aws-sdk-core 3.115.0 → 3.117.0

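--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: c51427ddefb35e2594f5b19314371162a9ef641ee2347f2c569135f25c5e164e
- data.tar.gz: ace6b55f07d11168cf425716aefcac7751ca6b1b7d30ccfc3a9a6f409055ab72
+ metadata.gz: 87480a79b026cd9f4a732927079633d67b5fa7cb0150c3cef3c7eedd954d179d
+ data.tar.gz: 42e118b53803b2d5bb5514059852fe684f4f64a22fadee010541851eca299fc5
  SHA512:
- metadata.gz: 362d882a36335ccbf9567673cf9c433484bdc7c7da626800e7b2cf3429662ffe2b05cdf4ba3f3a5a91cdc1122c48fe6bb1348f21937c878ac1f1a46dbedd7110
- data.tar.gz: 754a0a0d8320723ac59aaa084cd3aee95dba74d844764bcee42a6163566aacdbde8a06793aae2e94e9f191e15849e36575f3ee27f4d0901cec4a1ee29534f40b
+ metadata.gz: 71053f9fca038e4fb57084f29d972034e845d58c45a973ac3e9690717689ba74228d6b1d25c2b1e473e8f2358091916875dfd3ffb90ed4ece0b36aaa38d9e81e
+ data.tar.gz: 6e353f5356d8a61a4cfc70dce05f176859e5180e53b7de74c09bf1da7e57d0a5ac9f7cc58a584880b98b95d8518da62ed22adac942cf8d37a596300ea9caa102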
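--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,18 @@
  Unreleased Changes
  ------------------
 
+ 3.117.0 (2021-07-12)
+ ------------------
+
+ * Feature - Support IPv6 endpoints for `Aws::InstanceProfileCredentials`. It supports two shared configuration options (`ec2_metadata_service_endpoint` & `ec2_metadata_service_endpoint_mode`), two ENV variables (`AWS_EC2_METADATA_SERVICE_ENDPOINT` & `AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE`), and two constructor options (`:endpoint` & `:endpoint_mode`).
+
+ * Feature - Support IPv6 endpoint for `Aws::EC2Metadata` client. It can be configured with `:endpoint` or `:endpoint_mode`.
+
+ 3.116.0 (2021-07-07)
+ ------------------
+
+ * Feature - Updated Aws::STS::Client with the latest API changes.
+
  3.115.0 (2021-06-23)
  ------------------
 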
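--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 3.115.0
+ 3.117.0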
@@ -160,10 +160,11 @@ module Aws
160
160
  end
161
161
 
162
162
  def instance_profile_credentials(options)
163
+ profile_name = determine_profile_name(options)
163
164
  if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
164
165
  ECSCredentials.new(options)
165
166
  else
166
- InstanceProfileCredentials.new(options)
167
+ InstanceProfileCredentials.new(options.merge(profile: profile_name))
167
168
  end
168
169
  end
169
170
 
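Review bot: `determine_profile_name(options)` runs at the top of `instance_profile_credentials` even when `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set, where its result is never used. Moving the lookup into the `else` branch, `InstanceProfileCredentials.new(options.merge(profile: determine_profile_name(options)))`, keeps the ECS path free of profile resolution. A short comment such as `# :profile selects which shared-config profile supplies the IMDS endpoint settings` would explain why an instance-metadata provider now needs a profile at all. `determine_profile_name` is defined outside this hunk, so whether it can raise or has side effects is not visible here.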
@@ -39,7 +39,11 @@ module Aws
39
39
  # defaulting to 6 hours.
40
40
  # @option options [Integer] :retries (3) The number of retries for failed
41
41
  # requests.
42
- # @option options [String] :endpoint (169.254.169.254) The IMDS endpoint.
42
+ # @option options [String] :endpoint ('http://169.254.169.254') The IMDS
43
+ # endpoint. This option has precedence over the :endpoint_mode.
44
+ # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
45
+ # the instance metadata service. This is either 'IPv4'
46
+ # ('http://169.254.169.254') or 'IPv6' ('http://[fd00:ec2::254]').
43
47
  # @option options [Integer] :port (80) The IMDS endpoint port.
44
48
  # @option options [Integer] :http_open_timeout (1) The number of seconds to
45
49
  # wait for the connection to open.
@@ -55,7 +59,8 @@ module Aws
55
59
  @retries = options[:retries] || 3
56
60
  @backoff = backoff(options[:backoff])
57
61
 
58
- @endpoint = options[:endpoint] || '169.254.169.254'
62
+ endpoint_mode = options[:endpoint_mode] || 'IPv4'
63
+ @endpoint = resolve_endpoint(options[:endpoint], endpoint_mode)
59
64
  @port = options[:port] || 80
60
65
 
61
66
  @http_open_timeout = options[:http_open_timeout] || 1
@@ -76,7 +81,7 @@ module Aws
76
81
  # ec2_metadata.get('/latest/meta-data/instance-id')
77
82
  # => "i-023a25f10a73a0f79"
78
83
  #
79
- # @Note This implementation always returns a String and will not parse any
84
+ # @note This implementation always returns a String and will not parse any
80
85
  # responses. Parsable responses may include JSON objects or directory
81
86
  # listings, which are strings separated by line feeds (ASCII 10).
82
87
  #
@@ -93,7 +98,7 @@ module Aws
93
98
  # listing.split(10.chr)
94
99
  # => ["ami-id", "ami-launch-index", ...]
95
100
  #
96
- # @Note Unlike other services, IMDS does not have a service API model. This
101
+ # @note Unlike other services, IMDS does not have a service API model. This
97
102
  # means that we cannot confidently generate code with methods and
98
103
  # response structures. This implementation ensures that new IMDS features
99
104
  # are always supported by being deployed to the instance and does not
@@ -116,6 +121,19 @@ module Aws
116
121
 
117
122
  private
118
123
 
124
+ def resolve_endpoint(endpoint, endpoint_mode)
125
+ return endpoint if endpoint
126
+
127
+ case endpoint_mode.downcase
128
+ when 'ipv4' then 'http://169.254.169.254'
129
+ when 'ipv6' then 'http://[fd00:ec2::254]'
130
+ else
131
+ raise ArgumentError,
132
+ ':endpoint_mode is not valid, expected IPv4 or IPv6, '\
133
+ "got: #{endpoint_mode}"
134
+ end
135
+ end
136
+
119
137
  def fetch_token
120
138
  open_connection do |conn|
121
139
  token_value, token_ttl = http_put(conn, @token_ttl)
@@ -163,7 +181,8 @@ module Aws
163
181
  end
164
182
 
165
183
  def open_connection
166
- http = Net::HTTP.new(@endpoint, @port, nil)
184
+ uri = URI.parse(@endpoint)
185
+ http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port)
167
186
  http.open_timeout = @http_open_timeout
168
187
  http.read_timeout = @http_read_timeout
169
188
  http.set_debug_output(@http_debug_output) if @http_debug_output
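Review bot: In `open_connection`, `@port || uri.port` can never fall through to `uri.port`, because the constructor hunk above still sets `@port = options[:port] || 80`. An `:endpoint` such as `http://host:8080` (constructed example) is therefore contacted on port 80 unless `:port` is passed as well, and the URI scheme is parsed but not used in the lines shown. Provided `@port` is not read elsewhere in the class, keep the explicit option separate from the default: `@port = options[:port]` in the constructor and `http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port || 80)` here. The `:endpoint` doc comment should also say which parts of the URL are honoured. The same two lines appear in the `open_connection` hunk of `Aws::InstanceProfileCredentials` further down and need the same treatment; `open_connection` itself continues past the end of this hunk.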
@@ -5,7 +5,6 @@ require 'net/http'
5
5
 
6
6
  module Aws
7
7
  class InstanceProfileCredentials
8
-
9
8
  include CredentialProvider
10
9
  include RefreshingCredentials
11
10
 
@@ -44,7 +43,13 @@ module Aws
44
43
  # @param [Hash] options
45
44
  # @option options [Integer] :retries (1) Number of times to retry
46
45
  # when retrieving credentials.
47
- # @option options [String] :ip_address ('169.254.169.254')
46
+ # @option options [String] :endpoint ('http://169.254.169.254') The IMDS
47
+ # endpoint. This option has precedence over the :endpoint_mode.
48
+ # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
49
+ # the instance metadata service. This is either 'IPv4' ('169.254.169.254')
50
+ # or 'IPv6' ('[fd00:ec2::254]').
51
+ # @option options [String] :ip_address ('169.254.169.254') Deprecated. Use
52
+ # :endpoint instead. The IP address for the endpoint.
48
53
  # @option options [Integer] :port (80)
49
54
  # @option options [Float] :http_open_timeout (1)
50
55
  # @option options [Float] :http_read_timeout (1)
@@ -60,7 +65,8 @@ module Aws
60
65
  # to 21600 seconds
61
66
  def initialize(options = {})
62
67
  @retries = options[:retries] || 1
63
- @ip_address = options[:ip_address] || '169.254.169.254'
68
+ endpoint_mode = resolve_endpoint_mode(options)
69
+ @endpoint = resolve_endpoint(options, endpoint_mode)
64
70
  @port = options[:port] || 80
65
71
  @http_open_timeout = options[:http_open_timeout] || 1
66
72
  @http_read_timeout = options[:http_read_timeout] || 1
@@ -78,6 +84,34 @@ module Aws
78
84
 
79
85
  private
80
86
 
87
+ def resolve_endpoint_mode(options)
88
+ value = options[:endpoint_mode]
89
+ value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE']
90
+ value ||= Aws.shared_config.ec2_metadata_service_endpoint_mode(
91
+ profile: options[:profile]
92
+ )
93
+ value || 'IPv4'
94
+ end
95
+
96
+ def resolve_endpoint(options, endpoint_mode)
97
+ value = options[:endpoint] || options[:ip_address]
98
+ value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT']
99
+ value ||= Aws.shared_config.ec2_metadata_service_endpoint(
100
+ profile: options[:profile]
101
+ )
102
+
103
+ return value if value
104
+
105
+ case endpoint_mode.downcase
106
+ when 'ipv4' then 'http://169.254.169.254'
107
+ when 'ipv6' then 'http://[fd00:ec2::254]'
108
+ else
109
+ raise ArgumentError,
110
+ ':endpoint_mode is not valid, expected IPv4 or IPv6, '\
111
+ "got: #{endpoint_mode}"
112
+ end
113
+ end
114
+
81
115
  def backoff(backoff)
82
116
  case backoff
83
117
  when Proc then backoff
@@ -152,7 +186,8 @@ module Aws
152
186
  end
153
187
 
154
188
  def open_connection
155
- http = Net::HTTP.new(@ip_address, @port, nil)
189
+ uri = URI.parse(@endpoint)
190
+ http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port)
156
191
  http.open_timeout = @http_open_timeout
157
192
  http.read_timeout = @http_read_timeout
158
193
  http.set_debug_output(@http_debug_output) if @http_debug_output
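Review bot: `resolve_endpoint` and `resolve_endpoint_mode` treat an empty string as a configured value, because `''` is truthy in Ruby. A set-but-blank `AWS_EC2_METADATA_SERVICE_ENDPOINT` stops the `||=` chain, skips both the shared-config lookup and the IPv4/IPv6 default, and leaves `@endpoint` as `''`. The value is parsed only later in `open_connection`, so a blank or malformed endpoint surfaces at fetch time rather than at construction; how it is then reported depends on retry code outside these hunks. Since this endpoint is where the SDK obtains credentials, I would normalise blank values to nil at every step, apply the same to `resolve_endpoint_mode`, and document that the ENV variable and the shared-config key are trusted inputs. In the sketch below `presence` is a new private helper, not an existing one.

```ruby
def resolve_endpoint(options, endpoint_mode)
  value = presence(options[:endpoint]) || presence(options[:ip_address])
  value ||= presence(ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT'])
  value ||= presence(
    Aws.shared_config.ec2_metadata_service_endpoint(
      profile: options[:profile]
    )
  )
  return value if value

  # … unchanged: endpoint_mode case statement …
end

# Returns nil for nil or blank strings so they count as "not configured".
def presence(value)
  value unless value.nil? || value.to_s.strip.empty?
end
```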
@@ -163,6 +163,8 @@ module Aws
163
163
  :ca_bundle,
164
164
  :credential_process,
165
165
  :endpoint_discovery_enabled,
166
+ :ec2_metadata_service_endpoint,
167
+ :ec2_metadata_service_endpoint_mode,
166
168
  :max_attempts,
167
169
  :retry_mode,
168
170
  :adaptive_retry_wait_to_fill,
@@ -14,11 +14,17 @@ module Aws
14
14
  'aws_session_token' => 'session_token',
15
15
  }
16
16
 
17
- # Constructs a new SharedCredentials object. This will load AWS access
17
+ # Constructs a new SharedCredentials object. This will load static
18
+ # (access_key_id, secret_access_key and session_token) AWS access
18
19
  # credentials from an ini file, which supports profiles. The default
19
20
  # profile name is 'default'. You can specify the profile name with the
20
21
  # `ENV['AWS_PROFILE']` or with the `:profile_name` option.
21
22
  #
23
+ # To use credentials from the default credential resolution chain
24
+ # create a client without the credential option specified.
25
+ # You may access the resolved credentials through
26
+ # `client.config.credentials`.
27
+ #
22
28
  # @option [String] :path Path to the shared file. Defaults
23
29
  # to "#{Dir.home}/.aws/credentials".
24
30
  #
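--- a/data/lib/aws-sdk-sso.rb
+++ b/data/lib/aws-sdk-sso.rb
@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sso/customizations'
  # @!group service
  module Aws::SSO
 
- GEM_VERSION = '3.115.0'
+ GEM_VERSION = '3.117.0'
 
  end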
@@ -523,7 +523,7 @@ module Aws::SSO
523
523
  params: params,
524
524
  config: config)
525
525
  context[:gem_name] = 'aws-sdk-core'
526
- context[:gem_version] = '3.115.0'
526
+ context[:gem_version] = '3.117.0'
527
527
  Seahorse::Client::Request.new(handlers, context)
528
528
  end
529
529
 
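--- a/data/lib/aws-sdk-sts.rb
+++ b/data/lib/aws-sdk-sts.rb
@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sts/customizations'
  # @!group service
  module Aws::STS
 
- GEM_VERSION = '3.115.0'
+ GEM_VERSION = '3.117.0'
 
  end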
@@ -335,20 +335,21 @@ module Aws::STS
335
335
  # @!group API Operations
336
336
 
337
337
  # Returns a set of temporary security credentials that you can use to
338
- # access AWS resources that you might not normally have access to. These
339
- # temporary credentials consist of an access key ID, a secret access
340
- # key, and a security token. Typically, you use `AssumeRole` within your
341
- # account or for cross-account access. For a comparison of `AssumeRole`
342
- # with other API operations that produce temporary credentials, see
343
- # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
344
- # STS API operations][2] in the *IAM User Guide*.
338
+ # access Amazon Web Services resources that you might not normally have
339
+ # access to. These temporary credentials consist of an access key ID, a
340
+ # secret access key, and a security token. Typically, you use
341
+ # `AssumeRole` within your account or for cross-account access. For a
342
+ # comparison of `AssumeRole` with other API operations that produce
343
+ # temporary credentials, see [Requesting Temporary Security
344
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
345
+ # User Guide*.
345
346
  #
346
347
  # **Permissions**
347
348
  #
348
349
  # The temporary security credentials created by `AssumeRole` can be used
349
- # to make API calls to any AWS service with the following exception: You
350
- # cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
351
- # operations.
350
+ # to make API calls to any Amazon Web Services service with the
351
+ # following exception: You cannot call the STS `GetFederationToken` or
352
+ # `GetSessionToken` API operations.
352
353
  #
353
354
  # (Optional) You can pass inline or managed [session policies][3] to
354
355
  # this operation. You can pass a single JSON policy document to use as
@@ -358,13 +359,14 @@ module Aws::STS
358
359
  # characters. Passing policies to this operation returns new temporary
359
360
  # credentials. The resulting session's permissions are the intersection
360
361
  # of the role's identity-based policy and the session policies. You can
361
- # use the role's temporary credentials in subsequent AWS API calls to
362
- # access resources in the account that owns the role. You cannot use
363
- # session policies to grant more permissions than those allowed by the
364
- # identity-based policy of the role that is being assumed. For more
365
- # information, see [Session Policies][3] in the *IAM User Guide*.
362
+ # use the role's temporary credentials in subsequent Amazon Web
363
+ # Services API calls to access resources in the account that owns the
364
+ # role. You cannot use session policies to grant more permissions than
365
+ # those allowed by the identity-based policy of the role that is being
366
+ # assumed. For more information, see [Session Policies][3] in the *IAM
367
+ # User Guide*.
366
368
  #
367
- # To assume a role from a different account, your AWS account must be
369
+ # To assume a role from a different account, your account must be
368
370
  # trusted by the role. The trust relationship is defined in the role's
369
371
  # trust policy when the role is created. That trust policy states which
370
372
  # accounts are allowed to delegate that access to users in the account.
@@ -408,12 +410,12 @@ module Aws::STS
408
410
  # (Optional) You can include multi-factor authentication (MFA)
409
411
  # information when you call `AssumeRole`. This is useful for
410
412
  # cross-account scenarios to ensure that the user that assumes the role
411
- # has been authenticated with an AWS MFA device. In that scenario, the
412
- # trust policy of the role being assumed includes a condition that tests
413
- # for MFA authentication. If the caller does not include valid MFA
414
- # information, the request to assume the role is denied. The condition
415
- # in a trust policy that tests for MFA authentication might look like
416
- # the following example.
413
+ # has been authenticated with an Amazon Web Services MFA device. In that
414
+ # scenario, the trust policy of the role being assumed includes a
415
+ # condition that tests for MFA authentication. If the caller does not
416
+ # include valid MFA information, the request to assume the role is
417
+ # denied. The condition in a trust policy that tests for MFA
418
+ # authentication might look like the following example.
417
419
  #
418
420
  # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
419
421
  #
@@ -449,7 +451,7 @@ module Aws::STS
449
451
  # also used in the ARN of the assumed role principal. This means that
450
452
  # subsequent cross-account API requests that use the temporary security
451
453
  # credentials will expose the role session name to the external account
452
- # in their AWS CloudTrail logs.
454
+ # in their CloudTrail logs.
453
455
  #
454
456
  # The regex used to validate this parameter is a string of characters
455
457
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -464,26 +466,27 @@ module Aws::STS
464
466
  # This parameter is optional. You can provide up to 10 managed policy
465
467
  # ARNs. However, the plaintext that you use for both inline and managed
466
468
  # session policies can't exceed 2,048 characters. For more information
467
- # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
468
- # Namespaces][1] in the AWS General Reference.
469
+ # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
470
+ # Service Namespaces][1] in the Amazon Web Services General Reference.
469
471
  #
470
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
471
- # tags into a packed binary format that has a separate limit. Your
472
- # request can fail for this limit even if your plaintext meets the other
473
- # requirements. The `PackedPolicySize` response element indicates by
474
- # percentage how close the policies and tags for your request are to the
475
- # upper size limit.
472
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
473
+ # policies and session tags into a packed binary format that has a
474
+ # separate limit. Your request can fail for this limit even if your
475
+ # plaintext meets the other requirements. The `PackedPolicySize`
476
+ # response element indicates by percentage how close the policies and
477
+ # tags for your request are to the upper size limit.
476
478
  #
477
479
  # </note>
478
480
  #
479
481
  # Passing policies to this operation returns new temporary credentials.
480
482
  # The resulting session's permissions are the intersection of the
481
483
  # role's identity-based policy and the session policies. You can use
482
- # the role's temporary credentials in subsequent AWS API calls to
483
- # access resources in the account that owns the role. You cannot use
484
- # session policies to grant more permissions than those allowed by the
485
- # identity-based policy of the role that is being assumed. For more
486
- # information, see [Session Policies][2] in the *IAM User Guide*.
484
+ # the role's temporary credentials in subsequent Amazon Web Services
485
+ # API calls to access resources in the account that owns the role. You
486
+ # cannot use session policies to grant more permissions than those
487
+ # allowed by the identity-based policy of the role that is being
488
+ # assumed. For more information, see [Session Policies][2] in the *IAM
489
+ # User Guide*.
487
490
  #
488
491
  #
489
492
  #
@@ -498,11 +501,11 @@ module Aws::STS
498
501
  # new temporary credentials. The resulting session's permissions are
499
502
  # the intersection of the role's identity-based policy and the session
500
503
  # policies. You can use the role's temporary credentials in subsequent
501
- # AWS API calls to access resources in the account that owns the role.
502
- # You cannot use session policies to grant more permissions than those
503
- # allowed by the identity-based policy of the role that is being
504
- # assumed. For more information, see [Session Policies][1] in the *IAM
505
- # User Guide*.
504
+ # Amazon Web Services API calls to access resources in the account that
505
+ # owns the role. You cannot use session policies to grant more
506
+ # permissions than those allowed by the identity-based policy of the
507
+ # role that is being assumed. For more information, see [Session
508
+ # Policies][1] in the *IAM User Guide*.
506
509
  #
507
510
  # The plaintext that you use for both inline and managed session
508
511
  # policies can't exceed 2,048 characters. The JSON policy characters
@@ -511,12 +514,12 @@ module Aws::STS
511
514
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
512
515
  # characters.
513
516
  #
514
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
515
- # tags into a packed binary format that has a separate limit. Your
516
- # request can fail for this limit even if your plaintext meets the other
517
- # requirements. The `PackedPolicySize` response element indicates by
518
- # percentage how close the policies and tags for your request are to the
519
- # upper size limit.
517
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
518
+ # policies and session tags into a packed binary format that has a
519
+ # separate limit. Your request can fail for this limit even if your
520
+ # plaintext meets the other requirements. The `PackedPolicySize`
521
+ # response element indicates by percentage how close the policies and
522
+ # tags for your request are to the upper size limit.
520
523
  #
521
524
  # </note>
522
525
  #
@@ -543,8 +546,8 @@ module Aws::STS
543
546
  # The request to the federation endpoint for a console sign-in token
544
547
  # takes a `SessionDuration` parameter that specifies the maximum length
545
548
  # of the console session. For more information, see [Creating a URL that
546
- # Enables Federated Users to Access the AWS Management Console][2] in
547
- # the *IAM User Guide*.
549
+ # Enables Federated Users to Access the Management Console][2] in the
550
+ # *IAM User Guide*.
548
551
  #
549
552
  # </note>
550
553
  #
@@ -556,7 +559,7 @@ module Aws::STS
556
559
  # @option params [Array<Types::Tag>] :tags
557
560
  # A list of session tags that you want to pass. Each session tag
558
561
  # consists of a key name and an associated value. For more information
559
- # about session tags, see [Tagging AWS STS Sessions][1] in the *IAM User
562
+ # about session tags, see [Tagging STS Sessions][1] in the *IAM User
560
563
  # Guide*.
561
564
  #
562
565
  # This parameter is optional. You can pass up to 50 session tags. The
@@ -564,12 +567,12 @@ module Aws::STS
564
567
  # can’t exceed 256 characters. For these and additional limits, see [IAM
565
568
  # and STS Character Limits][2] in the *IAM User Guide*.
566
569
  #
567
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
568
- # tags into a packed binary format that has a separate limit. Your
569
- # request can fail for this limit even if your plaintext meets the other
570
- # requirements. The `PackedPolicySize` response element indicates by
571
- # percentage how close the policies and tags for your request are to the
572
- # upper size limit.
570
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
571
+ # policies and session tags into a packed binary format that has a
572
+ # separate limit. Your request can fail for this limit even if your
573
+ # plaintext meets the other requirements. The `PackedPolicySize`
574
+ # response element indicates by percentage how close the policies and
575
+ # tags for your request are to the upper size limit.
573
576
  #
574
577
  # </note>
575
578
  #
@@ -588,8 +591,8 @@ module Aws::STS
588
591
  # operation, the new session inherits any transitive session tags from
589
592
  # the calling session. If you pass a session tag with the same key as an
590
593
  # inherited tag, the operation fails. To view the inherited tags for a
591
- # session, see the AWS CloudTrail logs. For more information, see
592
- # [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
594
+ # session, see the CloudTrail logs. For more information, see [Viewing
595
+ # Session Tags in CloudTrail][3] in the *IAM User Guide*.
593
596
  #
594
597
  #
595
598
  #
@@ -625,7 +628,8 @@ module Aws::STS
625
628
  # trusted account. That way, only someone with the ID can assume the
626
629
  # role, rather than everyone in the account. For more information about
627
630
  # the external ID, see [How to Use an External ID When Granting Access
628
- # to Your AWS Resources to a Third Party][1] in the *IAM User Guide*.
631
+ # to Your Amazon Web Services Resources to a Third Party][1] in the *IAM
632
+ # User Guide*.
629
633
  #
630
634
  # The regex used to validate this parameter is a string of characters
631
635
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -666,18 +670,18 @@ module Aws::STS
666
670
  #
667
671
  # You can require users to specify a source identity when they assume a
668
672
  # role. You do this by using the `sts:SourceIdentity` condition key in a
669
- # role trust policy. You can use source identity information in AWS
673
+ # role trust policy. You can use source identity information in
670
674
  # CloudTrail logs to determine who took actions with a role. You can use
671
675
  # the `aws:SourceIdentity` condition key to further control access to
672
- # AWS resources based on the value of source identity. For more
673
- # information about using source identity, see [Monitor and control
674
- # actions taken with assumed roles][1] in the *IAM User Guide*.
676
+ # Amazon Web Services resources based on the value of source identity.
677
+ # For more information about using source identity, see [Monitor and
678
+ # control actions taken with assumed roles][1] in the *IAM User Guide*.
675
679
  #
676
680
  # The regex used to validate this parameter is a string of characters
677
681
  # consisting of upper- and lower-case alphanumeric characters with no
678
682
  # spaces. You can also include underscores or any of the following
679
683
  # characters: =,.@-. You cannot use a value that begins with the text
680
- # `aws:`. This prefix is reserved for AWS internal use.
684
+ # `aws:`. This prefix is reserved for Amazon Web Services internal use.
681
685
  #
682
686
  #
683
687
  #
@@ -781,16 +785,17 @@ module Aws::STS
781
785
  # Returns a set of temporary security credentials for users who have
782
786
  # been authenticated via a SAML authentication response. This operation
783
787
  # provides a mechanism for tying an enterprise identity store or
784
- # directory to role-based AWS access without user-specific credentials
785
- # or configuration. For a comparison of `AssumeRoleWithSAML` with the
786
- # other API operations that produce temporary credentials, see
787
- # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
788
- # STS API operations][2] in the *IAM User Guide*.
788
+ # directory to role-based Amazon Web Services access without
789
+ # user-specific credentials or configuration. For a comparison of
790
+ # `AssumeRoleWithSAML` with the other API operations that produce
791
+ # temporary credentials, see [Requesting Temporary Security
792
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
793
+ # User Guide*.
789
794
  #
790
795
  # The temporary security credentials returned by this operation consist
791
796
  # of an access key ID, a secret access key, and a security token.
792
797
  # Applications can use these temporary security credentials to sign
793
- # calls to AWS services.
798
+ # calls to Amazon Web Services services.
794
799
  #
795
800
  # **Session Duration**
796
801
  #
@@ -810,22 +815,22 @@ module Aws::STS
810
815
  # use those operations to create a console URL. For more information,
811
816
  # see [Using IAM Roles][4] in the *IAM User Guide*.
812
817
  #
813
- # <note markdown="1"> [Role chaining][5] limits your AWS CLI or AWS API role session to a
814
- # maximum of one hour. When you use the `AssumeRole` API operation to
815
- # assume a role, you can specify the duration of your role session with
816
- # the `DurationSeconds` parameter. You can specify a parameter value of
817
- # up to 43200 seconds (12 hours), depending on the maximum session
818
- # duration setting for your role. However, if you assume a role using
819
- # role chaining and provide a `DurationSeconds` parameter value greater
820
- # than one hour, the operation fails.
818
+ # <note markdown="1"> [Role chaining][5] limits your CLI or Amazon Web Services API role
819
+ # session to a maximum of one hour. When you use the `AssumeRole` API
820
+ # operation to assume a role, you can specify the duration of your role
821
+ # session with the `DurationSeconds` parameter. You can specify a
822
+ # parameter value of up to 43200 seconds (12 hours), depending on the
823
+ # maximum session duration setting for your role. However, if you assume
824
+ # a role using role chaining and provide a `DurationSeconds` parameter
825
+ # value greater than one hour, the operation fails.
821
826
  #
822
827
  # </note>
823
828
  #
824
829
  # **Permissions**
825
830
  #
826
831
  # The temporary security credentials created by `AssumeRoleWithSAML` can
827
- # be used to make API calls to any AWS service with the following
828
- # exception: you cannot call the STS `GetFederationToken` or
832
+ # be used to make API calls to any Amazon Web Services service with the
833
+ # following exception: you cannot call the STS `GetFederationToken` or
829
834
  # `GetSessionToken` API operations.
830
835
  #
831
836
  # (Optional) You can pass inline or managed [session policies][6] to
@@ -836,22 +841,23 @@ module Aws::STS
836
841
  # characters. Passing policies to this operation returns new temporary
837
842
  # credentials. The resulting session's permissions are the intersection
838
843
  # of the role's identity-based policy and the session policies. You can
839
- # use the role's temporary credentials in subsequent AWS API calls to
840
- # access resources in the account that owns the role. You cannot use
841
- # session policies to grant more permissions than those allowed by the
842
- # identity-based policy of the role that is being assumed. For more
843
- # information, see [Session Policies][6] in the *IAM User Guide*.
844
- #
845
- # Calling `AssumeRoleWithSAML` does not require the use of AWS security
846
- # credentials. The identity of the caller is validated by using keys in
847
- # the metadata document that is uploaded for the SAML provider entity
848
- # for your identity provider.
849
- #
850
- # Calling `AssumeRoleWithSAML` can result in an entry in your AWS
851
- # CloudTrail logs. The entry includes the value in the `NameID` element
852
- # of the SAML assertion. We recommend that you use a `NameIDType` that
853
- # is not associated with any personally identifiable information (PII).
854
- # For example, you could instead use the persistent identifier
844
+ # use the role's temporary credentials in subsequent Amazon Web
845
+ # Services API calls to access resources in the account that owns the
846
+ # role. You cannot use session policies to grant more permissions than
847
+ # those allowed by the identity-based policy of the role that is being
848
+ # assumed. For more information, see [Session Policies][6] in the *IAM
849
+ # User Guide*.
850
+ #
851
+ # Calling `AssumeRoleWithSAML` does not require the use of Amazon Web
852
+ # Services security credentials. The identity of the caller is validated
853
+ # by using keys in the metadata document that is uploaded for the SAML
854
+ # provider entity for your identity provider.
855
+ #
856
+ # Calling `AssumeRoleWithSAML` can result in an entry in your CloudTrail
857
+ # logs. The entry includes the value in the `NameID` element of the SAML
858
+ # assertion. We recommend that you use a `NameIDType` that is not
859
+ # associated with any personally identifiable information (PII). For
860
+ # example, you could instead use the persistent identifier
855
861
  # (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
856
862
  #
857
863
  # **Tags**
@@ -866,12 +872,12 @@ module Aws::STS
866
872
  # characters. For these and additional limits, see [IAM and STS
867
873
  # Character Limits][8] in the *IAM User Guide*.
868
874
  #
869
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
870
- # tags into a packed binary format that has a separate limit. Your
871
- # request can fail for this limit even if your plaintext meets the other
872
- # requirements. The `PackedPolicySize` response element indicates by
873
- # percentage how close the policies and tags for your request are to the
874
- # upper size limit.
875
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
876
+ # policies and session tags into a packed binary format that has a
877
+ # separate limit. Your request can fail for this limit even if your
878
+ # plaintext meets the other requirements. The `PackedPolicySize`
879
+ # response element indicates by percentage how close the policies and
880
+ # tags for your request are to the upper size limit.
875
881
  #
876
882
  # </note>
877
883
  #
@@ -893,10 +899,11 @@ module Aws::STS
893
899
  #
894
900
  # Before your application can call `AssumeRoleWithSAML`, you must
895
901
  # configure your SAML identity provider (IdP) to issue the claims
896
- # required by AWS. Additionally, you must use AWS Identity and Access
897
- # Management (IAM) to create a SAML provider entity in your AWS account
898
- # that represents your identity provider. You must also create an IAM
899
- # role that specifies this SAML provider in its trust policy.
902
+ # required by Amazon Web Services. Additionally, you must use Identity
903
+ # and Access Management (IAM) to create a SAML provider entity in your
904
+ # Amazon Web Services account that represents your identity provider.
905
+ # You must also create an IAM role that specifies this SAML provider in
906
+ # its trust policy.
900
907
  #
901
908
  # For more information, see the following resources:
902
909
  #
@@ -953,26 +960,27 @@ module Aws::STS
953
960
  # This parameter is optional. You can provide up to 10 managed policy
954
961
  # ARNs. However, the plaintext that you use for both inline and managed
955
962
  # session policies can't exceed 2,048 characters. For more information
956
- # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
957
- # Namespaces][1] in the AWS General Reference.
963
+ # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
964
+ # Service Namespaces][1] in the Amazon Web Services General Reference.
958
965
  #
959
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
960
- # tags into a packed binary format that has a separate limit. Your
961
- # request can fail for this limit even if your plaintext meets the other
962
- # requirements. The `PackedPolicySize` response element indicates by
963
- # percentage how close the policies and tags for your request are to the
964
- # upper size limit.
966
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
967
+ # policies and session tags into a packed binary format that has a
968
+ # separate limit. Your request can fail for this limit even if your
969
+ # plaintext meets the other requirements. The `PackedPolicySize`
970
+ # response element indicates by percentage how close the policies and
971
+ # tags for your request are to the upper size limit.
965
972
  #
966
973
  # </note>
967
974
  #
968
975
  # Passing policies to this operation returns new temporary credentials.
969
976
  # The resulting session's permissions are the intersection of the
970
977
  # role's identity-based policy and the session policies. You can use
971
- # the role's temporary credentials in subsequent AWS API calls to
972
- # access resources in the account that owns the role. You cannot use
973
- # session policies to grant more permissions than those allowed by the
974
- # identity-based policy of the role that is being assumed. For more
975
- # information, see [Session Policies][2] in the *IAM User Guide*.
978
+ # the role's temporary credentials in subsequent Amazon Web Services
979
+ # API calls to access resources in the account that owns the role. You
980
+ # cannot use session policies to grant more permissions than those
981
+ # allowed by the identity-based policy of the role that is being
982
+ # assumed. For more information, see [Session Policies][2] in the *IAM
983
+ # User Guide*.
976
984
  #
977
985
  #
978
986
  #
@@ -987,11 +995,11 @@ module Aws::STS
987
995
  # new temporary credentials. The resulting session's permissions are
988
996
  # the intersection of the role's identity-based policy and the session
989
997
  # policies. You can use the role's temporary credentials in subsequent
990
- # AWS API calls to access resources in the account that owns the role.
991
- # You cannot use session policies to grant more permissions than those
992
- # allowed by the identity-based policy of the role that is being
993
- # assumed. For more information, see [Session Policies][1] in the *IAM
994
- # User Guide*.
998
+ # Amazon Web Services API calls to access resources in the account that
999
+ # owns the role. You cannot use session policies to grant more
1000
+ # permissions than those allowed by the identity-based policy of the
1001
+ # role that is being assumed. For more information, see [Session
1002
+ # Policies][1] in the *IAM User Guide*.
995
1003
  #
996
1004
  # The plaintext that you use for both inline and managed session
997
1005
  # policies can't exceed 2,048 characters. The JSON policy characters
@@ -1000,12 +1008,12 @@ module Aws::STS
1000
1008
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1001
1009
  # characters.
1002
1010
  #
1003
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1004
- # tags into a packed binary format that has a separate limit. Your
1005
- # request can fail for this limit even if your plaintext meets the other
1006
- # requirements. The `PackedPolicySize` response element indicates by
1007
- # percentage how close the policies and tags for your request are to the
1008
- # upper size limit.
1011
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1012
+ # policies and session tags into a packed binary format that has a
1013
+ # separate limit. Your request can fail for this limit even if your
1014
+ # plaintext meets the other requirements. The `PackedPolicySize`
1015
+ # response element indicates by percentage how close the policies and
1016
+ # tags for your request are to the upper size limit.
1009
1017
  #
1010
1018
  # </note>
1011
1019
  #
@@ -1034,8 +1042,8 @@ module Aws::STS
1034
1042
  # The request to the federation endpoint for a console sign-in token
1035
1043
  # takes a `SessionDuration` parameter that specifies the maximum length
1036
1044
  # of the console session. For more information, see [Creating a URL that
1037
- # Enables Federated Users to Access the AWS Management Console][2] in
1038
- # the *IAM User Guide*.
1045
+ # Enables Federated Users to Access the Management Console][2] in the
1046
+ # *IAM User Guide*.
1039
1047
  #
1040
1048
  # </note>
1041
1049
  #
@@ -1132,33 +1140,36 @@ module Aws::STS
1132
1140
  # Facebook, Google, or any OpenID Connect-compatible identity provider.
1133
1141
  #
1134
1142
  # <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
1135
- # can use Amazon Cognito with the [AWS SDK for iOS Developer Guide][1]
1136
- # and the [AWS SDK for Android Developer Guide][2] to uniquely identify
1137
- # a user. You can also supply the user with a consistent identity
1138
- # throughout the lifetime of an application.
1143
+ # can use Amazon Cognito with the [Amazon Web Services SDK for iOS
1144
+ # Developer Guide][1] and the [Amazon Web Services SDK for Android
1145
+ # Developer Guide][2] to uniquely identify a user. You can also supply
1146
+ # the user with a consistent identity throughout the lifetime of an
1147
+ # application.
1139
1148
  #
1140
1149
  # To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
1141
- # in *AWS SDK for Android Developer Guide* and [Amazon Cognito
1142
- # Overview][4] in the *AWS SDK for iOS Developer Guide*.
1150
+ # in *Amazon Web Services SDK for Android Developer Guide* and [Amazon
1151
+ # Cognito Overview][4] in the *Amazon Web Services SDK for iOS Developer
1152
+ # Guide*.
1143
1153
  #
1144
1154
  # </note>
1145
1155
  #
1146
- # Calling `AssumeRoleWithWebIdentity` does not require the use of AWS
1147
- # security credentials. Therefore, you can distribute an application
1148
- # (for example, on mobile devices) that requests temporary security
1149
- # credentials without including long-term AWS credentials in the
1150
- # application. You also don't need to deploy server-based proxy
1151
- # services that use long-term AWS credentials. Instead, the identity of
1152
- # the caller is validated by using a token from the web identity
1153
- # provider. For a comparison of `AssumeRoleWithWebIdentity` with the
1154
- # other API operations that produce temporary credentials, see
1155
- # [Requesting Temporary Security Credentials][5] and [Comparing the AWS
1156
- # STS API operations][6] in the *IAM User Guide*.
1156
+ # Calling `AssumeRoleWithWebIdentity` does not require the use of Amazon
1157
+ # Web Services security credentials. Therefore, you can distribute an
1158
+ # application (for example, on mobile devices) that requests temporary
1159
+ # security credentials without including long-term Amazon Web Services
1160
+ # credentials in the application. You also don't need to deploy
1161
+ # server-based proxy services that use long-term Amazon Web Services
1162
+ # credentials. Instead, the identity of the caller is validated by using
1163
+ # a token from the web identity provider. For a comparison of
1164
+ # `AssumeRoleWithWebIdentity` with the other API operations that produce
1165
+ # temporary credentials, see [Requesting Temporary Security
1166
+ # Credentials][5] and [Comparing the STS API operations][6] in the *IAM
1167
+ # User Guide*.
1157
1168
  #
1158
1169
  # The temporary security credentials returned by this API consist of an
1159
1170
  # access key ID, a secret access key, and a security token. Applications
1160
- # can use these temporary security credentials to sign calls to AWS
1161
- # service API operations.
1171
+ # can use these temporary security credentials to sign calls to Amazon
1172
+ # Web Services service API operations.
1162
1173
  #
1163
1174
  # **Session Duration**
1164
1175
  #
@@ -1178,9 +1189,9 @@ module Aws::STS
1178
1189
  # **Permissions**
1179
1190
  #
1180
1191
  # The temporary security credentials created by
1181
- # `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
1182
- # service with the following exception: you cannot call the STS
1183
- # `GetFederationToken` or `GetSessionToken` API operations.
1192
+ # `AssumeRoleWithWebIdentity` can be used to make API calls to any
1193
+ # Amazon Web Services service with the following exception: you cannot
1194
+ # call the STS `GetFederationToken` or `GetSessionToken` API operations.
1184
1195
  #
1185
1196
  # (Optional) You can pass inline or managed [session policies][9] to
1186
1197
  # this operation. You can pass a single JSON policy document to use as
@@ -1190,11 +1201,12 @@ module Aws::STS
1190
1201
  # characters. Passing policies to this operation returns new temporary
1191
1202
  # credentials. The resulting session's permissions are the intersection
1192
1203
  # of the role's identity-based policy and the session policies. You can
1193
- # use the role's temporary credentials in subsequent AWS API calls to
1194
- # access resources in the account that owns the role. You cannot use
1195
- # session policies to grant more permissions than those allowed by the
1196
- # identity-based policy of the role that is being assumed. For more
1197
- # information, see [Session Policies][9] in the *IAM User Guide*.
1204
+ # use the role's temporary credentials in subsequent Amazon Web
1205
+ # Services API calls to access resources in the account that owns the
1206
+ # role. You cannot use session policies to grant more permissions than
1207
+ # those allowed by the identity-based policy of the role that is being
1208
+ # assumed. For more information, see [Session Policies][9] in the *IAM
1209
+ # User Guide*.
1198
1210
  #
1199
1211
  # **Tags**
1200
1212
  #
@@ -1208,12 +1220,12 @@ module Aws::STS
1208
1220
  # characters. For these and additional limits, see [IAM and STS
1209
1221
  # Character Limits][11] in the *IAM User Guide*.
1210
1222
  #
1211
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1212
- # tags into a packed binary format that has a separate limit. Your
1213
- # request can fail for this limit even if your plaintext meets the other
1214
- # requirements. The `PackedPolicySize` response element indicates by
1215
- # percentage how close the policies and tags for your request are to the
1216
- # upper size limit.
1223
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1224
+ # policies and session tags into a packed binary format that has a
1225
+ # separate limit. Your request can fail for this limit even if your
1226
+ # plaintext meets the other requirements. The `PackedPolicySize`
1227
+ # response element indicates by percentage how close the policies and
1228
+ # tags for your request are to the upper size limit.
1217
1229
  #
1218
1230
  # </note>
1219
1231
  #
@@ -1240,7 +1252,7 @@ module Aws::STS
1240
1252
  # identity token. In other words, the identity provider must be
1241
1253
  # specified in the role's trust policy.
1242
1254
  #
1243
- # Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
1255
+ # Calling `AssumeRoleWithWebIdentity` can result in an entry in your
1244
1256
  # CloudTrail logs. The entry includes the [Subject][14] of the provided
1245
1257
  # web identity token. We recommend that you avoid using any personally
1246
1258
  # identifiable information (PII) in this field. For example, you could
@@ -1256,13 +1268,13 @@ module Aws::STS
1256
1268
  # * [ Web Identity Federation Playground][18]. Walk through the process
1257
1269
  # of authenticating through Login with Amazon, Facebook, or Google,
1258
1270
  # getting temporary security credentials, and then using those
1259
- # credentials to make a request to AWS.
1271
+ # credentials to make a request to Amazon Web Services.
1260
1272
  #
1261
- # * [AWS SDK for iOS Developer Guide][1] and [AWS SDK for Android
1262
- # Developer Guide][2]. These toolkits contain sample apps that show
1263
- # how to invoke the identity providers. The toolkits then show how to
1264
- # use the information from these providers to get and use temporary
1265
- # security credentials.
1273
+ # * [Amazon Web Services SDK for iOS Developer Guide][1] and [Amazon Web
1274
+ # Services SDK for Android Developer Guide][2]. These toolkits contain
1275
+ # sample apps that show how to invoke the identity providers. The
1276
+ # toolkits then show how to use the information from these providers
1277
+ # to get and use temporary security credentials.
1266
1278
  #
1267
1279
  # * [Web Identity Federation with Mobile Applications][19]. This article
1268
1280
  # discusses web identity federation and shows an example of how to use
@@ -1333,26 +1345,27 @@ module Aws::STS
1333
1345
  # This parameter is optional. You can provide up to 10 managed policy
1334
1346
  # ARNs. However, the plaintext that you use for both inline and managed
1335
1347
  # session policies can't exceed 2,048 characters. For more information
1336
- # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
1337
- # Namespaces][1] in the AWS General Reference.
1348
+ # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
1349
+ # Service Namespaces][1] in the Amazon Web Services General Reference.
1338
1350
  #
1339
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1340
- # tags into a packed binary format that has a separate limit. Your
1341
- # request can fail for this limit even if your plaintext meets the other
1342
- # requirements. The `PackedPolicySize` response element indicates by
1343
- # percentage how close the policies and tags for your request are to the
1344
- # upper size limit.
1351
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1352
+ # policies and session tags into a packed binary format that has a
1353
+ # separate limit. Your request can fail for this limit even if your
1354
+ # plaintext meets the other requirements. The `PackedPolicySize`
1355
+ # response element indicates by percentage how close the policies and
1356
+ # tags for your request are to the upper size limit.
1345
1357
  #
1346
1358
  # </note>
1347
1359
  #
1348
1360
  # Passing policies to this operation returns new temporary credentials.
1349
1361
  # The resulting session's permissions are the intersection of the
1350
1362
  # role's identity-based policy and the session policies. You can use
1351
- # the role's temporary credentials in subsequent AWS API calls to
1352
- # access resources in the account that owns the role. You cannot use
1353
- # session policies to grant more permissions than those allowed by the
1354
- # identity-based policy of the role that is being assumed. For more
1355
- # information, see [Session Policies][2] in the *IAM User Guide*.
1363
+ # the role's temporary credentials in subsequent Amazon Web Services
1364
+ # API calls to access resources in the account that owns the role. You
1365
+ # cannot use session policies to grant more permissions than those
1366
+ # allowed by the identity-based policy of the role that is being
1367
+ # assumed. For more information, see [Session Policies][2] in the *IAM
1368
+ # User Guide*.
1356
1369
  #
1357
1370
  #
1358
1371
  #
@@ -1367,11 +1380,11 @@ module Aws::STS
1367
1380
  # new temporary credentials. The resulting session's permissions are
1368
1381
  # the intersection of the role's identity-based policy and the session
1369
1382
  # policies. You can use the role's temporary credentials in subsequent
1370
- # AWS API calls to access resources in the account that owns the role.
1371
- # You cannot use session policies to grant more permissions than those
1372
- # allowed by the identity-based policy of the role that is being
1373
- # assumed. For more information, see [Session Policies][1] in the *IAM
1374
- # User Guide*.
1383
+ # Amazon Web Services API calls to access resources in the account that
1384
+ # owns the role. You cannot use session policies to grant more
1385
+ # permissions than those allowed by the identity-based policy of the
1386
+ # role that is being assumed. For more information, see [Session
1387
+ # Policies][1] in the *IAM User Guide*.
1375
1388
  #
1376
1389
  # The plaintext that you use for both inline and managed session
1377
1390
  # policies can't exceed 2,048 characters. The JSON policy characters
@@ -1380,12 +1393,12 @@ module Aws::STS
1380
1393
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1381
1394
  # characters.
1382
1395
  #
1383
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1384
- # tags into a packed binary format that has a separate limit. Your
1385
- # request can fail for this limit even if your plaintext meets the other
1386
- # requirements. The `PackedPolicySize` response element indicates by
1387
- # percentage how close the policies and tags for your request are to the
1388
- # upper size limit.
1396
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1397
+ # policies and session tags into a packed binary format that has a
1398
+ # separate limit. Your request can fail for this limit even if your
1399
+ # plaintext meets the other requirements. The `PackedPolicySize`
1400
+ # response element indicates by percentage how close the policies and
1401
+ # tags for your request are to the upper size limit.
1389
1402
  #
1390
1403
  # </note>
1391
1404
  #
@@ -1411,8 +1424,8 @@ module Aws::STS
1411
1424
  # The request to the federation endpoint for a console sign-in token
1412
1425
  # takes a `SessionDuration` parameter that specifies the maximum length
1413
1426
  # of the console session. For more information, see [Creating a URL that
1414
- # Enables Federated Users to Access the AWS Management Console][2] in
1415
- # the *IAM User Guide*.
1427
+ # Enables Federated Users to Access the Management Console][2] in the
1428
+ # *IAM User Guide*.
1416
1429
  #
1417
1430
  # </note>
1418
1431
  #
@@ -1501,19 +1514,19 @@ module Aws::STS
1501
1514
  end
1502
1515
 
1503
1516
  # Decodes additional information about the authorization status of a
1504
- # request from an encoded message returned in response to an AWS
1505
- # request.
1517
+ # request from an encoded message returned in response to an Amazon Web
1518
+ # Services request.
1506
1519
  #
1507
1520
  # For example, if a user is not authorized to perform an operation that
1508
1521
  # he or she has requested, the request returns a
1509
1522
  # `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
1510
- # AWS operations additionally return an encoded message that can provide
1511
- # details about this authorization failure.
1523
+ # Amazon Web Services operations additionally return an encoded message
1524
+ # that can provide details about this authorization failure.
1512
1525
  #
1513
- # <note markdown="1"> Only certain AWS operations return an encoded authorization message.
1514
- # The documentation for an individual operation indicates whether that
1515
- # operation returns an encoded message in addition to returning an HTTP
1516
- # code.
1526
+ # <note markdown="1"> Only certain Amazon Web Services operations return an encoded
1527
+ # authorization message. The documentation for an individual operation
1528
+ # indicates whether that operation returns an encoded message in
1529
+ # addition to returning an HTTP code.
1517
1530
  #
1518
1531
  # </note>
1519
1532
  #
@@ -1589,15 +1602,16 @@ module Aws::STS
1589
1602
  # *IAM User Guide*.
1590
1603
  #
1591
1604
  # When you pass an access key ID to this operation, it returns the ID of
1592
- # the AWS account to which the keys belong. Access key IDs beginning
1593
- # with `AKIA` are long-term credentials for an IAM user or the AWS
1594
- # account root user. Access key IDs beginning with `ASIA` are temporary
1595
- # credentials that are created using STS operations. If the account in
1596
- # the response belongs to you, you can sign in as the root user and
1597
- # review your root user access keys. Then, you can pull a [credentials
1598
- # report][2] to learn which IAM user owns the keys. To learn who
1599
- # requested the temporary credentials for an `ASIA` access key, view the
1600
- # STS events in your [CloudTrail logs][3] in the *IAM User Guide*.
1605
+ # the Amazon Web Services account to which the keys belong. Access key
1606
+ # IDs beginning with `AKIA` are long-term credentials for an IAM user or
1607
+ # the Amazon Web Services account root user. Access key IDs beginning
1608
+ # with `ASIA` are temporary credentials that are created using STS
1609
+ # operations. If the account in the response belongs to you, you can
1610
+ # sign in as the root user and review your root user access keys. Then,
1611
+ # you can pull a [credentials report][2] to learn which IAM user owns
1612
+ # the keys. To learn who requested the temporary credentials for an
1613
+ # `ASIA` access key, view the STS events in your [CloudTrail logs][3] in
1614
+ # the *IAM User Guide*.
1601
1615
  #
1602
1616
  # This operation does not indicate the state of the access key. The key
1603
1617
  # might be active, inactive, or deleted. Active keys might not have
@@ -1734,8 +1748,8 @@ module Aws::STS
1734
1748
  # can be safely stored, usually in a server-based application. For a
1735
1749
  # comparison of `GetFederationToken` with the other API operations that
1736
1750
  # produce temporary credentials, see [Requesting Temporary Security
1737
- # Credentials][1] and [Comparing the AWS STS API operations][2] in the
1738
- # *IAM User Guide*.
1751
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
1752
+ # User Guide*.
1739
1753
  #
1740
1754
  # <note markdown="1"> You can create a mobile-based or browser-based app that can
1741
1755
  # authenticate users using a web identity provider like Login with
@@ -1747,27 +1761,29 @@ module Aws::STS
1747
1761
  # </note>
1748
1762
  #
1749
1763
  # You can also call `GetFederationToken` using the security credentials
1750
- # of an AWS account root user, but we do not recommend it. Instead, we
1751
- # recommend that you create an IAM user for the purpose of the proxy
1752
- # application. Then attach a policy to the IAM user that limits
1753
- # federated users to only the actions and resources that they need to
1754
- # access. For more information, see [IAM Best Practices][5] in the *IAM
1755
- # User Guide*.
1764
+ # of an Amazon Web Services account root user, but we do not recommend
1765
+ # it. Instead, we recommend that you create an IAM user for the purpose
1766
+ # of the proxy application. Then attach a policy to the IAM user that
1767
+ # limits federated users to only the actions and resources that they
1768
+ # need to access. For more information, see [IAM Best Practices][5] in
1769
+ # the *IAM User Guide*.
1756
1770
  #
1757
1771
  # **Session duration**
1758
1772
  #
1759
1773
  # The temporary credentials are valid for the specified duration, from
1760
1774
  # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1761
1775
  # hours). The default session duration is 43,200 seconds (12 hours).
1762
- # Temporary credentials that are obtained by using AWS account root user
1763
- # credentials have a maximum duration of 3,600 seconds (1 hour).
1776
+ # Temporary credentials that are obtained by using Amazon Web Services
1777
+ # account root user credentials have a maximum duration of 3,600 seconds
1778
+ # (1 hour).
1764
1779
  #
1765
1780
  # **Permissions**
1766
1781
  #
1767
1782
  # You can use the temporary credentials created by `GetFederationToken`
1768
- # in any AWS service except the following:
1783
+ # in any Amazon Web Services service except the following:
1769
1784
  #
1770
- # * You cannot call any IAM operations using the AWS CLI or the AWS API.
1785
+ # * You cannot call any IAM operations using the CLI or the Amazon Web
1786
+ # Services API.
1771
1787
  #
1772
1788
  # * You cannot call any STS operations except `GetCallerIdentity`.
1773
1789
  #
@@ -1813,27 +1829,29 @@ module Aws::STS
1813
1829
  # </note>
1814
1830
  #
1815
1831
  # You can also call `GetFederationToken` using the security credentials
1816
- # of an AWS account root user, but we do not recommend it. Instead, we
1817
- # recommend that you create an IAM user for the purpose of the proxy
1818
- # application. Then attach a policy to the IAM user that limits
1819
- # federated users to only the actions and resources that they need to
1820
- # access. For more information, see [IAM Best Practices][5] in the *IAM
1821
- # User Guide*.
1832
+ # of an Amazon Web Services account root user, but we do not recommend
1833
+ # it. Instead, we recommend that you create an IAM user for the purpose
1834
+ # of the proxy application. Then attach a policy to the IAM user that
1835
+ # limits federated users to only the actions and resources that they
1836
+ # need to access. For more information, see [IAM Best Practices][5] in
1837
+ # the *IAM User Guide*.
1822
1838
  #
1823
1839
  # **Session duration**
1824
1840
  #
1825
1841
  # The temporary credentials are valid for the specified duration, from
1826
1842
  # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1827
1843
  # hours). The default session duration is 43,200 seconds (12 hours).
1828
- # Temporary credentials that are obtained by using AWS account root user
1829
- # credentials have a maximum duration of 3,600 seconds (1 hour).
1844
+ # Temporary credentials that are obtained by using Amazon Web Services
1845
+ # account root user credentials have a maximum duration of 3,600 seconds
1846
+ # (1 hour).
1830
1847
  #
1831
1848
  # **Permissions**
1832
1849
  #
1833
1850
  # You can use the temporary credentials created by `GetFederationToken`
1834
- # in any AWS service except the following:
1851
+ # in any Amazon Web Services service except the following:
1835
1852
  #
1836
- # * You cannot call any IAM operations using the AWS CLI or the AWS API.
1853
+ # * You cannot call any IAM operations using the CLI or the Amazon Web
1854
+ # Services API.
1837
1855
  #
1838
1856
  # * You cannot call any STS operations except `GetCallerIdentity`.
1839
1857
  #
@@ -1941,12 +1959,12 @@ module Aws::STS
1941
1959
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1942
1960
  # characters.
1943
1961
  #
1944
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1945
- # tags into a packed binary format that has a separate limit. Your
1946
- # request can fail for this limit even if your plaintext meets the other
1947
- # requirements. The `PackedPolicySize` response element indicates by
1948
- # percentage how close the policies and tags for your request are to the
1949
- # upper size limit.
1962
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1963
+ # policies and session tags into a packed binary format that has a
1964
+ # separate limit. Your request can fail for this limit even if your
1965
+ # plaintext meets the other requirements. The `PackedPolicySize`
1966
+ # response element indicates by percentage how close the policies and
1967
+ # tags for your request are to the upper size limit.
1950
1968
  #
1951
1969
  # </note>
1952
1970
  #
@@ -1965,8 +1983,9 @@ module Aws::STS
1965
1983
  # to use as managed session policies. The plaintext that you use for
1966
1984
  # both inline and managed session policies can't exceed 2,048
1967
1985
  # characters. You can provide up to 10 managed policy ARNs. For more
1968
- # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
1969
- # Service Namespaces][2] in the AWS General Reference.
1986
+ # information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
1987
+ # Web Services Service Namespaces][2] in the Amazon Web Services General
1988
+ # Reference.
1970
1989
  #
1971
1990
  # This parameter is optional. However, if you do not pass any session
1972
1991
  # policies, then the resulting federated user session has no
@@ -1987,12 +2006,12 @@ module Aws::STS
1987
2006
  # are granted in addition to the permissions that are granted by the
1988
2007
  # session policies.
1989
2008
  #
1990
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1991
- # tags into a packed binary format that has a separate limit. Your
1992
- # request can fail for this limit even if your plaintext meets the other
1993
- # requirements. The `PackedPolicySize` response element indicates by
1994
- # percentage how close the policies and tags for your request are to the
1995
- # upper size limit.
2009
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
2010
+ # policies and session tags into a packed binary format that has a
2011
+ # separate limit. Your request can fail for this limit even if your
2012
+ # plaintext meets the other requirements. The `PackedPolicySize`
2013
+ # response element indicates by percentage how close the policies and
2014
+ # tags for your request are to the upper size limit.
1996
2015
  #
1997
2016
  # </note>
1998
2017
  #
@@ -2005,10 +2024,10 @@ module Aws::STS
2005
2024
  # The duration, in seconds, that the session should last. Acceptable
2006
2025
  # durations for federation sessions range from 900 seconds (15 minutes)
2007
2026
  # to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
2008
- # default. Sessions obtained using AWS account root user credentials are
2009
- # restricted to a maximum of 3,600 seconds (one hour). If the specified
2010
- # duration is longer than one hour, the session obtained by using root
2011
- # user credentials defaults to one hour.
2027
+ # default. Sessions obtained using Amazon Web Services account root user
2028
+ # credentials are restricted to a maximum of 3,600 seconds (one hour).
2029
+ # If the specified duration is longer than one hour, the session
2030
+ # obtained by using root user credentials defaults to one hour.
2012
2031
  #
2013
2032
  # @option params [Array<Types::Tag>] :tags
2014
2033
  # A list of session tags. Each session tag consists of a key name and an
@@ -2020,12 +2039,12 @@ module Aws::STS
2020
2039
  # can’t exceed 256 characters. For these and additional limits, see [IAM
2021
2040
  # and STS Character Limits][2] in the *IAM User Guide*.
2022
2041
  #
2023
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
2024
- # tags into a packed binary format that has a separate limit. Your
2025
- # request can fail for this limit even if your plaintext meets the other
2026
- # requirements. The `PackedPolicySize` response element indicates by
2027
- # percentage how close the policies and tags for your request are to the
2028
- # upper size limit.
2042
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
2043
+ # policies and session tags into a packed binary format that has a
2044
+ # separate limit. Your request can fail for this limit even if your
2045
+ # plaintext meets the other requirements. The `PackedPolicySize`
2046
+ # response element indicates by percentage how close the policies and
2047
+ # tags for your request are to the upper size limit.
2029
2048
  #
2030
2049
  # </note>
2031
2050
  #
@@ -2123,37 +2142,38 @@ module Aws::STS
2123
2142
  req.send_request(options)
2124
2143
  end
2125
2144
 
2126
- # Returns a set of temporary credentials for an AWS account or IAM user.
2127
- # The credentials consist of an access key ID, a secret access key, and
2128
- # a security token. Typically, you use `GetSessionToken` if you want to
2129
- # use MFA to protect programmatic calls to specific AWS API operations
2130
- # like Amazon EC2 `StopInstances`. MFA-enabled IAM users would need to
2131
- # call `GetSessionToken` and submit an MFA code that is associated with
2132
- # their MFA device. Using the temporary security credentials that are
2133
- # returned from the call, IAM users can then make programmatic calls to
2134
- # API operations that require MFA authentication. If you do not supply a
2145
+ # Returns a set of temporary credentials for an Amazon Web Services
2146
+ # account or IAM user. The credentials consist of an access key ID, a
2147
+ # secret access key, and a security token. Typically, you use
2148
+ # `GetSessionToken` if you want to use MFA to protect programmatic calls
2149
+ # to specific Amazon Web Services API operations like Amazon EC2
2150
+ # `StopInstances`. MFA-enabled IAM users would need to call
2151
+ # `GetSessionToken` and submit an MFA code that is associated with their
2152
+ # MFA device. Using the temporary security credentials that are returned
2153
+ # from the call, IAM users can then make programmatic calls to API
2154
+ # operations that require MFA authentication. If you do not supply a
2135
2155
  # correct MFA code, then the API returns an access denied error. For a
2136
2156
  # comparison of `GetSessionToken` with the other API operations that
2137
2157
  # produce temporary credentials, see [Requesting Temporary Security
2138
- # Credentials][1] and [Comparing the AWS STS API operations][2] in the
2139
- # *IAM User Guide*.
2158
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
2159
+ # User Guide*.
2140
2160
  #
2141
2161
  # **Session Duration**
2142
2162
  #
2143
2163
  # The `GetSessionToken` operation must be called by using the long-term
2144
- # AWS security credentials of the AWS account root user or an IAM user.
2145
- # Credentials that are created by IAM users are valid for the duration
2146
- # that you specify. This duration can range from 900 seconds (15
2147
- # minutes) up to a maximum of 129,600 seconds (36 hours), with a default
2148
- # of 43,200 seconds (12 hours). Credentials based on account credentials
2149
- # can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour),
2150
- # with a default of 1 hour.
2164
+ # Amazon Web Services security credentials of the Amazon Web Services
2165
+ # account root user or an IAM user. Credentials that are created by IAM
2166
+ # users are valid for the duration that you specify. This duration can
2167
+ # range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds
2168
+ # (36 hours), with a default of 43,200 seconds (12 hours). Credentials
2169
+ # based on account credentials can range from 900 seconds (15 minutes)
2170
+ # up to 3,600 seconds (1 hour), with a default of 1 hour.
2151
2171
  #
2152
2172
  # **Permissions**
2153
2173
  #
2154
2174
  # The temporary security credentials created by `GetSessionToken` can be
2155
- # used to make API calls to any AWS service with the following
2156
- # exceptions:
2175
+ # used to make API calls to any Amazon Web Services service with the
2176
+ # following exceptions:
2157
2177
  #
2158
2178
  # * You cannot call any IAM API operations unless MFA authentication
2159
2179
  # information is included in the request.
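Review bot: The rewording at new lines 2175-2176 leaves "any Amazon Web Services service", which doubles the word and reads like a mechanical substitution of "AWS"; something like `# used to make API calls to any service in Amazon Web Services, with the` would read cleanly. The later hunk `@@ -2202,8 +2224,8 @@` has the opposite problem: "the AWS Management Console" became "the Management Console", so the `:serial_number` text no longer says which console holds the MFA device details, and `# device for an IAM user by going to the Amazon Web Services Management Console and` would keep the qualifier. These comments look generated from the service model, so the wording probably has to be corrected upstream rather than in this file. The doc comment for this operation begins and ends outside both hunks.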
@@ -2161,20 +2181,21 @@ module Aws::STS
2161
2181
  # * You cannot call any STS API *except* `AssumeRole` or
2162
2182
  # `GetCallerIdentity`.
2163
2183
  #
2164
- # <note markdown="1"> We recommend that you do not call `GetSessionToken` with AWS account
2165
- # root user credentials. Instead, follow our [best practices][3] by
2166
- # creating one or more IAM users, giving them the necessary permissions,
2167
- # and using IAM users for everyday interaction with AWS.
2184
+ # <note markdown="1"> We recommend that you do not call `GetSessionToken` with Amazon Web
2185
+ # Services account root user credentials. Instead, follow our [best
2186
+ # practices][3] by creating one or more IAM users, giving them the
2187
+ # necessary permissions, and using IAM users for everyday interaction
2188
+ # with Amazon Web Services.
2168
2189
  #
2169
2190
  # </note>
2170
2191
  #
2171
2192
  # The credentials that are returned by `GetSessionToken` are based on
2172
2193
  # permissions associated with the user whose credentials were used to
2173
- # call the operation. If `GetSessionToken` is called using AWS account
2174
- # root user credentials, the temporary credentials have root user
2175
- # permissions. Similarly, if `GetSessionToken` is called using the
2176
- # credentials of an IAM user, the temporary credentials have the same
2177
- # permissions as the IAM user.
2194
+ # call the operation. If `GetSessionToken` is called using Amazon Web
2195
+ # Services account root user credentials, the temporary credentials have
2196
+ # root user permissions. Similarly, if `GetSessionToken` is called using
2197
+ # the credentials of an IAM user, the temporary credentials have the
2198
+ # same permissions as the IAM user.
2178
2199
  #
2179
2200
  # For more information about using `GetSessionToken` to create temporary
2180
2201
  # credentials, go to [Temporary Credentials for Users in Untrusted
@@ -2191,9 +2212,10 @@ module Aws::STS
2191
2212
  # The duration, in seconds, that the credentials should remain valid.
2192
2213
  # Acceptable durations for IAM user sessions range from 900 seconds (15
2193
2214
  # minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
2194
- # as the default. Sessions for AWS account owners are restricted to a
2195
- # maximum of 3,600 seconds (one hour). If the duration is longer than
2196
- # one hour, the session for AWS account owners defaults to one hour.
2215
+ # as the default. Sessions for Amazon Web Services account owners are
2216
+ # restricted to a maximum of 3,600 seconds (one hour). If the duration
2217
+ # is longer than one hour, the session for Amazon Web Services account
2218
+ # owners defaults to one hour.
2197
2219
  #
2198
2220
  # @option params [String] :serial_number
2199
2221
  # The identification number of the MFA device that is associated with
@@ -2202,8 +2224,8 @@ module Aws::STS
2202
2224
  # The value is either the serial number for a hardware device (such as
2203
2225
  # `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual device
2204
2226
  # (such as `arn:aws:iam::123456789012:mfa/user`). You can find the
2205
- # device for an IAM user by going to the AWS Management Console and
2206
- # viewing the user's security credentials.
2227
+ # device for an IAM user by going to the Management Console and viewing
2228
+ # the user's security credentials.
2207
2229
  #
2208
2230
  # The regex used to validate this parameter is a string of characters
2209
2231
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -2281,7 +2303,7 @@ module Aws::STS
2281
2303
  params: params,
2282
2304
  config: config)
2283
2305
  context[:gem_name] = 'aws-sdk-core'
2284
- context[:gem_version] = '3.115.0'
2306
+ context[:gem_version] = '3.117.0'
2285
2307
  Seahorse::Client::Request.new(handlers, context)
2286
2308
  end
2287
2309