aws-sdk-core 3.125.6 → 3.188.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +533 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +4 -4
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/assume_role_credentials.rb +21 -7
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +14 -10
- data/lib/aws-sdk-core/binary/encode_handler.rb +12 -1
- data/lib/aws-sdk-core/client_stubs.rb +5 -1
- data/lib/aws-sdk-core/credential_provider.rb +3 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +8 -5
- data/lib/aws-sdk-core/ec2_metadata.rb +3 -2
- data/lib/aws-sdk-core/ecs_credentials.rb +186 -52
- data/lib/aws-sdk-core/endpoints/condition.rb +41 -0
- data/lib/aws-sdk-core/endpoints/endpoint.rb +17 -0
- data/lib/aws-sdk-core/endpoints/endpoint_rule.rb +75 -0
- data/lib/aws-sdk-core/endpoints/error_rule.rb +42 -0
- data/lib/aws-sdk-core/endpoints/function.rb +80 -0
- data/lib/aws-sdk-core/endpoints/matchers.rb +131 -0
- data/lib/aws-sdk-core/endpoints/reference.rb +31 -0
- data/lib/aws-sdk-core/endpoints/rule.rb +25 -0
- data/lib/aws-sdk-core/endpoints/rule_set.rb +52 -0
- data/lib/aws-sdk-core/endpoints/rules_provider.rb +37 -0
- data/lib/aws-sdk-core/endpoints/templater.rb +58 -0
- data/lib/aws-sdk-core/endpoints/tree_rule.rb +45 -0
- data/lib/aws-sdk-core/endpoints/url.rb +60 -0
- data/lib/aws-sdk-core/endpoints.rb +78 -0
- data/lib/aws-sdk-core/errors.rb +14 -1
- data/lib/aws-sdk-core/ini_parser.rb +7 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +124 -31
- data/lib/aws-sdk-core/json/error_handler.rb +20 -1
- data/lib/aws-sdk-core/json/handler.rb +8 -1
- data/lib/aws-sdk-core/json/parser.rb +27 -2
- data/lib/aws-sdk-core/log/formatter.rb +6 -0
- data/lib/aws-sdk-core/pageable_response.rb +81 -32
- data/lib/aws-sdk-core/param_validator.rb +2 -2
- data/lib/aws-sdk-core/plugins/bearer_authorization.rb +67 -0
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +340 -0
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +24 -0
- data/lib/aws-sdk-core/plugins/endpoint_discovery.rb +6 -2
- data/lib/aws-sdk-core/plugins/http_checksum.rb +8 -1
- data/lib/aws-sdk-core/plugins/jsonvalue_converter.rb +34 -6
- data/lib/aws-sdk-core/plugins/recursion_detection.rb +38 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +111 -30
- data/lib/aws-sdk-core/plugins/request_compression.rb +217 -0
- data/lib/aws-sdk-core/plugins/response_paging.rb +1 -1
- data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +3 -2
- data/lib/aws-sdk-core/plugins/retry_errors.rb +12 -2
- data/lib/aws-sdk-core/plugins/sign.rb +201 -0
- data/lib/aws-sdk-core/plugins/signature_v2.rb +1 -0
- data/lib/aws-sdk-core/plugins/signature_v4.rb +15 -8
- data/lib/aws-sdk-core/plugins/stub_responses.rb +5 -1
- data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
- data/lib/aws-sdk-core/process_credentials.rb +9 -11
- data/lib/aws-sdk-core/refreshing_credentials.rb +41 -16
- data/lib/aws-sdk-core/refreshing_token.rb +71 -0
- data/lib/aws-sdk-core/rest/handler.rb +1 -1
- data/lib/aws-sdk-core/rest/request/headers.rb +2 -6
- data/lib/aws-sdk-core/rest/request/querystring_builder.rb +43 -29
- data/lib/aws-sdk-core/shared_config.rb +107 -12
- data/lib/aws-sdk-core/sso_credentials.rb +91 -50
- data/lib/aws-sdk-core/sso_token_provider.rb +135 -0
- data/lib/aws-sdk-core/static_token_provider.rb +14 -0
- data/lib/aws-sdk-core/structure.rb +6 -4
- data/lib/aws-sdk-core/stubbing/stub_data.rb +11 -0
- data/lib/aws-sdk-core/token.rb +31 -0
- data/lib/aws-sdk-core/token_provider.rb +15 -0
- data/lib/aws-sdk-core/token_provider_chain.rb +51 -0
- data/lib/aws-sdk-core/waiters/poller.rb +3 -1
- data/lib/aws-sdk-core/xml/error_handler.rb +7 -0
- data/lib/aws-sdk-core/xml/parser/engines/oga.rb +2 -0
- data/lib/aws-sdk-core.rb +14 -0
- data/lib/aws-sdk-sso/client.rb +75 -11
- data/lib/aws-sdk-sso/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-sso/endpoint_provider.rb +57 -0
- data/lib/aws-sdk-sso/endpoints.rb +72 -0
- data/lib/aws-sdk-sso/plugins/endpoints.rb +76 -0
- data/lib/aws-sdk-sso/types.rb +8 -43
- data/lib/aws-sdk-sso.rb +5 -1
- data/lib/aws-sdk-ssooidc/client.rb +935 -0
- data/lib/aws-sdk-ssooidc/client_api.rb +271 -0
- data/lib/aws-sdk-ssooidc/customizations.rb +1 -0
- data/lib/aws-sdk-ssooidc/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +57 -0
- data/lib/aws-sdk-ssooidc/endpoints.rb +72 -0
- data/lib/aws-sdk-ssooidc/errors.rb +321 -0
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +76 -0
- data/lib/aws-sdk-ssooidc/resource.rb +26 -0
- data/lib/aws-sdk-ssooidc/types.rb +755 -0
- data/lib/aws-sdk-ssooidc.rb +59 -0
- data/lib/aws-sdk-sts/client.rb +330 -262
- data/lib/aws-sdk-sts/client_api.rb +12 -1
- data/lib/aws-sdk-sts/endpoint_parameters.rb +78 -0
- data/lib/aws-sdk-sts/endpoint_provider.rb +112 -0
- data/lib/aws-sdk-sts/endpoints.rb +136 -0
- data/lib/aws-sdk-sts/plugins/endpoints.rb +84 -0
- data/lib/aws-sdk-sts/presigner.rb +14 -16
- data/lib/aws-sdk-sts/types.rb +135 -204
- data/lib/aws-sdk-sts.rb +5 -1
- data/lib/seahorse/client/async_base.rb +0 -1
- data/lib/seahorse/client/configuration.rb +1 -5
- data/lib/seahorse/client/h2/connection.rb +12 -11
- data/lib/seahorse/client/net_http/patches.rb +1 -4
- data/lib/seahorse/client/plugins/h2.rb +3 -3
- data/lib/seahorse/client/plugins/request_callback.rb +40 -9
- data/lib/seahorse/client/response.rb +6 -0
- data/lib/seahorse/model/operation.rb +6 -0
- data/lib/seahorse/util.rb +4 -0
- metadata +59 -9
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -27,8 +27,11 @@ require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
|
|
27
27
|
require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
28
28
|
require 'aws-sdk-core/plugins/transfer_encoding.rb'
|
29
29
|
require 'aws-sdk-core/plugins/http_checksum.rb'
|
30
|
+
require 'aws-sdk-core/plugins/checksum_algorithm.rb'
|
31
|
+
require 'aws-sdk-core/plugins/request_compression.rb'
|
30
32
|
require 'aws-sdk-core/plugins/defaults_mode.rb'
|
31
|
-
require 'aws-sdk-core/plugins/
|
33
|
+
require 'aws-sdk-core/plugins/recursion_detection.rb'
|
34
|
+
require 'aws-sdk-core/plugins/sign.rb'
|
32
35
|
require 'aws-sdk-core/plugins/protocols/query.rb'
|
33
36
|
require 'aws-sdk-sts/plugins/sts_regional_endpoints.rb'
|
34
37
|
|
@@ -75,10 +78,14 @@ module Aws::STS
|
|
75
78
|
add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
|
76
79
|
add_plugin(Aws::Plugins::TransferEncoding)
|
77
80
|
add_plugin(Aws::Plugins::HttpChecksum)
|
81
|
+
add_plugin(Aws::Plugins::ChecksumAlgorithm)
|
82
|
+
add_plugin(Aws::Plugins::RequestCompression)
|
78
83
|
add_plugin(Aws::Plugins::DefaultsMode)
|
79
|
-
add_plugin(Aws::Plugins::
|
84
|
+
add_plugin(Aws::Plugins::RecursionDetection)
|
85
|
+
add_plugin(Aws::Plugins::Sign)
|
80
86
|
add_plugin(Aws::Plugins::Protocols::Query)
|
81
87
|
add_plugin(Aws::STS::Plugins::STSRegionalEndpoints)
|
88
|
+
add_plugin(Aws::STS::Plugins::Endpoints)
|
82
89
|
|
83
90
|
# @overload initialize(options)
|
84
91
|
# @param [Hash] options
|
@@ -187,6 +194,10 @@ module Aws::STS
|
|
187
194
|
# Set to true to disable SDK automatically adding host prefix
|
188
195
|
# to default service endpoint when available.
|
189
196
|
#
|
197
|
+
# @option options [Boolean] :disable_request_compression (false)
|
198
|
+
# When set to 'true' the request body will not be compressed
|
199
|
+
# for supported operations.
|
200
|
+
#
|
190
201
|
# @option options [String] :endpoint
|
191
202
|
# The client endpoint is normally constructed from the `:region`
|
192
203
|
# option. You should only configure an `:endpoint` when connecting
|
@@ -207,6 +218,10 @@ module Aws::STS
|
|
207
218
|
# @option options [Boolean] :endpoint_discovery (false)
|
208
219
|
# When set to `true`, endpoint discovery will be enabled for operations when available.
|
209
220
|
#
|
221
|
+
# @option options [Boolean] :ignore_configured_endpoint_urls
|
222
|
+
# Setting to true disables use of endpoint URLs provided via environment
|
223
|
+
# variables and the shared configuration file.
|
224
|
+
#
|
210
225
|
# @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
|
211
226
|
# The log formatter.
|
212
227
|
#
|
@@ -227,6 +242,11 @@ module Aws::STS
|
|
227
242
|
# Used when loading credentials from the shared credentials file
|
228
243
|
# at HOME/.aws/credentials. When not specified, 'default' is used.
|
229
244
|
#
|
245
|
+
# @option options [Integer] :request_min_compression_size_bytes (10240)
|
246
|
+
# The minimum size in bytes that triggers compression for request
|
247
|
+
# bodies. The value must be non-negative integer value between 0
|
248
|
+
# and 10485780 bytes inclusive.
|
249
|
+
#
|
230
250
|
# @option options [Proc] :retry_backoff
|
231
251
|
# A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
|
232
252
|
# This option is only used in the `legacy` retry mode.
|
@@ -272,6 +292,11 @@ module Aws::STS
|
|
272
292
|
# in the future.
|
273
293
|
#
|
274
294
|
#
|
295
|
+
# @option options [String] :sdk_ua_app_id
|
296
|
+
# A unique and opaque application ID that is appended to the
|
297
|
+
# User-Agent header as app/<sdk_ua_app_id>. It should have a
|
298
|
+
# maximum length of 50.
|
299
|
+
#
|
275
300
|
# @option options [String] :secret_access_key
|
276
301
|
#
|
277
302
|
# @option options [String] :session_token
|
@@ -290,6 +315,19 @@ module Aws::STS
|
|
290
315
|
# ** Please note ** When response stubbing is enabled, no HTTP
|
291
316
|
# requests are made, and retries are disabled.
|
292
317
|
#
|
318
|
+
# @option options [Aws::TokenProvider] :token_provider
|
319
|
+
# A Bearer Token Provider. This can be an instance of any one of the
|
320
|
+
# following classes:
|
321
|
+
#
|
322
|
+
# * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
|
323
|
+
# tokens.
|
324
|
+
#
|
325
|
+
# * `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
|
326
|
+
# access token generated from `aws login`.
|
327
|
+
#
|
328
|
+
# When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
|
329
|
+
# will be used to search for tokens configured for your profile in shared configuration files.
|
330
|
+
#
|
293
331
|
# @option options [Boolean] :use_dualstack_endpoint
|
294
332
|
# When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
|
295
333
|
# will be used if available.
|
@@ -303,6 +341,9 @@ module Aws::STS
|
|
303
341
|
# When `true`, request parameters are validated before
|
304
342
|
# sending the request.
|
305
343
|
#
|
344
|
+
# @option options [Aws::STS::EndpointProvider] :endpoint_provider
|
345
|
+
# The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::STS::EndpointParameters`
|
346
|
+
#
|
306
347
|
# @option options [URI::HTTP,String] :http_proxy A proxy to send
|
307
348
|
# requests through. Formatted like 'http://proxy.com:123'.
|
308
349
|
#
|
@@ -355,14 +396,13 @@ module Aws::STS
|
|
355
396
|
# @!group API Operations
|
356
397
|
|
357
398
|
# Returns a set of temporary security credentials that you can use to
|
358
|
-
# access Amazon Web Services resources
|
359
|
-
#
|
360
|
-
#
|
361
|
-
#
|
362
|
-
#
|
363
|
-
#
|
364
|
-
#
|
365
|
-
# operations][2] in the *IAM User Guide*.
|
399
|
+
# access Amazon Web Services resources. These temporary credentials
|
400
|
+
# consist of an access key ID, a secret access key, and a security
|
401
|
+
# token. Typically, you use `AssumeRole` within your account or for
|
402
|
+
# cross-account access. For a comparison of `AssumeRole` with other API
|
403
|
+
# operations that produce temporary credentials, see [Requesting
|
404
|
+
# Temporary Security Credentials][1] and [Comparing the Amazon Web
|
405
|
+
# Services STS API operations][2] in the *IAM User Guide*.
|
366
406
|
#
|
367
407
|
# **Permissions**
|
368
408
|
#
|
@@ -373,23 +413,24 @@ module Aws::STS
|
|
373
413
|
#
|
374
414
|
# (Optional) You can pass inline or managed [session policies][3] to
|
375
415
|
# this operation. You can pass a single JSON policy document to use as
|
376
|
-
# an inline session policy. You can also specify up to 10 managed
|
377
|
-
#
|
378
|
-
# use for both inline and managed session policies
|
379
|
-
# characters. Passing policies to this operation
|
380
|
-
# credentials. The resulting session's
|
381
|
-
# of the role's identity-based policy
|
382
|
-
# use the role's temporary
|
383
|
-
# Services API calls to access
|
384
|
-
# role. You cannot use session
|
385
|
-
#
|
386
|
-
#
|
387
|
-
# User Guide*.
|
388
|
-
#
|
389
|
-
# When you create a role, you create two policies:
|
390
|
-
# that specifies *who* can assume the role and a permissions policy
|
391
|
-
# specifies *what* can be done with the role. You specify the
|
392
|
-
# principal
|
416
|
+
# an inline session policy. You can also specify up to 10 managed policy
|
417
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
418
|
+
# plaintext that you use for both inline and managed session policies
|
419
|
+
# can't exceed 2,048 characters. Passing policies to this operation
|
420
|
+
# returns new temporary credentials. The resulting session's
|
421
|
+
# permissions are the intersection of the role's identity-based policy
|
422
|
+
# and the session policies. You can use the role's temporary
|
423
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
424
|
+
# resources in the account that owns the role. You cannot use session
|
425
|
+
# policies to grant more permissions than those allowed by the
|
426
|
+
# identity-based policy of the role that is being assumed. For more
|
427
|
+
# information, see [Session Policies][3] in the *IAM User Guide*.
|
428
|
+
#
|
429
|
+
# When you create a role, you create two policies: a role trust policy
|
430
|
+
# that specifies *who* can assume the role, and a permissions policy
|
431
|
+
# that specifies *what* can be done with the role. You specify the
|
432
|
+
# trusted principal that is allowed to assume the role in the role trust
|
433
|
+
# policy.
|
393
434
|
#
|
394
435
|
# To assume a role from a different account, your Amazon Web Services
|
395
436
|
# account must be trusted by the role. The trust relationship is defined
|
@@ -398,10 +439,9 @@ module Aws::STS
|
|
398
439
|
# users in the account.
|
399
440
|
#
|
400
441
|
# A user who wants to access a role in a different account must also
|
401
|
-
# have permissions that are delegated from the
|
402
|
-
#
|
403
|
-
#
|
404
|
-
# account.
|
442
|
+
# have permissions that are delegated from the account administrator.
|
443
|
+
# The administrator must attach a policy that allows the user to call
|
444
|
+
# `AssumeRole` for the ARN of the role in the other account.
|
405
445
|
#
|
406
446
|
# To allow a user to assume a role in the same account, you can do
|
407
447
|
# either of the following:
|
@@ -498,12 +538,12 @@ module Aws::STS
|
|
498
538
|
# about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
|
499
539
|
# Service Namespaces][1] in the Amazon Web Services General Reference.
|
500
540
|
#
|
501
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
502
|
-
#
|
503
|
-
# separate limit. Your request can fail for this limit
|
504
|
-
# plaintext meets the other requirements. The
|
505
|
-
# response element indicates by percentage how close
|
506
|
-
# tags for your request are to the upper size limit.
|
541
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
542
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
543
|
+
# format that has a separate limit. Your request can fail for this limit
|
544
|
+
# even if your plaintext meets the other requirements. The
|
545
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
546
|
+
# the policies and tags for your request are to the upper size limit.
|
507
547
|
#
|
508
548
|
# </note>
|
509
549
|
#
|
@@ -543,12 +583,12 @@ module Aws::STS
|
|
543
583
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
544
584
|
# characters.
|
545
585
|
#
|
546
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
547
|
-
#
|
548
|
-
# separate limit. Your request can fail for this limit
|
549
|
-
# plaintext meets the other requirements. The
|
550
|
-
# response element indicates by percentage how close
|
551
|
-
# tags for your request are to the upper size limit.
|
586
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
587
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
588
|
+
# format that has a separate limit. Your request can fail for this limit
|
589
|
+
# even if your plaintext meets the other requirements. The
|
590
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
591
|
+
# the policies and tags for your request are to the upper size limit.
|
552
592
|
#
|
553
593
|
# </note>
|
554
594
|
#
|
@@ -606,12 +646,12 @@ module Aws::STS
|
|
606
646
|
# can’t exceed 256 characters. For these and additional limits, see [IAM
|
607
647
|
# and STS Character Limits][2] in the *IAM User Guide*.
|
608
648
|
#
|
609
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
610
|
-
#
|
611
|
-
# separate limit. Your request can fail for this limit
|
612
|
-
# plaintext meets the other requirements. The
|
613
|
-
# response element indicates by percentage how close
|
614
|
-
# tags for your request are to the upper size limit.
|
649
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
650
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
651
|
+
# format that has a separate limit. Your request can fail for this limit
|
652
|
+
# even if your plaintext meets the other requirements. The
|
653
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
654
|
+
# the policies and tags for your request are to the upper size limit.
|
615
655
|
#
|
616
656
|
# </note>
|
617
657
|
#
|
@@ -637,7 +677,7 @@ module Aws::STS
|
|
637
677
|
#
|
638
678
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
639
679
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
640
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
680
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
|
641
681
|
#
|
642
682
|
# @option params [Array<String>] :transitive_tag_keys
|
643
683
|
# A list of keys for session tags that you want to set as transitive. If
|
@@ -726,6 +766,17 @@ module Aws::STS
|
|
726
766
|
#
|
727
767
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
728
768
|
#
|
769
|
+
# @option params [Array<Types::ProvidedContext>] :provided_contexts
|
770
|
+
# A list of previously acquired trusted context assertions in the format
|
771
|
+
# of a JSON array. The trusted context assertion is signed and encrypted
|
772
|
+
# by Amazon Web Services STS.
|
773
|
+
#
|
774
|
+
# The following is an example of a `ProvidedContext` value that includes
|
775
|
+
# a single trusted context assertion and the ARN of the context provider
|
776
|
+
# from which the trusted context assertion was generated.
|
777
|
+
#
|
778
|
+
# `[\{"ProviderArn":"arn:aws:iam::aws:contextProvider/identitycenter","ContextAssertion":"trusted-context-assertion"\}]`
|
779
|
+
#
|
729
780
|
# @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
730
781
|
#
|
731
782
|
# * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
|
@@ -786,7 +837,7 @@ module Aws::STS
|
|
786
837
|
# arn: "arnType",
|
787
838
|
# },
|
788
839
|
# ],
|
789
|
-
# policy: "
|
840
|
+
# policy: "unrestrictedSessionPolicyDocumentType",
|
790
841
|
# duration_seconds: 1,
|
791
842
|
# tags: [
|
792
843
|
# {
|
@@ -799,6 +850,12 @@ module Aws::STS
|
|
799
850
|
# serial_number: "serialNumberType",
|
800
851
|
# token_code: "tokenCodeType",
|
801
852
|
# source_identity: "sourceIdentityType",
|
853
|
+
# provided_contexts: [
|
854
|
+
# {
|
855
|
+
# provider_arn: "arnType",
|
856
|
+
# context_assertion: "contextAssertionType",
|
857
|
+
# },
|
858
|
+
# ],
|
802
859
|
# })
|
803
860
|
#
|
804
861
|
# @example Response structure
|
@@ -874,18 +931,18 @@ module Aws::STS
|
|
874
931
|
#
|
875
932
|
# (Optional) You can pass inline or managed [session policies][6] to
|
876
933
|
# this operation. You can pass a single JSON policy document to use as
|
877
|
-
# an inline session policy. You can also specify up to 10 managed
|
878
|
-
#
|
879
|
-
# use for both inline and managed session policies
|
880
|
-
# characters. Passing policies to this operation
|
881
|
-
# credentials. The resulting session's
|
882
|
-
# of the role's identity-based policy
|
883
|
-
# use the role's temporary
|
884
|
-
# Services API calls to access
|
885
|
-
# role. You cannot use session
|
886
|
-
#
|
887
|
-
#
|
888
|
-
# User Guide*.
|
934
|
+
# an inline session policy. You can also specify up to 10 managed policy
|
935
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
936
|
+
# plaintext that you use for both inline and managed session policies
|
937
|
+
# can't exceed 2,048 characters. Passing policies to this operation
|
938
|
+
# returns new temporary credentials. The resulting session's
|
939
|
+
# permissions are the intersection of the role's identity-based policy
|
940
|
+
# and the session policies. You can use the role's temporary
|
941
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
942
|
+
# resources in the account that owns the role. You cannot use session
|
943
|
+
# policies to grant more permissions than those allowed by the
|
944
|
+
# identity-based policy of the role that is being assumed. For more
|
945
|
+
# information, see [Session Policies][6] in the *IAM User Guide*.
|
889
946
|
#
|
890
947
|
# Calling `AssumeRoleWithSAML` does not require the use of Amazon Web
|
891
948
|
# Services security credentials. The identity of the caller is validated
|
@@ -911,12 +968,12 @@ module Aws::STS
|
|
911
968
|
# characters. For these and additional limits, see [IAM and STS
|
912
969
|
# Character Limits][8] in the *IAM User Guide*.
|
913
970
|
#
|
914
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
915
|
-
#
|
916
|
-
# separate limit. Your request can fail for this limit
|
917
|
-
# plaintext meets the other requirements. The
|
918
|
-
# response element indicates by percentage how close
|
919
|
-
# tags for your request are to the upper size limit.
|
971
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
972
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
973
|
+
# format that has a separate limit. Your request can fail for this limit
|
974
|
+
# even if your plaintext meets the other requirements. The
|
975
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
976
|
+
# the policies and tags for your request are to the upper size limit.
|
920
977
|
#
|
921
978
|
# </note>
|
922
979
|
#
|
@@ -1002,12 +1059,12 @@ module Aws::STS
|
|
1002
1059
|
# about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
|
1003
1060
|
# Service Namespaces][1] in the Amazon Web Services General Reference.
|
1004
1061
|
#
|
1005
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1006
|
-
#
|
1007
|
-
# separate limit. Your request can fail for this limit
|
1008
|
-
# plaintext meets the other requirements. The
|
1009
|
-
# response element indicates by percentage how close
|
1010
|
-
# tags for your request are to the upper size limit.
|
1062
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
1063
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
1064
|
+
# format that has a separate limit. Your request can fail for this limit
|
1065
|
+
# even if your plaintext meets the other requirements. The
|
1066
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
1067
|
+
# the policies and tags for your request are to the upper size limit.
|
1011
1068
|
#
|
1012
1069
|
# </note>
|
1013
1070
|
#
|
@@ -1047,12 +1104,12 @@ module Aws::STS
|
|
1047
1104
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1048
1105
|
# characters.
|
1049
1106
|
#
|
1050
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1051
|
-
#
|
1052
|
-
# separate limit. Your request can fail for this limit
|
1053
|
-
# plaintext meets the other requirements. The
|
1054
|
-
# response element indicates by percentage how close
|
1055
|
-
# tags for your request are to the upper size limit.
|
1107
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
1108
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
1109
|
+
# format that has a separate limit. Your request can fail for this limit
|
1110
|
+
# even if your plaintext meets the other requirements. The
|
1111
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
1112
|
+
# the policies and tags for your request are to the upper size limit.
|
1056
1113
|
#
|
1057
1114
|
# </note>
|
1058
1115
|
#
|
@@ -1175,20 +1232,19 @@ module Aws::STS
|
|
1175
1232
|
|
1176
1233
|
# Returns a set of temporary security credentials for users who have
|
1177
1234
|
# been authenticated in a mobile or web application with a web identity
|
1178
|
-
# provider. Example providers include
|
1179
|
-
# Facebook,
|
1235
|
+
# provider. Example providers include the OAuth 2.0 providers Login with
|
1236
|
+
# Amazon and Facebook, or any OpenID Connect-compatible identity
|
1237
|
+
# provider such as Google or [Amazon Cognito federated identities][1].
|
1180
1238
|
#
|
1181
1239
|
# <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
|
1182
1240
|
# can use Amazon Cognito with the [Amazon Web Services SDK for iOS
|
1183
|
-
# Developer Guide][
|
1184
|
-
# Developer Guide][
|
1241
|
+
# Developer Guide][2] and the [Amazon Web Services SDK for Android
|
1242
|
+
# Developer Guide][3] to uniquely identify a user. You can also supply
|
1185
1243
|
# the user with a consistent identity throughout the lifetime of an
|
1186
1244
|
# application.
|
1187
1245
|
#
|
1188
|
-
# To learn more about Amazon Cognito, see [Amazon Cognito
|
1189
|
-
# in *Amazon
|
1190
|
-
# Cognito Overview][4] in the *Amazon Web Services SDK for iOS Developer
|
1191
|
-
# Guide*.
|
1246
|
+
# To learn more about Amazon Cognito, see [Amazon Cognito identity
|
1247
|
+
# pools][1] in *Amazon Cognito Developer Guide*.
|
1192
1248
|
#
|
1193
1249
|
# </note>
|
1194
1250
|
#
|
@@ -1202,8 +1258,8 @@ module Aws::STS
|
|
1202
1258
|
# a token from the web identity provider. For a comparison of
|
1203
1259
|
# `AssumeRoleWithWebIdentity` with the other API operations that produce
|
1204
1260
|
# temporary credentials, see [Requesting Temporary Security
|
1205
|
-
# Credentials][
|
1206
|
-
# operations][
|
1261
|
+
# Credentials][4] and [Comparing the Amazon Web Services STS API
|
1262
|
+
# operations][5] in the *IAM User Guide*.
|
1207
1263
|
#
|
1208
1264
|
# The temporary security credentials returned by this API consist of an
|
1209
1265
|
# access key ID, a secret access key, and a security token. Applications
|
@@ -1219,11 +1275,11 @@ module Aws::STS
|
|
1219
1275
|
# to the maximum session duration setting for the role. This setting can
|
1220
1276
|
# have a value from 1 hour to 12 hours. To learn how to view the maximum
|
1221
1277
|
# value for your role, see [View the Maximum Session Duration Setting
|
1222
|
-
# for a Role][
|
1278
|
+
# for a Role][6] in the *IAM User Guide*. The maximum session duration
|
1223
1279
|
# limit applies when you use the `AssumeRole*` API operations or the
|
1224
1280
|
# `assume-role*` CLI commands. However the limit does not apply when you
|
1225
1281
|
# use those operations to create a console URL. For more information,
|
1226
|
-
# see [Using IAM Roles][
|
1282
|
+
# see [Using IAM Roles][7] in the *IAM User Guide*.
|
1227
1283
|
#
|
1228
1284
|
# **Permissions**
|
1229
1285
|
#
|
@@ -1232,39 +1288,39 @@ module Aws::STS
|
|
1232
1288
|
# Amazon Web Services service with the following exception: you cannot
|
1233
1289
|
# call the STS `GetFederationToken` or `GetSessionToken` API operations.
|
1234
1290
|
#
|
1235
|
-
# (Optional) You can pass inline or managed [session policies][
|
1291
|
+
# (Optional) You can pass inline or managed [session policies][8] to
|
1236
1292
|
# this operation. You can pass a single JSON policy document to use as
|
1237
|
-
# an inline session policy. You can also specify up to 10 managed
|
1238
|
-
#
|
1239
|
-
# use for both inline and managed session policies
|
1240
|
-
# characters. Passing policies to this operation
|
1241
|
-
# credentials. The resulting session's
|
1242
|
-
# of the role's identity-based policy
|
1243
|
-
# use the role's temporary
|
1244
|
-
# Services API calls to access
|
1245
|
-
# role. You cannot use session
|
1246
|
-
#
|
1247
|
-
#
|
1248
|
-
# User Guide*.
|
1293
|
+
# an inline session policy. You can also specify up to 10 managed policy
|
1294
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
1295
|
+
# plaintext that you use for both inline and managed session policies
|
1296
|
+
# can't exceed 2,048 characters. Passing policies to this operation
|
1297
|
+
# returns new temporary credentials. The resulting session's
|
1298
|
+
# permissions are the intersection of the role's identity-based policy
|
1299
|
+
# and the session policies. You can use the role's temporary
|
1300
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
1301
|
+
# resources in the account that owns the role. You cannot use session
|
1302
|
+
# policies to grant more permissions than those allowed by the
|
1303
|
+
# identity-based policy of the role that is being assumed. For more
|
1304
|
+
# information, see [Session Policies][8] in the *IAM User Guide*.
|
1249
1305
|
#
|
1250
1306
|
# **Tags**
|
1251
1307
|
#
|
1252
1308
|
# (Optional) You can configure your IdP to pass attributes into your web
|
1253
1309
|
# identity token as session tags. Each session tag consists of a key
|
1254
1310
|
# name and an associated value. For more information about session tags,
|
1255
|
-
# see [Passing Session Tags in STS][
|
1311
|
+
# see [Passing Session Tags in STS][9] in the *IAM User Guide*.
|
1256
1312
|
#
|
1257
1313
|
# You can pass up to 50 session tags. The plaintext session tag keys
|
1258
1314
|
# can’t exceed 128 characters and the values can’t exceed 256
|
1259
1315
|
# characters. For these and additional limits, see [IAM and STS
|
1260
|
-
# Character Limits][
|
1316
|
+
# Character Limits][10] in the *IAM User Guide*.
|
1261
1317
|
#
|
1262
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1263
|
-
#
|
1264
|
-
# separate limit. Your request can fail for this limit
|
1265
|
-
# plaintext meets the other requirements. The
|
1266
|
-
# response element indicates by percentage how close
|
1267
|
-
# tags for your request are to the upper size limit.
|
1318
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
1319
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
1320
|
+
# format that has a separate limit. Your request can fail for this limit
|
1321
|
+
# even if your plaintext meets the other requirements. The
|
1322
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
1323
|
+
# the policies and tags for your request are to the upper size limit.
|
1268
1324
|
#
|
1269
1325
|
# </note>
|
1270
1326
|
#
|
@@ -1275,12 +1331,12 @@ module Aws::STS
|
|
1275
1331
|
# An administrator must grant you the permissions necessary to pass
|
1276
1332
|
# session tags. The administrator can also create granular permissions
|
1277
1333
|
# to allow you to pass only specific session tags. For more information,
|
1278
|
-
# see [Tutorial: Using Tags for Attribute-Based Access Control][
|
1334
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][11] in
|
1279
1335
|
# the *IAM User Guide*.
|
1280
1336
|
#
|
1281
1337
|
# You can set the session tags as transitive. Transitive tags persist
|
1282
1338
|
# during role chaining. For more information, see [Chaining Roles with
|
1283
|
-
# Session Tags][
|
1339
|
+
# Session Tags][12] in the *IAM User Guide*.
|
1284
1340
|
#
|
1285
1341
|
# **Identities**
|
1286
1342
|
#
|
@@ -1292,54 +1348,53 @@ module Aws::STS
|
|
1292
1348
|
# specified in the role's trust policy.
|
1293
1349
|
#
|
1294
1350
|
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your
|
1295
|
-
# CloudTrail logs. The entry includes the [Subject][
|
1351
|
+
# CloudTrail logs. The entry includes the [Subject][13] of the provided
|
1296
1352
|
# web identity token. We recommend that you avoid using any personally
|
1297
1353
|
# identifiable information (PII) in this field. For example, you could
|
1298
1354
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
1299
|
-
# specification][
|
1355
|
+
# specification][14].
|
1300
1356
|
#
|
1301
1357
|
# For more information about how to use web identity federation and the
|
1302
1358
|
# `AssumeRoleWithWebIdentity` API, see the following resources:
|
1303
1359
|
#
|
1304
|
-
# * [Using Web Identity Federation API Operations for Mobile Apps][
|
1305
|
-
# and [Federation Through a Web-based Identity Provider][
|
1360
|
+
# * [Using Web Identity Federation API Operations for Mobile Apps][15]
|
1361
|
+
# and [Federation Through a Web-based Identity Provider][16].
|
1306
1362
|
#
|
1307
|
-
# * [ Web Identity Federation Playground][
|
1363
|
+
# * [ Web Identity Federation Playground][17]. Walk through the process
|
1308
1364
|
# of authenticating through Login with Amazon, Facebook, or Google,
|
1309
1365
|
# getting temporary security credentials, and then using those
|
1310
1366
|
# credentials to make a request to Amazon Web Services.
|
1311
1367
|
#
|
1312
|
-
# * [Amazon Web Services SDK for iOS Developer Guide][
|
1313
|
-
# Services SDK for Android Developer Guide][
|
1368
|
+
# * [Amazon Web Services SDK for iOS Developer Guide][2] and [Amazon Web
|
1369
|
+
# Services SDK for Android Developer Guide][3]. These toolkits contain
|
1314
1370
|
# sample apps that show how to invoke the identity providers. The
|
1315
1371
|
# toolkits then show how to use the information from these providers
|
1316
1372
|
# to get and use temporary security credentials.
|
1317
1373
|
#
|
1318
|
-
# * [Web Identity Federation with Mobile Applications][
|
1374
|
+
# * [Web Identity Federation with Mobile Applications][18]. This article
|
1319
1375
|
# discusses web identity federation and shows an example of how to use
|
1320
1376
|
# web identity federation to get access to content in Amazon S3.
|
1321
1377
|
#
|
1322
1378
|
#
|
1323
1379
|
#
|
1324
|
-
# [1]:
|
1325
|
-
# [2]: http://aws.amazon.com/
|
1326
|
-
# [3]:
|
1327
|
-
# [4]: https://docs.aws.amazon.com/
|
1328
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1329
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1330
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
1331
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1332
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1333
|
-
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1334
|
-
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1335
|
-
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1336
|
-
# [13]:
|
1337
|
-
# [14]: http://openid.net/specs/openid-connect-core-1_0.html#
|
1338
|
-
# [15]:
|
1339
|
-
# [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1340
|
-
# [17]: https://
|
1341
|
-
# [18]:
|
1342
|
-
# [19]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
1380
|
+
# [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
|
1381
|
+
# [2]: http://aws.amazon.com/sdkforios/
|
1382
|
+
# [3]: http://aws.amazon.com/sdkforandroid/
|
1383
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1384
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
1385
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
1386
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
1387
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1388
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1389
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
1390
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
1391
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
1392
|
+
# [13]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
|
1393
|
+
# [14]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
1394
|
+
# [15]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
|
1395
|
+
# [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
1396
|
+
# [17]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
|
1397
|
+
# [18]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
1343
1398
|
#
|
1344
1399
|
# @option params [required, String] :role_arn
|
1345
1400
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
@@ -1363,16 +1418,17 @@ module Aws::STS
|
|
1363
1418
|
# by the identity provider. Your application must get this token by
|
1364
1419
|
# authenticating the user who is using your application with a web
|
1365
1420
|
# identity provider before the application makes an
|
1366
|
-
# `AssumeRoleWithWebIdentity` call.
|
1421
|
+
# `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
|
1422
|
+
# (RS256) are supported.
|
1367
1423
|
#
|
1368
1424
|
# @option params [String] :provider_id
|
1369
|
-
# The fully qualified host component of the domain name of the
|
1370
|
-
# provider.
|
1425
|
+
# The fully qualified host component of the domain name of the OAuth 2.0
|
1426
|
+
# identity provider. Do not specify this value for an OpenID Connect
|
1427
|
+
# identity provider.
|
1371
1428
|
#
|
1372
|
-
#
|
1373
|
-
#
|
1374
|
-
#
|
1375
|
-
# schemes and port numbers.
|
1429
|
+
# Currently `www.amazon.com` and `graph.facebook.com` are the only
|
1430
|
+
# supported identity providers for OAuth 2.0 access tokens. Do not
|
1431
|
+
# include URL schemes and port numbers.
|
1376
1432
|
#
|
1377
1433
|
# Do not specify this value for OpenID Connect ID tokens.
|
1378
1434
|
#
|
@@ -1387,12 +1443,12 @@ module Aws::STS
|
|
1387
1443
|
# about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
|
1388
1444
|
# Service Namespaces][1] in the Amazon Web Services General Reference.
|
1389
1445
|
#
|
1390
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1391
|
-
#
|
1392
|
-
# separate limit. Your request can fail for this limit
|
1393
|
-
# plaintext meets the other requirements. The
|
1394
|
-
# response element indicates by percentage how close
|
1395
|
-
# tags for your request are to the upper size limit.
|
1446
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
1447
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
1448
|
+
# format that has a separate limit. Your request can fail for this limit
|
1449
|
+
# even if your plaintext meets the other requirements. The
|
1450
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
1451
|
+
# the policies and tags for your request are to the upper size limit.
|
1396
1452
|
#
|
1397
1453
|
# </note>
|
1398
1454
|
#
|
@@ -1432,12 +1488,12 @@ module Aws::STS
|
|
1432
1488
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1433
1489
|
# characters.
|
1434
1490
|
#
|
1435
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1436
|
-
#
|
1437
|
-
# separate limit. Your request can fail for this limit
|
1438
|
-
# plaintext meets the other requirements. The
|
1439
|
-
# response element indicates by percentage how close
|
1440
|
-
# tags for your request are to the upper size limit.
|
1491
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
1492
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
1493
|
+
# format that has a separate limit. Your request can fail for this limit
|
1494
|
+
# even if your plaintext meets the other requirements. The
|
1495
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
1496
|
+
# the policies and tags for your request are to the upper size limit.
|
1441
1497
|
#
|
1442
1498
|
# </note>
|
1443
1499
|
#
|
@@ -1698,11 +1754,11 @@ module Aws::STS
|
|
1698
1754
|
# to call the operation.
|
1699
1755
|
#
|
1700
1756
|
# <note markdown="1"> No permissions are required to perform this operation. If an
|
1701
|
-
# administrator
|
1757
|
+
# administrator attaches a policy to your identity that explicitly
|
1702
1758
|
# denies access to the `sts:GetCallerIdentity` action, you can still
|
1703
1759
|
# perform this operation. Permissions are not required because the same
|
1704
|
-
# information is returned when
|
1705
|
-
#
|
1760
|
+
# information is returned when access is denied. To view an example
|
1761
|
+
# response, see [I Am Not Authorized to Perform:
|
1706
1762
|
# iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
|
1707
1763
|
#
|
1708
1764
|
# </note>
|
@@ -1779,60 +1835,63 @@ module Aws::STS
|
|
1779
1835
|
end
|
1780
1836
|
|
1781
1837
|
# Returns a set of temporary security credentials (consisting of an
|
1782
|
-
# access key ID, a secret access key, and a security token) for a
|
1783
|
-
#
|
1784
|
-
#
|
1785
|
-
#
|
1786
|
-
#
|
1787
|
-
#
|
1788
|
-
#
|
1789
|
-
#
|
1790
|
-
#
|
1838
|
+
# access key ID, a secret access key, and a security token) for a user.
|
1839
|
+
# A typical use is in a proxy application that gets temporary security
|
1840
|
+
# credentials on behalf of distributed applications inside a corporate
|
1841
|
+
# network.
|
1842
|
+
#
|
1843
|
+
# You must call the `GetFederationToken` operation using the long-term
|
1844
|
+
# security credentials of an IAM user. As a result, this call is
|
1845
|
+
# appropriate in contexts where those credentials can be safeguarded,
|
1846
|
+
# usually in a server-based application. For a comparison of
|
1847
|
+
# `GetFederationToken` with the other API operations that produce
|
1848
|
+
# temporary credentials, see [Requesting Temporary Security
|
1791
1849
|
# Credentials][1] and [Comparing the Amazon Web Services STS API
|
1792
1850
|
# operations][2] in the *IAM User Guide*.
|
1793
1851
|
#
|
1852
|
+
# Although it is possible to call `GetFederationToken` using the
|
1853
|
+
# security credentials of an Amazon Web Services account root user
|
1854
|
+
# rather than an IAM user that you create for the purpose of a proxy
|
1855
|
+
# application, we do not recommend it. For more information, see
|
1856
|
+
# [Safeguard your root user credentials and don't use them for everyday
|
1857
|
+
# tasks][3] in the *IAM User Guide*.
|
1858
|
+
#
|
1794
1859
|
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
1795
1860
|
# authenticate users using a web identity provider like Login with
|
1796
1861
|
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
1797
|
-
# provider. In this case, we recommend that you use [Amazon Cognito][
|
1862
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][4]
|
1798
1863
|
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
1799
|
-
# Through a Web-based Identity Provider][
|
1864
|
+
# Through a Web-based Identity Provider][5] in the *IAM User Guide*.
|
1800
1865
|
#
|
1801
1866
|
# </note>
|
1802
1867
|
#
|
1803
|
-
# You can also call `GetFederationToken` using the security credentials
|
1804
|
-
# of an Amazon Web Services account root user, but we do not recommend
|
1805
|
-
# it. Instead, we recommend that you create an IAM user for the purpose
|
1806
|
-
# of the proxy application. Then attach a policy to the IAM user that
|
1807
|
-
# limits federated users to only the actions and resources that they
|
1808
|
-
# need to access. For more information, see [IAM Best Practices][5] in
|
1809
|
-
# the *IAM User Guide*.
|
1810
|
-
#
|
1811
1868
|
# **Session duration**
|
1812
1869
|
#
|
1813
1870
|
# The temporary credentials are valid for the specified duration, from
|
1814
1871
|
# 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
|
1815
1872
|
# hours). The default session duration is 43,200 seconds (12 hours).
|
1816
|
-
# Temporary credentials obtained by using the
|
1817
|
-
#
|
1818
|
-
# (1 hour).
|
1873
|
+
# Temporary credentials obtained by using the root user credentials have
|
1874
|
+
# a maximum duration of 3,600 seconds (1 hour).
|
1819
1875
|
#
|
1820
1876
|
# **Permissions**
|
1821
1877
|
#
|
1822
1878
|
# You can use the temporary credentials created by `GetFederationToken`
|
1823
|
-
# in any Amazon Web Services service
|
1879
|
+
# in any Amazon Web Services service with the following exceptions:
|
1824
1880
|
#
|
1825
1881
|
# * You cannot call any IAM operations using the CLI or the Amazon Web
|
1826
|
-
# Services API.
|
1882
|
+
# Services API. This limitation does not apply to console sessions.
|
1827
1883
|
#
|
1828
1884
|
# * You cannot call any STS operations except `GetCallerIdentity`.
|
1829
1885
|
#
|
1886
|
+
# You can use temporary credentials for single sign-on (SSO) to the
|
1887
|
+
# console.
|
1888
|
+
#
|
1830
1889
|
# You must pass an inline or managed [session policy][6] to this
|
1831
1890
|
# operation. You can pass a single JSON policy document to use as an
|
1832
|
-
# inline session policy. You can also specify up to 10 managed
|
1833
|
-
# to use as managed session policies. The
|
1834
|
-
# both inline and managed session policies
|
1835
|
-
# characters.
|
1891
|
+
# inline session policy. You can also specify up to 10 managed policy
|
1892
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
1893
|
+
# plaintext that you use for both inline and managed session policies
|
1894
|
+
# can't exceed 2,048 characters.
|
1836
1895
|
#
|
1837
1896
|
# Though the session policy parameters are optional, if you do not pass
|
1838
1897
|
# a policy, then the resulting federated user session has no
|
@@ -1862,9 +1921,9 @@ module Aws::STS
|
|
1862
1921
|
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
1863
1922
|
# authenticate users using a web identity provider like Login with
|
1864
1923
|
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
1865
|
-
# provider. In this case, we recommend that you use [Amazon Cognito][
|
1924
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][4]
|
1866
1925
|
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
1867
|
-
# Through a Web-based Identity Provider][
|
1926
|
+
# Through a Web-based Identity Provider][5] in the *IAM User Guide*.
|
1868
1927
|
#
|
1869
1928
|
# </note>
|
1870
1929
|
#
|
@@ -1886,9 +1945,9 @@ module Aws::STS
|
|
1886
1945
|
#
|
1887
1946
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1888
1947
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
1889
|
-
# [3]:
|
1890
|
-
# [4]:
|
1891
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1948
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
|
1949
|
+
# [4]: http://aws.amazon.com/cognito/
|
1950
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
1892
1951
|
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1893
1952
|
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
|
1894
1953
|
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
@@ -1911,8 +1970,8 @@ module Aws::STS
|
|
1911
1970
|
#
|
1912
1971
|
# You must pass an inline or managed [session policy][1] to this
|
1913
1972
|
# operation. You can pass a single JSON policy document to use as an
|
1914
|
-
# inline session policy. You can also specify up to 10 managed
|
1915
|
-
# to use as managed session policies.
|
1973
|
+
# inline session policy. You can also specify up to 10 managed policy
|
1974
|
+
# Amazon Resource Names (ARNs) to use as managed session policies.
|
1916
1975
|
#
|
1917
1976
|
# This parameter is optional. However, if you do not pass any session
|
1918
1977
|
# policies, then the resulting federated user session has no
|
@@ -1940,12 +1999,12 @@ module Aws::STS
|
|
1940
1999
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1941
2000
|
# characters.
|
1942
2001
|
#
|
1943
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1944
|
-
#
|
1945
|
-
# separate limit. Your request can fail for this limit
|
1946
|
-
# plaintext meets the other requirements. The
|
1947
|
-
# response element indicates by percentage how close
|
1948
|
-
# tags for your request are to the upper size limit.
|
2002
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
2003
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
2004
|
+
# format that has a separate limit. Your request can fail for this limit
|
2005
|
+
# even if your plaintext meets the other requirements. The
|
2006
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
2007
|
+
# the policies and tags for your request are to the upper size limit.
|
1949
2008
|
#
|
1950
2009
|
# </note>
|
1951
2010
|
#
|
@@ -1960,13 +2019,13 @@ module Aws::STS
|
|
1960
2019
|
#
|
1961
2020
|
# You must pass an inline or managed [session policy][1] to this
|
1962
2021
|
# operation. You can pass a single JSON policy document to use as an
|
1963
|
-
# inline session policy. You can also specify up to 10 managed
|
1964
|
-
# to use as managed session policies. The
|
1965
|
-
# both inline and managed session policies
|
1966
|
-
# characters. You can provide up to 10 managed
|
1967
|
-
# information about ARNs, see [Amazon Resource
|
1968
|
-
# Web Services Service Namespaces][2] in the
|
1969
|
-
# Reference.
|
2022
|
+
# inline session policy. You can also specify up to 10 managed policy
|
2023
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
2024
|
+
# plaintext that you use for both inline and managed session policies
|
2025
|
+
# can't exceed 2,048 characters. You can provide up to 10 managed
|
2026
|
+
# policy ARNs. For more information about ARNs, see [Amazon Resource
|
2027
|
+
# Names (ARNs) and Amazon Web Services Service Namespaces][2] in the
|
2028
|
+
# Amazon Web Services General Reference.
|
1970
2029
|
#
|
1971
2030
|
# This parameter is optional. However, if you do not pass any session
|
1972
2031
|
# policies, then the resulting federated user session has no
|
@@ -1987,12 +2046,12 @@ module Aws::STS
|
|
1987
2046
|
# are granted in addition to the permissions that are granted by the
|
1988
2047
|
# session policies.
|
1989
2048
|
#
|
1990
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1991
|
-
#
|
1992
|
-
# separate limit. Your request can fail for this limit
|
1993
|
-
# plaintext meets the other requirements. The
|
1994
|
-
# response element indicates by percentage how close
|
1995
|
-
# tags for your request are to the upper size limit.
|
2049
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
2050
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
2051
|
+
# format that has a separate limit. Your request can fail for this limit
|
2052
|
+
# even if your plaintext meets the other requirements. The
|
2053
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
2054
|
+
# the policies and tags for your request are to the upper size limit.
|
1996
2055
|
#
|
1997
2056
|
# </note>
|
1998
2057
|
#
|
@@ -2005,10 +2064,10 @@ module Aws::STS
|
|
2005
2064
|
# The duration, in seconds, that the session should last. Acceptable
|
2006
2065
|
# durations for federation sessions range from 900 seconds (15 minutes)
|
2007
2066
|
# to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
|
2008
|
-
# default. Sessions obtained using
|
2009
|
-
#
|
2010
|
-
#
|
2011
|
-
#
|
2067
|
+
# default. Sessions obtained using root user credentials are restricted
|
2068
|
+
# to a maximum of 3,600 seconds (one hour). If the specified duration is
|
2069
|
+
# longer than one hour, the session obtained by using root user
|
2070
|
+
# credentials defaults to one hour.
|
2012
2071
|
#
|
2013
2072
|
# @option params [Array<Types::Tag>] :tags
|
2014
2073
|
# A list of session tags. Each session tag consists of a key name and an
|
@@ -2020,12 +2079,12 @@ module Aws::STS
|
|
2020
2079
|
# can’t exceed 256 characters. For these and additional limits, see [IAM
|
2021
2080
|
# and STS Character Limits][2] in the *IAM User Guide*.
|
2022
2081
|
#
|
2023
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
2024
|
-
#
|
2025
|
-
# separate limit. Your request can fail for this limit
|
2026
|
-
# plaintext meets the other requirements. The
|
2027
|
-
# response element indicates by percentage how close
|
2028
|
-
# tags for your request are to the upper size limit.
|
2082
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
2083
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
2084
|
+
# format that has a separate limit. Your request can fail for this limit
|
2085
|
+
# even if your plaintext meets the other requirements. The
|
2086
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
2087
|
+
# the policies and tags for your request are to the upper size limit.
|
2029
2088
|
#
|
2030
2089
|
# </note>
|
2031
2090
|
#
|
@@ -2128,27 +2187,36 @@ module Aws::STS
|
|
2128
2187
|
# secret access key, and a security token. Typically, you use
|
2129
2188
|
# `GetSessionToken` if you want to use MFA to protect programmatic calls
|
2130
2189
|
# to specific Amazon Web Services API operations like Amazon EC2
|
2131
|
-
# `StopInstances`.
|
2132
|
-
#
|
2133
|
-
# MFA
|
2134
|
-
#
|
2135
|
-
#
|
2136
|
-
#
|
2137
|
-
#
|
2138
|
-
#
|
2190
|
+
# `StopInstances`.
|
2191
|
+
#
|
2192
|
+
# MFA-enabled IAM users must call `GetSessionToken` and submit an MFA
|
2193
|
+
# code that is associated with their MFA device. Using the temporary
|
2194
|
+
# security credentials that the call returns, IAM users can then make
|
2195
|
+
# programmatic calls to API operations that require MFA authentication.
|
2196
|
+
# An incorrect MFA code causes the API to return an access denied error.
|
2197
|
+
# For a comparison of `GetSessionToken` with the other API operations
|
2198
|
+
# that produce temporary credentials, see [Requesting Temporary Security
|
2139
2199
|
# Credentials][1] and [Comparing the Amazon Web Services STS API
|
2140
2200
|
# operations][2] in the *IAM User Guide*.
|
2141
2201
|
#
|
2202
|
+
# <note markdown="1"> No permissions are required for users to perform this operation. The
|
2203
|
+
# purpose of the `sts:GetSessionToken` operation is to authenticate the
|
2204
|
+
# user using MFA. You cannot use policies to control authentication
|
2205
|
+
# operations. For more information, see [Permissions for
|
2206
|
+
# GetSessionToken][3] in the *IAM User Guide*.
|
2207
|
+
#
|
2208
|
+
# </note>
|
2209
|
+
#
|
2142
2210
|
# **Session Duration**
|
2143
2211
|
#
|
2144
2212
|
# The `GetSessionToken` operation must be called by using the long-term
|
2145
|
-
# Amazon Web Services security credentials of
|
2146
|
-
#
|
2147
|
-
#
|
2148
|
-
#
|
2149
|
-
# (
|
2150
|
-
#
|
2151
|
-
#
|
2213
|
+
# Amazon Web Services security credentials of an IAM user. Credentials
|
2214
|
+
# that are created by IAM users are valid for the duration that you
|
2215
|
+
# specify. This duration can range from 900 seconds (15 minutes) up to a
|
2216
|
+
# maximum of 129,600 seconds (36 hours), with a default of 43,200
|
2217
|
+
# seconds (12 hours). Credentials based on account credentials can range
|
2218
|
+
# from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
|
2219
|
+
# default of 1 hour.
|
2152
2220
|
#
|
2153
2221
|
# **Permissions**
|
2154
2222
|
#
|
@@ -2162,32 +2230,32 @@ module Aws::STS
|
|
2162
2230
|
# * You cannot call any STS API *except* `AssumeRole` or
|
2163
2231
|
# `GetCallerIdentity`.
|
2164
2232
|
#
|
2165
|
-
#
|
2166
|
-
#
|
2167
|
-
#
|
2168
|
-
#
|
2169
|
-
# with Amazon Web Services.
|
2233
|
+
# The credentials that `GetSessionToken` returns are based on
|
2234
|
+
# permissions associated with the IAM user whose credentials were used
|
2235
|
+
# to call the operation. The temporary credentials have the same
|
2236
|
+
# permissions as the IAM user.
|
2170
2237
|
#
|
2171
|
-
#
|
2238
|
+
# <note markdown="1"> Although it is possible to call `GetSessionToken` using the security
|
2239
|
+
# credentials of an Amazon Web Services account root user rather than an
|
2240
|
+
# IAM user, we do not recommend it. If `GetSessionToken` is called using
|
2241
|
+
# root user credentials, the temporary credentials have root user
|
2242
|
+
# permissions. For more information, see [Safeguard your root user
|
2243
|
+
# credentials and don't use them for everyday tasks][4] in the *IAM
|
2244
|
+
# User Guide*
|
2172
2245
|
#
|
2173
|
-
#
|
2174
|
-
# permissions associated with the user whose credentials were used to
|
2175
|
-
# call the operation. If `GetSessionToken` is called using Amazon Web
|
2176
|
-
# Services account root user credentials, the temporary credentials have
|
2177
|
-
# root user permissions. Similarly, if `GetSessionToken` is called using
|
2178
|
-
# the credentials of an IAM user, the temporary credentials have the
|
2179
|
-
# same permissions as the IAM user.
|
2246
|
+
# </note>
|
2180
2247
|
#
|
2181
2248
|
# For more information about using `GetSessionToken` to create temporary
|
2182
|
-
# credentials,
|
2183
|
-
# Environments][
|
2249
|
+
# credentials, see [Temporary Credentials for Users in Untrusted
|
2250
|
+
# Environments][5] in the *IAM User Guide*.
|
2184
2251
|
#
|
2185
2252
|
#
|
2186
2253
|
#
|
2187
2254
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
2188
2255
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
2189
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
2190
|
-
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
2256
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
|
2257
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
|
2258
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
|
2191
2259
|
#
|
2192
2260
|
# @option params [Integer] :duration_seconds
|
2193
2261
|
# The duration, in seconds, that the credentials should remain valid.
|
@@ -2284,7 +2352,7 @@ module Aws::STS
|
|
2284
2352
|
params: params,
|
2285
2353
|
config: config)
|
2286
2354
|
context[:gem_name] = 'aws-sdk-core'
|
2287
|
-
context[:gem_version] = '3.
|
2355
|
+
context[:gem_version] = '3.188.0'
|
2288
2356
|
Seahorse::Client::Request.new(handlers, context)
|
2289
2357
|
end
|
2290
2358
|
|