aws-sdk-core 3.131.3 → 3.176.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +330 -1
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +4 -4
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/binary/encode_handler.rb +12 -1
- data/lib/aws-sdk-core/credential_provider.rb +3 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +8 -5
- data/lib/aws-sdk-core/ecs_credentials.rb +111 -53
- data/lib/aws-sdk-core/endpoints/condition.rb +41 -0
- data/lib/aws-sdk-core/endpoints/endpoint.rb +17 -0
- data/lib/aws-sdk-core/endpoints/endpoint_rule.rb +75 -0
- data/lib/aws-sdk-core/endpoints/error_rule.rb +42 -0
- data/lib/aws-sdk-core/endpoints/function.rb +80 -0
- data/lib/aws-sdk-core/endpoints/matchers.rb +127 -0
- data/lib/aws-sdk-core/endpoints/reference.rb +31 -0
- data/lib/aws-sdk-core/endpoints/rule.rb +25 -0
- data/lib/aws-sdk-core/endpoints/rule_set.rb +52 -0
- data/lib/aws-sdk-core/endpoints/rules_provider.rb +37 -0
- data/lib/aws-sdk-core/endpoints/templater.rb +58 -0
- data/lib/aws-sdk-core/endpoints/tree_rule.rb +45 -0
- data/lib/aws-sdk-core/endpoints/url.rb +60 -0
- data/lib/aws-sdk-core/endpoints.rb +78 -0
- data/lib/aws-sdk-core/errors.rb +13 -0
- data/lib/aws-sdk-core/json/error_handler.rb +20 -1
- data/lib/aws-sdk-core/log/formatter.rb +6 -0
- data/lib/aws-sdk-core/pageable_response.rb +10 -1
- data/lib/aws-sdk-core/plugins/bearer_authorization.rb +67 -0
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +1 -1
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +24 -0
- data/lib/aws-sdk-core/plugins/endpoint_discovery.rb +6 -2
- data/lib/aws-sdk-core/plugins/recursion_detection.rb +14 -3
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +5 -0
- data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +2 -1
- data/lib/aws-sdk-core/plugins/sign.rb +201 -0
- data/lib/aws-sdk-core/plugins/signature_v2.rb +1 -0
- data/lib/aws-sdk-core/plugins/signature_v4.rb +13 -7
- data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
- data/lib/aws-sdk-core/refreshing_credentials.rb +0 -6
- data/lib/aws-sdk-core/refreshing_token.rb +71 -0
- data/lib/aws-sdk-core/rest/request/headers.rb +2 -6
- data/lib/aws-sdk-core/shared_config.rb +78 -6
- data/lib/aws-sdk-core/sso_credentials.rb +80 -45
- data/lib/aws-sdk-core/sso_token_provider.rb +135 -0
- data/lib/aws-sdk-core/static_token_provider.rb +14 -0
- data/lib/aws-sdk-core/structure.rb +6 -4
- data/lib/aws-sdk-core/token.rb +31 -0
- data/lib/aws-sdk-core/token_provider.rb +15 -0
- data/lib/aws-sdk-core/token_provider_chain.rb +51 -0
- data/lib/aws-sdk-core/waiters/poller.rb +3 -1
- data/lib/aws-sdk-core/xml/parser/engines/oga.rb +2 -0
- data/lib/aws-sdk-core.rb +14 -0
- data/lib/aws-sdk-sso/client.rb +56 -11
- data/lib/aws-sdk-sso/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-sso/endpoint_provider.rb +51 -0
- data/lib/aws-sdk-sso/endpoints.rb +72 -0
- data/lib/aws-sdk-sso/plugins/endpoints.rb +76 -0
- data/lib/aws-sdk-sso/types.rb +8 -43
- data/lib/aws-sdk-sso.rb +5 -1
- data/lib/aws-sdk-ssooidc/client.rb +611 -0
- data/lib/aws-sdk-ssooidc/client_api.rb +216 -0
- data/lib/aws-sdk-ssooidc/customizations.rb +1 -0
- data/lib/aws-sdk-ssooidc/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +51 -0
- data/lib/aws-sdk-ssooidc/endpoints.rb +58 -0
- data/lib/aws-sdk-ssooidc/errors.rb +290 -0
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +74 -0
- data/lib/aws-sdk-ssooidc/resource.rb +26 -0
- data/lib/aws-sdk-ssooidc/types.rb +502 -0
- data/lib/aws-sdk-ssooidc.rb +59 -0
- data/lib/aws-sdk-sts/client.rb +263 -243
- data/lib/aws-sdk-sts/endpoint_parameters.rb +78 -0
- data/lib/aws-sdk-sts/endpoint_provider.rb +112 -0
- data/lib/aws-sdk-sts/endpoints.rb +136 -0
- data/lib/aws-sdk-sts/plugins/endpoints.rb +84 -0
- data/lib/aws-sdk-sts/presigner.rb +13 -15
- data/lib/aws-sdk-sts/types.rb +87 -195
- data/lib/aws-sdk-sts.rb +5 -1
- data/lib/seahorse/client/async_base.rb +0 -1
- data/lib/seahorse/client/configuration.rb +2 -2
- data/lib/seahorse/client/h2/connection.rb +12 -11
- data/lib/seahorse/client/plugins/request_callback.rb +9 -9
- data/lib/seahorse/util.rb +4 -0
- metadata +47 -6
data/lib/aws-sdk-sts/client.rb
CHANGED
|
@@ -30,7 +30,7 @@ require 'aws-sdk-core/plugins/http_checksum.rb'
|
|
|
30
30
|
require 'aws-sdk-core/plugins/checksum_algorithm.rb'
|
|
31
31
|
require 'aws-sdk-core/plugins/defaults_mode.rb'
|
|
32
32
|
require 'aws-sdk-core/plugins/recursion_detection.rb'
|
|
33
|
-
require 'aws-sdk-core/plugins/
|
|
33
|
+
require 'aws-sdk-core/plugins/sign.rb'
|
|
34
34
|
require 'aws-sdk-core/plugins/protocols/query.rb'
|
|
35
35
|
require 'aws-sdk-sts/plugins/sts_regional_endpoints.rb'
|
|
36
36
|
|
|
@@ -80,9 +80,10 @@ module Aws::STS
|
|
|
80
80
|
add_plugin(Aws::Plugins::ChecksumAlgorithm)
|
|
81
81
|
add_plugin(Aws::Plugins::DefaultsMode)
|
|
82
82
|
add_plugin(Aws::Plugins::RecursionDetection)
|
|
83
|
-
add_plugin(Aws::Plugins::
|
|
83
|
+
add_plugin(Aws::Plugins::Sign)
|
|
84
84
|
add_plugin(Aws::Plugins::Protocols::Query)
|
|
85
85
|
add_plugin(Aws::STS::Plugins::STSRegionalEndpoints)
|
|
86
|
+
add_plugin(Aws::STS::Plugins::Endpoints)
|
|
86
87
|
|
|
87
88
|
# @overload initialize(options)
|
|
88
89
|
# @param [Hash] options
|
|
@@ -276,6 +277,11 @@ module Aws::STS
|
|
|
276
277
|
# in the future.
|
|
277
278
|
#
|
|
278
279
|
#
|
|
280
|
+
# @option options [String] :sdk_ua_app_id
|
|
281
|
+
# A unique and opaque application ID that is appended to the
|
|
282
|
+
# User-Agent header as app/<sdk_ua_app_id>. It should have a
|
|
283
|
+
# maximum length of 50.
|
|
284
|
+
#
|
|
279
285
|
# @option options [String] :secret_access_key
|
|
280
286
|
#
|
|
281
287
|
# @option options [String] :session_token
|
|
@@ -294,6 +300,19 @@ module Aws::STS
|
|
|
294
300
|
# ** Please note ** When response stubbing is enabled, no HTTP
|
|
295
301
|
# requests are made, and retries are disabled.
|
|
296
302
|
#
|
|
303
|
+
# @option options [Aws::TokenProvider] :token_provider
|
|
304
|
+
# A Bearer Token Provider. This can be an instance of any one of the
|
|
305
|
+
# following classes:
|
|
306
|
+
#
|
|
307
|
+
# * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
|
|
308
|
+
# tokens.
|
|
309
|
+
#
|
|
310
|
+
# * `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
|
|
311
|
+
# access token generated from `aws login`.
|
|
312
|
+
#
|
|
313
|
+
# When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
|
|
314
|
+
# will be used to search for tokens configured for your profile in shared configuration files.
|
|
315
|
+
#
|
|
297
316
|
# @option options [Boolean] :use_dualstack_endpoint
|
|
298
317
|
# When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
|
|
299
318
|
# will be used if available.
|
|
@@ -307,6 +326,9 @@ module Aws::STS
|
|
|
307
326
|
# When `true`, request parameters are validated before
|
|
308
327
|
# sending the request.
|
|
309
328
|
#
|
|
329
|
+
# @option options [Aws::STS::EndpointProvider] :endpoint_provider
|
|
330
|
+
# The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::STS::EndpointParameters`
|
|
331
|
+
#
|
|
310
332
|
# @option options [URI::HTTP,String] :http_proxy A proxy to send
|
|
311
333
|
# requests through. Formatted like 'http://proxy.com:123'.
|
|
312
334
|
#
|
|
@@ -359,14 +381,13 @@ module Aws::STS
|
|
|
359
381
|
# @!group API Operations
|
|
360
382
|
|
|
361
383
|
# Returns a set of temporary security credentials that you can use to
|
|
362
|
-
# access Amazon Web Services resources
|
|
363
|
-
#
|
|
364
|
-
#
|
|
365
|
-
#
|
|
366
|
-
#
|
|
367
|
-
#
|
|
368
|
-
#
|
|
369
|
-
# operations][2] in the *IAM User Guide*.
|
|
384
|
+
# access Amazon Web Services resources. These temporary credentials
|
|
385
|
+
# consist of an access key ID, a secret access key, and a security
|
|
386
|
+
# token. Typically, you use `AssumeRole` within your account or for
|
|
387
|
+
# cross-account access. For a comparison of `AssumeRole` with other API
|
|
388
|
+
# operations that produce temporary credentials, see [Requesting
|
|
389
|
+
# Temporary Security Credentials][1] and [Comparing the Amazon Web
|
|
390
|
+
# Services STS API operations][2] in the *IAM User Guide*.
|
|
370
391
|
#
|
|
371
392
|
# **Permissions**
|
|
372
393
|
#
|
|
@@ -377,23 +398,24 @@ module Aws::STS
|
|
|
377
398
|
#
|
|
378
399
|
# (Optional) You can pass inline or managed [session policies][3] to
|
|
379
400
|
# this operation. You can pass a single JSON policy document to use as
|
|
380
|
-
# an inline session policy. You can also specify up to 10 managed
|
|
381
|
-
#
|
|
382
|
-
# use for both inline and managed session policies
|
|
383
|
-
# characters. Passing policies to this operation
|
|
384
|
-
# credentials. The resulting session's
|
|
385
|
-
# of the role's identity-based policy
|
|
386
|
-
# use the role's temporary
|
|
387
|
-
# Services API calls to access
|
|
388
|
-
# role. You cannot use session
|
|
389
|
-
#
|
|
390
|
-
#
|
|
391
|
-
# User Guide*.
|
|
392
|
-
#
|
|
393
|
-
# When you create a role, you create two policies:
|
|
394
|
-
# that specifies *who* can assume the role and a permissions policy
|
|
395
|
-
# specifies *what* can be done with the role. You specify the
|
|
396
|
-
# principal
|
|
401
|
+
# an inline session policy. You can also specify up to 10 managed policy
|
|
402
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
|
403
|
+
# plaintext that you use for both inline and managed session policies
|
|
404
|
+
# can't exceed 2,048 characters. Passing policies to this operation
|
|
405
|
+
# returns new temporary credentials. The resulting session's
|
|
406
|
+
# permissions are the intersection of the role's identity-based policy
|
|
407
|
+
# and the session policies. You can use the role's temporary
|
|
408
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
|
409
|
+
# resources in the account that owns the role. You cannot use session
|
|
410
|
+
# policies to grant more permissions than those allowed by the
|
|
411
|
+
# identity-based policy of the role that is being assumed. For more
|
|
412
|
+
# information, see [Session Policies][3] in the *IAM User Guide*.
|
|
413
|
+
#
|
|
414
|
+
# When you create a role, you create two policies: a role trust policy
|
|
415
|
+
# that specifies *who* can assume the role, and a permissions policy
|
|
416
|
+
# that specifies *what* can be done with the role. You specify the
|
|
417
|
+
# trusted principal that is allowed to assume the role in the role trust
|
|
418
|
+
# policy.
|
|
397
419
|
#
|
|
398
420
|
# To assume a role from a different account, your Amazon Web Services
|
|
399
421
|
# account must be trusted by the role. The trust relationship is defined
|
|
@@ -402,10 +424,9 @@ module Aws::STS
|
|
|
402
424
|
# users in the account.
|
|
403
425
|
#
|
|
404
426
|
# A user who wants to access a role in a different account must also
|
|
405
|
-
# have permissions that are delegated from the
|
|
406
|
-
#
|
|
407
|
-
#
|
|
408
|
-
# account.
|
|
427
|
+
# have permissions that are delegated from the account administrator.
|
|
428
|
+
# The administrator must attach a policy that allows the user to call
|
|
429
|
+
# `AssumeRole` for the ARN of the role in the other account.
|
|
409
430
|
#
|
|
410
431
|
# To allow a user to assume a role in the same account, you can do
|
|
411
432
|
# either of the following:
|
|
@@ -502,12 +523,12 @@ module Aws::STS
|
|
|
502
523
|
# about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
|
|
503
524
|
# Service Namespaces][1] in the Amazon Web Services General Reference.
|
|
504
525
|
#
|
|
505
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
506
|
-
#
|
|
507
|
-
# separate limit. Your request can fail for this limit
|
|
508
|
-
# plaintext meets the other requirements. The
|
|
509
|
-
# response element indicates by percentage how close
|
|
510
|
-
# tags for your request are to the upper size limit.
|
|
526
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
527
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
528
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
529
|
+
# even if your plaintext meets the other requirements. The
|
|
530
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
531
|
+
# the policies and tags for your request are to the upper size limit.
|
|
511
532
|
#
|
|
512
533
|
# </note>
|
|
513
534
|
#
|
|
@@ -547,12 +568,12 @@ module Aws::STS
|
|
|
547
568
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
|
548
569
|
# characters.
|
|
549
570
|
#
|
|
550
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
551
|
-
#
|
|
552
|
-
# separate limit. Your request can fail for this limit
|
|
553
|
-
# plaintext meets the other requirements. The
|
|
554
|
-
# response element indicates by percentage how close
|
|
555
|
-
# tags for your request are to the upper size limit.
|
|
571
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
572
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
573
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
574
|
+
# even if your plaintext meets the other requirements. The
|
|
575
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
576
|
+
# the policies and tags for your request are to the upper size limit.
|
|
556
577
|
#
|
|
557
578
|
# </note>
|
|
558
579
|
#
|
|
@@ -610,12 +631,12 @@ module Aws::STS
|
|
|
610
631
|
# can’t exceed 256 characters. For these and additional limits, see [IAM
|
|
611
632
|
# and STS Character Limits][2] in the *IAM User Guide*.
|
|
612
633
|
#
|
|
613
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
614
|
-
#
|
|
615
|
-
# separate limit. Your request can fail for this limit
|
|
616
|
-
# plaintext meets the other requirements. The
|
|
617
|
-
# response element indicates by percentage how close
|
|
618
|
-
# tags for your request are to the upper size limit.
|
|
634
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
635
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
636
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
637
|
+
# even if your plaintext meets the other requirements. The
|
|
638
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
639
|
+
# the policies and tags for your request are to the upper size limit.
|
|
619
640
|
#
|
|
620
641
|
# </note>
|
|
621
642
|
#
|
|
@@ -878,18 +899,18 @@ module Aws::STS
|
|
|
878
899
|
#
|
|
879
900
|
# (Optional) You can pass inline or managed [session policies][6] to
|
|
880
901
|
# this operation. You can pass a single JSON policy document to use as
|
|
881
|
-
# an inline session policy. You can also specify up to 10 managed
|
|
882
|
-
#
|
|
883
|
-
# use for both inline and managed session policies
|
|
884
|
-
# characters. Passing policies to this operation
|
|
885
|
-
# credentials. The resulting session's
|
|
886
|
-
# of the role's identity-based policy
|
|
887
|
-
# use the role's temporary
|
|
888
|
-
# Services API calls to access
|
|
889
|
-
# role. You cannot use session
|
|
890
|
-
#
|
|
891
|
-
#
|
|
892
|
-
# User Guide*.
|
|
902
|
+
# an inline session policy. You can also specify up to 10 managed policy
|
|
903
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
|
904
|
+
# plaintext that you use for both inline and managed session policies
|
|
905
|
+
# can't exceed 2,048 characters. Passing policies to this operation
|
|
906
|
+
# returns new temporary credentials. The resulting session's
|
|
907
|
+
# permissions are the intersection of the role's identity-based policy
|
|
908
|
+
# and the session policies. You can use the role's temporary
|
|
909
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
|
910
|
+
# resources in the account that owns the role. You cannot use session
|
|
911
|
+
# policies to grant more permissions than those allowed by the
|
|
912
|
+
# identity-based policy of the role that is being assumed. For more
|
|
913
|
+
# information, see [Session Policies][6] in the *IAM User Guide*.
|
|
893
914
|
#
|
|
894
915
|
# Calling `AssumeRoleWithSAML` does not require the use of Amazon Web
|
|
895
916
|
# Services security credentials. The identity of the caller is validated
|
|
@@ -915,12 +936,12 @@ module Aws::STS
|
|
|
915
936
|
# characters. For these and additional limits, see [IAM and STS
|
|
916
937
|
# Character Limits][8] in the *IAM User Guide*.
|
|
917
938
|
#
|
|
918
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
919
|
-
#
|
|
920
|
-
# separate limit. Your request can fail for this limit
|
|
921
|
-
# plaintext meets the other requirements. The
|
|
922
|
-
# response element indicates by percentage how close
|
|
923
|
-
# tags for your request are to the upper size limit.
|
|
939
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
940
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
941
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
942
|
+
# even if your plaintext meets the other requirements. The
|
|
943
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
944
|
+
# the policies and tags for your request are to the upper size limit.
|
|
924
945
|
#
|
|
925
946
|
# </note>
|
|
926
947
|
#
|
|
@@ -1006,12 +1027,12 @@ module Aws::STS
|
|
|
1006
1027
|
# about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
|
|
1007
1028
|
# Service Namespaces][1] in the Amazon Web Services General Reference.
|
|
1008
1029
|
#
|
|
1009
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
1010
|
-
#
|
|
1011
|
-
# separate limit. Your request can fail for this limit
|
|
1012
|
-
# plaintext meets the other requirements. The
|
|
1013
|
-
# response element indicates by percentage how close
|
|
1014
|
-
# tags for your request are to the upper size limit.
|
|
1030
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
1031
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
1032
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
1033
|
+
# even if your plaintext meets the other requirements. The
|
|
1034
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
1035
|
+
# the policies and tags for your request are to the upper size limit.
|
|
1015
1036
|
#
|
|
1016
1037
|
# </note>
|
|
1017
1038
|
#
|
|
@@ -1051,12 +1072,12 @@ module Aws::STS
|
|
|
1051
1072
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
|
1052
1073
|
# characters.
|
|
1053
1074
|
#
|
|
1054
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
1055
|
-
#
|
|
1056
|
-
# separate limit. Your request can fail for this limit
|
|
1057
|
-
# plaintext meets the other requirements. The
|
|
1058
|
-
# response element indicates by percentage how close
|
|
1059
|
-
# tags for your request are to the upper size limit.
|
|
1075
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
1076
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
1077
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
1078
|
+
# even if your plaintext meets the other requirements. The
|
|
1079
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
1080
|
+
# the policies and tags for your request are to the upper size limit.
|
|
1060
1081
|
#
|
|
1061
1082
|
# </note>
|
|
1062
1083
|
#
|
|
@@ -1190,10 +1211,8 @@ module Aws::STS
|
|
|
1190
1211
|
# the user with a consistent identity throughout the lifetime of an
|
|
1191
1212
|
# application.
|
|
1192
1213
|
#
|
|
1193
|
-
# To learn more about Amazon Cognito, see [Amazon Cognito
|
|
1194
|
-
# in *Amazon
|
|
1195
|
-
# Cognito Overview][5] in the *Amazon Web Services SDK for iOS Developer
|
|
1196
|
-
# Guide*.
|
|
1214
|
+
# To learn more about Amazon Cognito, see [Amazon Cognito identity
|
|
1215
|
+
# pools][1] in *Amazon Cognito Developer Guide*.
|
|
1197
1216
|
#
|
|
1198
1217
|
# </note>
|
|
1199
1218
|
#
|
|
@@ -1207,8 +1226,8 @@ module Aws::STS
|
|
|
1207
1226
|
# a token from the web identity provider. For a comparison of
|
|
1208
1227
|
# `AssumeRoleWithWebIdentity` with the other API operations that produce
|
|
1209
1228
|
# temporary credentials, see [Requesting Temporary Security
|
|
1210
|
-
# Credentials][
|
|
1211
|
-
# operations][
|
|
1229
|
+
# Credentials][4] and [Comparing the Amazon Web Services STS API
|
|
1230
|
+
# operations][5] in the *IAM User Guide*.
|
|
1212
1231
|
#
|
|
1213
1232
|
# The temporary security credentials returned by this API consist of an
|
|
1214
1233
|
# access key ID, a secret access key, and a security token. Applications
|
|
@@ -1224,11 +1243,11 @@ module Aws::STS
|
|
|
1224
1243
|
# to the maximum session duration setting for the role. This setting can
|
|
1225
1244
|
# have a value from 1 hour to 12 hours. To learn how to view the maximum
|
|
1226
1245
|
# value for your role, see [View the Maximum Session Duration Setting
|
|
1227
|
-
# for a Role][
|
|
1246
|
+
# for a Role][6] in the *IAM User Guide*. The maximum session duration
|
|
1228
1247
|
# limit applies when you use the `AssumeRole*` API operations or the
|
|
1229
1248
|
# `assume-role*` CLI commands. However the limit does not apply when you
|
|
1230
1249
|
# use those operations to create a console URL. For more information,
|
|
1231
|
-
# see [Using IAM Roles][
|
|
1250
|
+
# see [Using IAM Roles][7] in the *IAM User Guide*.
|
|
1232
1251
|
#
|
|
1233
1252
|
# **Permissions**
|
|
1234
1253
|
#
|
|
@@ -1237,39 +1256,39 @@ module Aws::STS
|
|
|
1237
1256
|
# Amazon Web Services service with the following exception: you cannot
|
|
1238
1257
|
# call the STS `GetFederationToken` or `GetSessionToken` API operations.
|
|
1239
1258
|
#
|
|
1240
|
-
# (Optional) You can pass inline or managed [session policies][
|
|
1259
|
+
# (Optional) You can pass inline or managed [session policies][8] to
|
|
1241
1260
|
# this operation. You can pass a single JSON policy document to use as
|
|
1242
|
-
# an inline session policy. You can also specify up to 10 managed
|
|
1243
|
-
#
|
|
1244
|
-
# use for both inline and managed session policies
|
|
1245
|
-
# characters. Passing policies to this operation
|
|
1246
|
-
# credentials. The resulting session's
|
|
1247
|
-
# of the role's identity-based policy
|
|
1248
|
-
# use the role's temporary
|
|
1249
|
-
# Services API calls to access
|
|
1250
|
-
# role. You cannot use session
|
|
1251
|
-
#
|
|
1252
|
-
#
|
|
1253
|
-
# User Guide*.
|
|
1261
|
+
# an inline session policy. You can also specify up to 10 managed policy
|
|
1262
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
|
1263
|
+
# plaintext that you use for both inline and managed session policies
|
|
1264
|
+
# can't exceed 2,048 characters. Passing policies to this operation
|
|
1265
|
+
# returns new temporary credentials. The resulting session's
|
|
1266
|
+
# permissions are the intersection of the role's identity-based policy
|
|
1267
|
+
# and the session policies. You can use the role's temporary
|
|
1268
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
|
1269
|
+
# resources in the account that owns the role. You cannot use session
|
|
1270
|
+
# policies to grant more permissions than those allowed by the
|
|
1271
|
+
# identity-based policy of the role that is being assumed. For more
|
|
1272
|
+
# information, see [Session Policies][8] in the *IAM User Guide*.
|
|
1254
1273
|
#
|
|
1255
1274
|
# **Tags**
|
|
1256
1275
|
#
|
|
1257
1276
|
# (Optional) You can configure your IdP to pass attributes into your web
|
|
1258
1277
|
# identity token as session tags. Each session tag consists of a key
|
|
1259
1278
|
# name and an associated value. For more information about session tags,
|
|
1260
|
-
# see [Passing Session Tags in STS][
|
|
1279
|
+
# see [Passing Session Tags in STS][9] in the *IAM User Guide*.
|
|
1261
1280
|
#
|
|
1262
1281
|
# You can pass up to 50 session tags. The plaintext session tag keys
|
|
1263
1282
|
# can’t exceed 128 characters and the values can’t exceed 256
|
|
1264
1283
|
# characters. For these and additional limits, see [IAM and STS
|
|
1265
|
-
# Character Limits][
|
|
1284
|
+
# Character Limits][10] in the *IAM User Guide*.
|
|
1266
1285
|
#
|
|
1267
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
1268
|
-
#
|
|
1269
|
-
# separate limit. Your request can fail for this limit
|
|
1270
|
-
# plaintext meets the other requirements. The
|
|
1271
|
-
# response element indicates by percentage how close
|
|
1272
|
-
# tags for your request are to the upper size limit.
|
|
1286
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
1287
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
1288
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
1289
|
+
# even if your plaintext meets the other requirements. The
|
|
1290
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
1291
|
+
# the policies and tags for your request are to the upper size limit.
|
|
1273
1292
|
#
|
|
1274
1293
|
# </note>
|
|
1275
1294
|
#
|
|
@@ -1280,12 +1299,12 @@ module Aws::STS
|
|
|
1280
1299
|
# An administrator must grant you the permissions necessary to pass
|
|
1281
1300
|
# session tags. The administrator can also create granular permissions
|
|
1282
1301
|
# to allow you to pass only specific session tags. For more information,
|
|
1283
|
-
# see [Tutorial: Using Tags for Attribute-Based Access Control][
|
|
1302
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][11] in
|
|
1284
1303
|
# the *IAM User Guide*.
|
|
1285
1304
|
#
|
|
1286
1305
|
# You can set the session tags as transitive. Transitive tags persist
|
|
1287
1306
|
# during role chaining. For more information, see [Chaining Roles with
|
|
1288
|
-
# Session Tags][
|
|
1307
|
+
# Session Tags][12] in the *IAM User Guide*.
|
|
1289
1308
|
#
|
|
1290
1309
|
# **Identities**
|
|
1291
1310
|
#
|
|
@@ -1297,19 +1316,19 @@ module Aws::STS
|
|
|
1297
1316
|
# specified in the role's trust policy.
|
|
1298
1317
|
#
|
|
1299
1318
|
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your
|
|
1300
|
-
# CloudTrail logs. The entry includes the [Subject][
|
|
1319
|
+
# CloudTrail logs. The entry includes the [Subject][13] of the provided
|
|
1301
1320
|
# web identity token. We recommend that you avoid using any personally
|
|
1302
1321
|
# identifiable information (PII) in this field. For example, you could
|
|
1303
1322
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
|
1304
|
-
# specification][
|
|
1323
|
+
# specification][14].
|
|
1305
1324
|
#
|
|
1306
1325
|
# For more information about how to use web identity federation and the
|
|
1307
1326
|
# `AssumeRoleWithWebIdentity` API, see the following resources:
|
|
1308
1327
|
#
|
|
1309
|
-
# * [Using Web Identity Federation API Operations for Mobile Apps][
|
|
1310
|
-
# and [Federation Through a Web-based Identity Provider][
|
|
1328
|
+
# * [Using Web Identity Federation API Operations for Mobile Apps][15]
|
|
1329
|
+
# and [Federation Through a Web-based Identity Provider][16].
|
|
1311
1330
|
#
|
|
1312
|
-
# * [ Web Identity Federation Playground][
|
|
1331
|
+
# * [ Web Identity Federation Playground][17]. Walk through the process
|
|
1313
1332
|
# of authenticating through Login with Amazon, Facebook, or Google,
|
|
1314
1333
|
# getting temporary security credentials, and then using those
|
|
1315
1334
|
# credentials to make a request to Amazon Web Services.
|
|
@@ -1320,7 +1339,7 @@ module Aws::STS
|
|
|
1320
1339
|
# toolkits then show how to use the information from these providers
|
|
1321
1340
|
# to get and use temporary security credentials.
|
|
1322
1341
|
#
|
|
1323
|
-
# * [Web Identity Federation with Mobile Applications][
|
|
1342
|
+
# * [Web Identity Federation with Mobile Applications][18]. This article
|
|
1324
1343
|
# discusses web identity federation and shows an example of how to use
|
|
1325
1344
|
# web identity federation to get access to content in Amazon S3.
|
|
1326
1345
|
#
|
|
@@ -1329,23 +1348,21 @@ module Aws::STS
|
|
|
1329
1348
|
# [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
|
|
1330
1349
|
# [2]: http://aws.amazon.com/sdkforios/
|
|
1331
1350
|
# [3]: http://aws.amazon.com/sdkforandroid/
|
|
1332
|
-
# [4]: https://docs.aws.amazon.com/
|
|
1333
|
-
# [5]: https://docs.aws.amazon.com/
|
|
1334
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1335
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1336
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1337
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1338
|
-
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1339
|
-
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1340
|
-
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1341
|
-
# [13]:
|
|
1342
|
-
# [14]:
|
|
1343
|
-
# [15]:
|
|
1344
|
-
# [16]:
|
|
1345
|
-
# [17]: https://
|
|
1346
|
-
# [18]:
|
|
1347
|
-
# [19]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
|
|
1348
|
-
# [20]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
|
1351
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
1352
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
1353
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
|
1354
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
|
1355
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
1356
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
|
1357
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
|
1358
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
|
1359
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
|
1360
|
+
# [13]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
|
|
1361
|
+
# [14]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
|
1362
|
+
# [15]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
|
|
1363
|
+
# [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
|
1364
|
+
# [17]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
|
|
1365
|
+
# [18]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
|
1349
1366
|
#
|
|
1350
1367
|
# @option params [required, String] :role_arn
|
|
1351
1368
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
|
@@ -1393,12 +1410,12 @@ module Aws::STS
|
|
|
1393
1410
|
# about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
|
|
1394
1411
|
# Service Namespaces][1] in the Amazon Web Services General Reference.
|
|
1395
1412
|
#
|
|
1396
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
1397
|
-
#
|
|
1398
|
-
# separate limit. Your request can fail for this limit
|
|
1399
|
-
# plaintext meets the other requirements. The
|
|
1400
|
-
# response element indicates by percentage how close
|
|
1401
|
-
# tags for your request are to the upper size limit.
|
|
1413
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
1414
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
1415
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
1416
|
+
# even if your plaintext meets the other requirements. The
|
|
1417
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
1418
|
+
# the policies and tags for your request are to the upper size limit.
|
|
1402
1419
|
#
|
|
1403
1420
|
# </note>
|
|
1404
1421
|
#
|
|
@@ -1438,12 +1455,12 @@ module Aws::STS
|
|
|
1438
1455
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
|
1439
1456
|
# characters.
|
|
1440
1457
|
#
|
|
1441
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
1442
|
-
#
|
|
1443
|
-
# separate limit. Your request can fail for this limit
|
|
1444
|
-
# plaintext meets the other requirements. The
|
|
1445
|
-
# response element indicates by percentage how close
|
|
1446
|
-
# tags for your request are to the upper size limit.
|
|
1458
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
1459
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
1460
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
1461
|
+
# even if your plaintext meets the other requirements. The
|
|
1462
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
1463
|
+
# the policies and tags for your request are to the upper size limit.
|
|
1447
1464
|
#
|
|
1448
1465
|
# </note>
|
|
1449
1466
|
#
|
|
@@ -1704,11 +1721,11 @@ module Aws::STS
|
|
|
1704
1721
|
# to call the operation.
|
|
1705
1722
|
#
|
|
1706
1723
|
# <note markdown="1"> No permissions are required to perform this operation. If an
|
|
1707
|
-
# administrator
|
|
1724
|
+
# administrator attaches a policy to your identity that explicitly
|
|
1708
1725
|
# denies access to the `sts:GetCallerIdentity` action, you can still
|
|
1709
1726
|
# perform this operation. Permissions are not required because the same
|
|
1710
|
-
# information is returned when
|
|
1711
|
-
#
|
|
1727
|
+
# information is returned when access is denied. To view an example
|
|
1728
|
+
# response, see [I Am Not Authorized to Perform:
|
|
1712
1729
|
# iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
|
|
1713
1730
|
#
|
|
1714
1731
|
# </note>
|
|
@@ -1785,60 +1802,63 @@ module Aws::STS
|
|
|
1785
1802
|
end
|
|
1786
1803
|
|
|
1787
1804
|
# Returns a set of temporary security credentials (consisting of an
|
|
1788
|
-
# access key ID, a secret access key, and a security token) for a
|
|
1789
|
-
#
|
|
1790
|
-
#
|
|
1791
|
-
#
|
|
1792
|
-
#
|
|
1793
|
-
#
|
|
1794
|
-
#
|
|
1795
|
-
#
|
|
1796
|
-
#
|
|
1805
|
+
# access key ID, a secret access key, and a security token) for a user.
|
|
1806
|
+
# A typical use is in a proxy application that gets temporary security
|
|
1807
|
+
# credentials on behalf of distributed applications inside a corporate
|
|
1808
|
+
# network.
|
|
1809
|
+
#
|
|
1810
|
+
# You must call the `GetFederationToken` operation using the long-term
|
|
1811
|
+
# security credentials of an IAM user. As a result, this call is
|
|
1812
|
+
# appropriate in contexts where those credentials can be safeguarded,
|
|
1813
|
+
# usually in a server-based application. For a comparison of
|
|
1814
|
+
# `GetFederationToken` with the other API operations that produce
|
|
1815
|
+
# temporary credentials, see [Requesting Temporary Security
|
|
1797
1816
|
# Credentials][1] and [Comparing the Amazon Web Services STS API
|
|
1798
1817
|
# operations][2] in the *IAM User Guide*.
|
|
1799
1818
|
#
|
|
1819
|
+
# Although it is possible to call `GetFederationToken` using the
|
|
1820
|
+
# security credentials of an Amazon Web Services account root user
|
|
1821
|
+
# rather than an IAM user that you create for the purpose of a proxy
|
|
1822
|
+
# application, we do not recommend it. For more information, see
|
|
1823
|
+
# [Safeguard your root user credentials and don't use them for everyday
|
|
1824
|
+
# tasks][3] in the *IAM User Guide*.
|
|
1825
|
+
#
|
|
1800
1826
|
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
|
1801
1827
|
# authenticate users using a web identity provider like Login with
|
|
1802
1828
|
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
|
1803
|
-
# provider. In this case, we recommend that you use [Amazon Cognito][
|
|
1829
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][4]
|
|
1804
1830
|
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
|
1805
|
-
# Through a Web-based Identity Provider][
|
|
1831
|
+
# Through a Web-based Identity Provider][5] in the *IAM User Guide*.
|
|
1806
1832
|
#
|
|
1807
1833
|
# </note>
|
|
1808
1834
|
#
|
|
1809
|
-
# You can also call `GetFederationToken` using the security credentials
|
|
1810
|
-
# of an Amazon Web Services account root user, but we do not recommend
|
|
1811
|
-
# it. Instead, we recommend that you create an IAM user for the purpose
|
|
1812
|
-
# of the proxy application. Then attach a policy to the IAM user that
|
|
1813
|
-
# limits federated users to only the actions and resources that they
|
|
1814
|
-
# need to access. For more information, see [IAM Best Practices][5] in
|
|
1815
|
-
# the *IAM User Guide*.
|
|
1816
|
-
#
|
|
1817
1835
|
# **Session duration**
|
|
1818
1836
|
#
|
|
1819
1837
|
# The temporary credentials are valid for the specified duration, from
|
|
1820
1838
|
# 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
|
|
1821
1839
|
# hours). The default session duration is 43,200 seconds (12 hours).
|
|
1822
|
-
# Temporary credentials obtained by using the
|
|
1823
|
-
#
|
|
1824
|
-
# (1 hour).
|
|
1840
|
+
# Temporary credentials obtained by using the root user credentials have
|
|
1841
|
+
# a maximum duration of 3,600 seconds (1 hour).
|
|
1825
1842
|
#
|
|
1826
1843
|
# **Permissions**
|
|
1827
1844
|
#
|
|
1828
1845
|
# You can use the temporary credentials created by `GetFederationToken`
|
|
1829
|
-
# in any Amazon Web Services service
|
|
1846
|
+
# in any Amazon Web Services service with the following exceptions:
|
|
1830
1847
|
#
|
|
1831
1848
|
# * You cannot call any IAM operations using the CLI or the Amazon Web
|
|
1832
|
-
# Services API.
|
|
1849
|
+
# Services API. This limitation does not apply to console sessions.
|
|
1833
1850
|
#
|
|
1834
1851
|
# * You cannot call any STS operations except `GetCallerIdentity`.
|
|
1835
1852
|
#
|
|
1853
|
+
# You can use temporary credentials for single sign-on (SSO) to the
|
|
1854
|
+
# console.
|
|
1855
|
+
#
|
|
1836
1856
|
# You must pass an inline or managed [session policy][6] to this
|
|
1837
1857
|
# operation. You can pass a single JSON policy document to use as an
|
|
1838
|
-
# inline session policy. You can also specify up to 10 managed
|
|
1839
|
-
# to use as managed session policies. The
|
|
1840
|
-
# both inline and managed session policies
|
|
1841
|
-
# characters.
|
|
1858
|
+
# inline session policy. You can also specify up to 10 managed policy
|
|
1859
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
|
1860
|
+
# plaintext that you use for both inline and managed session policies
|
|
1861
|
+
# can't exceed 2,048 characters.
|
|
1842
1862
|
#
|
|
1843
1863
|
# Though the session policy parameters are optional, if you do not pass
|
|
1844
1864
|
# a policy, then the resulting federated user session has no
|
|
@@ -1868,9 +1888,9 @@ module Aws::STS
|
|
|
1868
1888
|
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
|
1869
1889
|
# authenticate users using a web identity provider like Login with
|
|
1870
1890
|
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
|
1871
|
-
# provider. In this case, we recommend that you use [Amazon Cognito][
|
|
1891
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][4]
|
|
1872
1892
|
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
|
1873
|
-
# Through a Web-based Identity Provider][
|
|
1893
|
+
# Through a Web-based Identity Provider][5] in the *IAM User Guide*.
|
|
1874
1894
|
#
|
|
1875
1895
|
# </note>
|
|
1876
1896
|
#
|
|
@@ -1892,9 +1912,9 @@ module Aws::STS
|
|
|
1892
1912
|
#
|
|
1893
1913
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
1894
1914
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
1895
|
-
# [3]:
|
|
1896
|
-
# [4]:
|
|
1897
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1915
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
|
|
1916
|
+
# [4]: http://aws.amazon.com/cognito/
|
|
1917
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
|
1898
1918
|
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
1899
1919
|
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
|
|
1900
1920
|
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
|
@@ -1917,8 +1937,8 @@ module Aws::STS
|
|
|
1917
1937
|
#
|
|
1918
1938
|
# You must pass an inline or managed [session policy][1] to this
|
|
1919
1939
|
# operation. You can pass a single JSON policy document to use as an
|
|
1920
|
-
# inline session policy. You can also specify up to 10 managed
|
|
1921
|
-
# to use as managed session policies.
|
|
1940
|
+
# inline session policy. You can also specify up to 10 managed policy
|
|
1941
|
+
# Amazon Resource Names (ARNs) to use as managed session policies.
|
|
1922
1942
|
#
|
|
1923
1943
|
# This parameter is optional. However, if you do not pass any session
|
|
1924
1944
|
# policies, then the resulting federated user session has no
|
|
@@ -1946,12 +1966,12 @@ module Aws::STS
|
|
|
1946
1966
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
|
1947
1967
|
# characters.
|
|
1948
1968
|
#
|
|
1949
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
1950
|
-
#
|
|
1951
|
-
# separate limit. Your request can fail for this limit
|
|
1952
|
-
# plaintext meets the other requirements. The
|
|
1953
|
-
# response element indicates by percentage how close
|
|
1954
|
-
# tags for your request are to the upper size limit.
|
|
1969
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
1970
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
1971
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
1972
|
+
# even if your plaintext meets the other requirements. The
|
|
1973
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
1974
|
+
# the policies and tags for your request are to the upper size limit.
|
|
1955
1975
|
#
|
|
1956
1976
|
# </note>
|
|
1957
1977
|
#
|
|
@@ -1966,13 +1986,13 @@ module Aws::STS
|
|
|
1966
1986
|
#
|
|
1967
1987
|
# You must pass an inline or managed [session policy][1] to this
|
|
1968
1988
|
# operation. You can pass a single JSON policy document to use as an
|
|
1969
|
-
# inline session policy. You can also specify up to 10 managed
|
|
1970
|
-
# to use as managed session policies. The
|
|
1971
|
-
# both inline and managed session policies
|
|
1972
|
-
# characters. You can provide up to 10 managed
|
|
1973
|
-
# information about ARNs, see [Amazon Resource
|
|
1974
|
-
# Web Services Service Namespaces][2] in the
|
|
1975
|
-
# Reference.
|
|
1989
|
+
# inline session policy. You can also specify up to 10 managed policy
|
|
1990
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
|
1991
|
+
# plaintext that you use for both inline and managed session policies
|
|
1992
|
+
# can't exceed 2,048 characters. You can provide up to 10 managed
|
|
1993
|
+
# policy ARNs. For more information about ARNs, see [Amazon Resource
|
|
1994
|
+
# Names (ARNs) and Amazon Web Services Service Namespaces][2] in the
|
|
1995
|
+
# Amazon Web Services General Reference.
|
|
1976
1996
|
#
|
|
1977
1997
|
# This parameter is optional. However, if you do not pass any session
|
|
1978
1998
|
# policies, then the resulting federated user session has no
|
|
@@ -1993,12 +2013,12 @@ module Aws::STS
|
|
|
1993
2013
|
# are granted in addition to the permissions that are granted by the
|
|
1994
2014
|
# session policies.
|
|
1995
2015
|
#
|
|
1996
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
1997
|
-
#
|
|
1998
|
-
# separate limit. Your request can fail for this limit
|
|
1999
|
-
# plaintext meets the other requirements. The
|
|
2000
|
-
# response element indicates by percentage how close
|
|
2001
|
-
# tags for your request are to the upper size limit.
|
|
2016
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
2017
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
2018
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
2019
|
+
# even if your plaintext meets the other requirements. The
|
|
2020
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
2021
|
+
# the policies and tags for your request are to the upper size limit.
|
|
2002
2022
|
#
|
|
2003
2023
|
# </note>
|
|
2004
2024
|
#
|
|
@@ -2011,10 +2031,10 @@ module Aws::STS
|
|
|
2011
2031
|
# The duration, in seconds, that the session should last. Acceptable
|
|
2012
2032
|
# durations for federation sessions range from 900 seconds (15 minutes)
|
|
2013
2033
|
# to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
|
|
2014
|
-
# default. Sessions obtained using
|
|
2015
|
-
#
|
|
2016
|
-
#
|
|
2017
|
-
#
|
|
2034
|
+
# default. Sessions obtained using root user credentials are restricted
|
|
2035
|
+
# to a maximum of 3,600 seconds (one hour). If the specified duration is
|
|
2036
|
+
# longer than one hour, the session obtained by using root user
|
|
2037
|
+
# credentials defaults to one hour.
|
|
2018
2038
|
#
|
|
2019
2039
|
# @option params [Array<Types::Tag>] :tags
|
|
2020
2040
|
# A list of session tags. Each session tag consists of a key name and an
|
|
@@ -2026,12 +2046,12 @@ module Aws::STS
|
|
|
2026
2046
|
# can’t exceed 256 characters. For these and additional limits, see [IAM
|
|
2027
2047
|
# and STS Character Limits][2] in the *IAM User Guide*.
|
|
2028
2048
|
#
|
|
2029
|
-
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
|
2030
|
-
#
|
|
2031
|
-
# separate limit. Your request can fail for this limit
|
|
2032
|
-
# plaintext meets the other requirements. The
|
|
2033
|
-
# response element indicates by percentage how close
|
|
2034
|
-
# tags for your request are to the upper size limit.
|
|
2049
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
2050
|
+
# policy, managed policy ARNs, and session tags into a packed binary
|
|
2051
|
+
# format that has a separate limit. Your request can fail for this limit
|
|
2052
|
+
# even if your plaintext meets the other requirements. The
|
|
2053
|
+
# `PackedPolicySize` response element indicates by percentage how close
|
|
2054
|
+
# the policies and tags for your request are to the upper size limit.
|
|
2035
2055
|
#
|
|
2036
2056
|
# </note>
|
|
2037
2057
|
#
|
|
@@ -2134,14 +2154,15 @@ module Aws::STS
|
|
|
2134
2154
|
# secret access key, and a security token. Typically, you use
|
|
2135
2155
|
# `GetSessionToken` if you want to use MFA to protect programmatic calls
|
|
2136
2156
|
# to specific Amazon Web Services API operations like Amazon EC2
|
|
2137
|
-
# `StopInstances`.
|
|
2138
|
-
#
|
|
2139
|
-
# MFA
|
|
2140
|
-
#
|
|
2141
|
-
#
|
|
2142
|
-
#
|
|
2143
|
-
#
|
|
2144
|
-
#
|
|
2157
|
+
# `StopInstances`.
|
|
2158
|
+
#
|
|
2159
|
+
# MFA-enabled IAM users must call `GetSessionToken` and submit an MFA
|
|
2160
|
+
# code that is associated with their MFA device. Using the temporary
|
|
2161
|
+
# security credentials that the call returns, IAM users can then make
|
|
2162
|
+
# programmatic calls to API operations that require MFA authentication.
|
|
2163
|
+
# An incorrect MFA code causes the API to return an access denied error.
|
|
2164
|
+
# For a comparison of `GetSessionToken` with the other API operations
|
|
2165
|
+
# that produce temporary credentials, see [Requesting Temporary Security
|
|
2145
2166
|
# Credentials][1] and [Comparing the Amazon Web Services STS API
|
|
2146
2167
|
# operations][2] in the *IAM User Guide*.
|
|
2147
2168
|
#
|
|
@@ -2156,13 +2177,13 @@ module Aws::STS
|
|
|
2156
2177
|
# **Session Duration**
|
|
2157
2178
|
#
|
|
2158
2179
|
# The `GetSessionToken` operation must be called by using the long-term
|
|
2159
|
-
# Amazon Web Services security credentials of
|
|
2160
|
-
#
|
|
2161
|
-
#
|
|
2162
|
-
#
|
|
2163
|
-
# (
|
|
2164
|
-
#
|
|
2165
|
-
#
|
|
2180
|
+
# Amazon Web Services security credentials of an IAM user. Credentials
|
|
2181
|
+
# that are created by IAM users are valid for the duration that you
|
|
2182
|
+
# specify. This duration can range from 900 seconds (15 minutes) up to a
|
|
2183
|
+
# maximum of 129,600 seconds (36 hours), with a default of 43,200
|
|
2184
|
+
# seconds (12 hours). Credentials based on account credentials can range
|
|
2185
|
+
# from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
|
|
2186
|
+
# default of 1 hour.
|
|
2166
2187
|
#
|
|
2167
2188
|
# **Permissions**
|
|
2168
2189
|
#
|
|
@@ -2176,24 +2197,23 @@ module Aws::STS
|
|
|
2176
2197
|
# * You cannot call any STS API *except* `AssumeRole` or
|
|
2177
2198
|
# `GetCallerIdentity`.
|
|
2178
2199
|
#
|
|
2179
|
-
#
|
|
2180
|
-
#
|
|
2181
|
-
#
|
|
2182
|
-
#
|
|
2183
|
-
# with Amazon Web Services.
|
|
2200
|
+
# The credentials that `GetSessionToken` returns are based on
|
|
2201
|
+
# permissions associated with the IAM user whose credentials were used
|
|
2202
|
+
# to call the operation. The temporary credentials have the same
|
|
2203
|
+
# permissions as the IAM user.
|
|
2184
2204
|
#
|
|
2185
|
-
#
|
|
2205
|
+
# <note markdown="1"> Although it is possible to call `GetSessionToken` using the security
|
|
2206
|
+
# credentials of an Amazon Web Services account root user rather than an
|
|
2207
|
+
# IAM user, we do not recommend it. If `GetSessionToken` is called using
|
|
2208
|
+
# root user credentials, the temporary credentials have root user
|
|
2209
|
+
# permissions. For more information, see [Safeguard your root user
|
|
2210
|
+
# credentials and don't use them for everyday tasks][4] in the *IAM
|
|
2211
|
+
# User Guide*
|
|
2186
2212
|
#
|
|
2187
|
-
#
|
|
2188
|
-
# permissions associated with the user whose credentials were used to
|
|
2189
|
-
# call the operation. If `GetSessionToken` is called using Amazon Web
|
|
2190
|
-
# Services account root user credentials, the temporary credentials have
|
|
2191
|
-
# root user permissions. Similarly, if `GetSessionToken` is called using
|
|
2192
|
-
# the credentials of an IAM user, the temporary credentials have the
|
|
2193
|
-
# same permissions as the IAM user.
|
|
2213
|
+
# </note>
|
|
2194
2214
|
#
|
|
2195
2215
|
# For more information about using `GetSessionToken` to create temporary
|
|
2196
|
-
# credentials,
|
|
2216
|
+
# credentials, see [Temporary Credentials for Users in Untrusted
|
|
2197
2217
|
# Environments][5] in the *IAM User Guide*.
|
|
2198
2218
|
#
|
|
2199
2219
|
#
|
|
@@ -2201,7 +2221,7 @@ module Aws::STS
|
|
|
2201
2221
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
2202
2222
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
2203
2223
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
|
|
2204
|
-
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#
|
|
2224
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
|
|
2205
2225
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
|
|
2206
2226
|
#
|
|
2207
2227
|
# @option params [Integer] :duration_seconds
|
|
@@ -2299,7 +2319,7 @@ module Aws::STS
|
|
|
2299
2319
|
params: params,
|
|
2300
2320
|
config: config)
|
|
2301
2321
|
context[:gem_name] = 'aws-sdk-core'
|
|
2302
|
-
context[:gem_version] = '3.
|
|
2322
|
+
context[:gem_version] = '3.176.1'
|
|
2303
2323
|
Seahorse::Client::Request.new(handlers, context)
|
|
2304
2324
|
end
|
|
2305
2325
|
|