aws-sdk-core 3.131.3 → 3.176.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (84) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +330 -1
  3. data/VERSION +1 -1
  4. data/lib/aws-defaults/default_configuration.rb +4 -4
  5. data/lib/aws-sdk-core/arn.rb +13 -0
  6. data/lib/aws-sdk-core/binary/encode_handler.rb +12 -1
  7. data/lib/aws-sdk-core/credential_provider.rb +3 -0
  8. data/lib/aws-sdk-core/credential_provider_chain.rb +8 -5
  9. data/lib/aws-sdk-core/ecs_credentials.rb +111 -53
  10. data/lib/aws-sdk-core/endpoints/condition.rb +41 -0
  11. data/lib/aws-sdk-core/endpoints/endpoint.rb +17 -0
  12. data/lib/aws-sdk-core/endpoints/endpoint_rule.rb +75 -0
  13. data/lib/aws-sdk-core/endpoints/error_rule.rb +42 -0
  14. data/lib/aws-sdk-core/endpoints/function.rb +80 -0
  15. data/lib/aws-sdk-core/endpoints/matchers.rb +127 -0
  16. data/lib/aws-sdk-core/endpoints/reference.rb +31 -0
  17. data/lib/aws-sdk-core/endpoints/rule.rb +25 -0
  18. data/lib/aws-sdk-core/endpoints/rule_set.rb +52 -0
  19. data/lib/aws-sdk-core/endpoints/rules_provider.rb +37 -0
  20. data/lib/aws-sdk-core/endpoints/templater.rb +58 -0
  21. data/lib/aws-sdk-core/endpoints/tree_rule.rb +45 -0
  22. data/lib/aws-sdk-core/endpoints/url.rb +60 -0
  23. data/lib/aws-sdk-core/endpoints.rb +78 -0
  24. data/lib/aws-sdk-core/errors.rb +13 -0
  25. data/lib/aws-sdk-core/json/error_handler.rb +20 -1
  26. data/lib/aws-sdk-core/log/formatter.rb +6 -0
  27. data/lib/aws-sdk-core/pageable_response.rb +10 -1
  28. data/lib/aws-sdk-core/plugins/bearer_authorization.rb +67 -0
  29. data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +1 -1
  30. data/lib/aws-sdk-core/plugins/credentials_configuration.rb +24 -0
  31. data/lib/aws-sdk-core/plugins/endpoint_discovery.rb +6 -2
  32. data/lib/aws-sdk-core/plugins/recursion_detection.rb +14 -3
  33. data/lib/aws-sdk-core/plugins/regional_endpoint.rb +5 -0
  34. data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +2 -1
  35. data/lib/aws-sdk-core/plugins/sign.rb +201 -0
  36. data/lib/aws-sdk-core/plugins/signature_v2.rb +1 -0
  37. data/lib/aws-sdk-core/plugins/signature_v4.rb +13 -7
  38. data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
  39. data/lib/aws-sdk-core/refreshing_credentials.rb +0 -6
  40. data/lib/aws-sdk-core/refreshing_token.rb +71 -0
  41. data/lib/aws-sdk-core/rest/request/headers.rb +2 -6
  42. data/lib/aws-sdk-core/shared_config.rb +78 -6
  43. data/lib/aws-sdk-core/sso_credentials.rb +80 -45
  44. data/lib/aws-sdk-core/sso_token_provider.rb +135 -0
  45. data/lib/aws-sdk-core/static_token_provider.rb +14 -0
  46. data/lib/aws-sdk-core/structure.rb +6 -4
  47. data/lib/aws-sdk-core/token.rb +31 -0
  48. data/lib/aws-sdk-core/token_provider.rb +15 -0
  49. data/lib/aws-sdk-core/token_provider_chain.rb +51 -0
  50. data/lib/aws-sdk-core/waiters/poller.rb +3 -1
  51. data/lib/aws-sdk-core/xml/parser/engines/oga.rb +2 -0
  52. data/lib/aws-sdk-core.rb +14 -0
  53. data/lib/aws-sdk-sso/client.rb +56 -11
  54. data/lib/aws-sdk-sso/endpoint_parameters.rb +66 -0
  55. data/lib/aws-sdk-sso/endpoint_provider.rb +51 -0
  56. data/lib/aws-sdk-sso/endpoints.rb +72 -0
  57. data/lib/aws-sdk-sso/plugins/endpoints.rb +76 -0
  58. data/lib/aws-sdk-sso/types.rb +8 -43
  59. data/lib/aws-sdk-sso.rb +5 -1
  60. data/lib/aws-sdk-ssooidc/client.rb +611 -0
  61. data/lib/aws-sdk-ssooidc/client_api.rb +216 -0
  62. data/lib/aws-sdk-ssooidc/customizations.rb +1 -0
  63. data/lib/aws-sdk-ssooidc/endpoint_parameters.rb +66 -0
  64. data/lib/aws-sdk-ssooidc/endpoint_provider.rb +51 -0
  65. data/lib/aws-sdk-ssooidc/endpoints.rb +58 -0
  66. data/lib/aws-sdk-ssooidc/errors.rb +290 -0
  67. data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +74 -0
  68. data/lib/aws-sdk-ssooidc/resource.rb +26 -0
  69. data/lib/aws-sdk-ssooidc/types.rb +502 -0
  70. data/lib/aws-sdk-ssooidc.rb +59 -0
  71. data/lib/aws-sdk-sts/client.rb +263 -243
  72. data/lib/aws-sdk-sts/endpoint_parameters.rb +78 -0
  73. data/lib/aws-sdk-sts/endpoint_provider.rb +112 -0
  74. data/lib/aws-sdk-sts/endpoints.rb +136 -0
  75. data/lib/aws-sdk-sts/plugins/endpoints.rb +84 -0
  76. data/lib/aws-sdk-sts/presigner.rb +13 -15
  77. data/lib/aws-sdk-sts/types.rb +87 -195
  78. data/lib/aws-sdk-sts.rb +5 -1
  79. data/lib/seahorse/client/async_base.rb +0 -1
  80. data/lib/seahorse/client/configuration.rb +2 -2
  81. data/lib/seahorse/client/h2/connection.rb +12 -11
  82. data/lib/seahorse/client/plugins/request_callback.rb +9 -9
  83. data/lib/seahorse/util.rb +4 -0
  84. metadata +47 -6
@@ -30,7 +30,7 @@ require 'aws-sdk-core/plugins/http_checksum.rb'
30
30
  require 'aws-sdk-core/plugins/checksum_algorithm.rb'
31
31
  require 'aws-sdk-core/plugins/defaults_mode.rb'
32
32
  require 'aws-sdk-core/plugins/recursion_detection.rb'
33
- require 'aws-sdk-core/plugins/signature_v4.rb'
33
+ require 'aws-sdk-core/plugins/sign.rb'
34
34
  require 'aws-sdk-core/plugins/protocols/query.rb'
35
35
  require 'aws-sdk-sts/plugins/sts_regional_endpoints.rb'
36
36
 
@@ -80,9 +80,10 @@ module Aws::STS
80
80
  add_plugin(Aws::Plugins::ChecksumAlgorithm)
81
81
  add_plugin(Aws::Plugins::DefaultsMode)
82
82
  add_plugin(Aws::Plugins::RecursionDetection)
83
- add_plugin(Aws::Plugins::SignatureV4)
83
+ add_plugin(Aws::Plugins::Sign)
84
84
  add_plugin(Aws::Plugins::Protocols::Query)
85
85
  add_plugin(Aws::STS::Plugins::STSRegionalEndpoints)
86
+ add_plugin(Aws::STS::Plugins::Endpoints)
86
87
 
87
88
  # @overload initialize(options)
88
89
  # @param [Hash] options
@@ -276,6 +277,11 @@ module Aws::STS
276
277
  # in the future.
277
278
  #
278
279
  #
280
+ # @option options [String] :sdk_ua_app_id
281
+ # A unique and opaque application ID that is appended to the
282
+ # User-Agent header as app/<sdk_ua_app_id>. It should have a
283
+ # maximum length of 50.
284
+ #
279
285
  # @option options [String] :secret_access_key
280
286
  #
281
287
  # @option options [String] :session_token
@@ -294,6 +300,19 @@ module Aws::STS
294
300
  # ** Please note ** When response stubbing is enabled, no HTTP
295
301
  # requests are made, and retries are disabled.
296
302
  #
303
+ # @option options [Aws::TokenProvider] :token_provider
304
+ # A Bearer Token Provider. This can be an instance of any one of the
305
+ # following classes:
306
+ #
307
+ # * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
308
+ # tokens.
309
+ #
310
+ # * `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
311
+ # access token generated from `aws login`.
312
+ #
313
+ # When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
314
+ # will be used to search for tokens configured for your profile in shared configuration files.
315
+ #
297
316
  # @option options [Boolean] :use_dualstack_endpoint
298
317
  # When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
299
318
  # will be used if available.
@@ -307,6 +326,9 @@ module Aws::STS
307
326
  # When `true`, request parameters are validated before
308
327
  # sending the request.
309
328
  #
329
+ # @option options [Aws::STS::EndpointProvider] :endpoint_provider
330
+ # The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::STS::EndpointParameters`
331
+ #
310
332
  # @option options [URI::HTTP,String] :http_proxy A proxy to send
311
333
  # requests through. Formatted like 'http://proxy.com:123'.
312
334
  #
@@ -359,14 +381,13 @@ module Aws::STS
359
381
  # @!group API Operations
360
382
 
361
383
  # Returns a set of temporary security credentials that you can use to
362
- # access Amazon Web Services resources that you might not normally have
363
- # access to. These temporary credentials consist of an access key ID, a
364
- # secret access key, and a security token. Typically, you use
365
- # `AssumeRole` within your account or for cross-account access. For a
366
- # comparison of `AssumeRole` with other API operations that produce
367
- # temporary credentials, see [Requesting Temporary Security
368
- # Credentials][1] and [Comparing the Amazon Web Services STS API
369
- # operations][2] in the *IAM User Guide*.
384
+ # access Amazon Web Services resources. These temporary credentials
385
+ # consist of an access key ID, a secret access key, and a security
386
+ # token. Typically, you use `AssumeRole` within your account or for
387
+ # cross-account access. For a comparison of `AssumeRole` with other API
388
+ # operations that produce temporary credentials, see [Requesting
389
+ # Temporary Security Credentials][1] and [Comparing the Amazon Web
390
+ # Services STS API operations][2] in the *IAM User Guide*.
370
391
  #
371
392
  # **Permissions**
372
393
  #
@@ -377,23 +398,24 @@ module Aws::STS
377
398
  #
378
399
  # (Optional) You can pass inline or managed [session policies][3] to
379
400
  # this operation. You can pass a single JSON policy document to use as
380
- # an inline session policy. You can also specify up to 10 managed
381
- # policies to use as managed session policies. The plaintext that you
382
- # use for both inline and managed session policies can't exceed 2,048
383
- # characters. Passing policies to this operation returns new temporary
384
- # credentials. The resulting session's permissions are the intersection
385
- # of the role's identity-based policy and the session policies. You can
386
- # use the role's temporary credentials in subsequent Amazon Web
387
- # Services API calls to access resources in the account that owns the
388
- # role. You cannot use session policies to grant more permissions than
389
- # those allowed by the identity-based policy of the role that is being
390
- # assumed. For more information, see [Session Policies][3] in the *IAM
391
- # User Guide*.
392
- #
393
- # When you create a role, you create two policies: A role trust policy
394
- # that specifies *who* can assume the role and a permissions policy that
395
- # specifies *what* can be done with the role. You specify the trusted
396
- # principal who is allowed to assume the role in the role trust policy.
401
+ # an inline session policy. You can also specify up to 10 managed policy
402
+ # Amazon Resource Names (ARNs) to use as managed session policies. The
403
+ # plaintext that you use for both inline and managed session policies
404
+ # can't exceed 2,048 characters. Passing policies to this operation
405
+ # returns new temporary credentials. The resulting session's
406
+ # permissions are the intersection of the role's identity-based policy
407
+ # and the session policies. You can use the role's temporary
408
+ # credentials in subsequent Amazon Web Services API calls to access
409
+ # resources in the account that owns the role. You cannot use session
410
+ # policies to grant more permissions than those allowed by the
411
+ # identity-based policy of the role that is being assumed. For more
412
+ # information, see [Session Policies][3] in the *IAM User Guide*.
413
+ #
414
+ # When you create a role, you create two policies: a role trust policy
415
+ # that specifies *who* can assume the role, and a permissions policy
416
+ # that specifies *what* can be done with the role. You specify the
417
+ # trusted principal that is allowed to assume the role in the role trust
418
+ # policy.
397
419
  #
398
420
  # To assume a role from a different account, your Amazon Web Services
399
421
  # account must be trusted by the role. The trust relationship is defined
@@ -402,10 +424,9 @@ module Aws::STS
402
424
  # users in the account.
403
425
  #
404
426
  # A user who wants to access a role in a different account must also
405
- # have permissions that are delegated from the user account
406
- # administrator. The administrator must attach a policy that allows the
407
- # user to call `AssumeRole` for the ARN of the role in the other
408
- # account.
427
+ # have permissions that are delegated from the account administrator.
428
+ # The administrator must attach a policy that allows the user to call
429
+ # `AssumeRole` for the ARN of the role in the other account.
409
430
  #
410
431
  # To allow a user to assume a role in the same account, you can do
411
432
  # either of the following:
@@ -502,12 +523,12 @@ module Aws::STS
502
523
  # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
503
524
  # Service Namespaces][1] in the Amazon Web Services General Reference.
504
525
  #
505
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
506
- # policies and session tags into a packed binary format that has a
507
- # separate limit. Your request can fail for this limit even if your
508
- # plaintext meets the other requirements. The `PackedPolicySize`
509
- # response element indicates by percentage how close the policies and
510
- # tags for your request are to the upper size limit.
526
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
527
+ # policy, managed policy ARNs, and session tags into a packed binary
528
+ # format that has a separate limit. Your request can fail for this limit
529
+ # even if your plaintext meets the other requirements. The
530
+ # `PackedPolicySize` response element indicates by percentage how close
531
+ # the policies and tags for your request are to the upper size limit.
511
532
  #
512
533
  # </note>
513
534
  #
@@ -547,12 +568,12 @@ module Aws::STS
547
568
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
548
569
  # characters.
549
570
  #
550
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
551
- # policies and session tags into a packed binary format that has a
552
- # separate limit. Your request can fail for this limit even if your
553
- # plaintext meets the other requirements. The `PackedPolicySize`
554
- # response element indicates by percentage how close the policies and
555
- # tags for your request are to the upper size limit.
571
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
572
+ # policy, managed policy ARNs, and session tags into a packed binary
573
+ # format that has a separate limit. Your request can fail for this limit
574
+ # even if your plaintext meets the other requirements. The
575
+ # `PackedPolicySize` response element indicates by percentage how close
576
+ # the policies and tags for your request are to the upper size limit.
556
577
  #
557
578
  # </note>
558
579
  #
@@ -610,12 +631,12 @@ module Aws::STS
610
631
  # can’t exceed 256 characters. For these and additional limits, see [IAM
611
632
  # and STS Character Limits][2] in the *IAM User Guide*.
612
633
  #
613
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
614
- # policies and session tags into a packed binary format that has a
615
- # separate limit. Your request can fail for this limit even if your
616
- # plaintext meets the other requirements. The `PackedPolicySize`
617
- # response element indicates by percentage how close the policies and
618
- # tags for your request are to the upper size limit.
634
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
635
+ # policy, managed policy ARNs, and session tags into a packed binary
636
+ # format that has a separate limit. Your request can fail for this limit
637
+ # even if your plaintext meets the other requirements. The
638
+ # `PackedPolicySize` response element indicates by percentage how close
639
+ # the policies and tags for your request are to the upper size limit.
619
640
  #
620
641
  # </note>
621
642
  #
@@ -878,18 +899,18 @@ module Aws::STS
878
899
  #
879
900
  # (Optional) You can pass inline or managed [session policies][6] to
880
901
  # this operation. You can pass a single JSON policy document to use as
881
- # an inline session policy. You can also specify up to 10 managed
882
- # policies to use as managed session policies. The plaintext that you
883
- # use for both inline and managed session policies can't exceed 2,048
884
- # characters. Passing policies to this operation returns new temporary
885
- # credentials. The resulting session's permissions are the intersection
886
- # of the role's identity-based policy and the session policies. You can
887
- # use the role's temporary credentials in subsequent Amazon Web
888
- # Services API calls to access resources in the account that owns the
889
- # role. You cannot use session policies to grant more permissions than
890
- # those allowed by the identity-based policy of the role that is being
891
- # assumed. For more information, see [Session Policies][6] in the *IAM
892
- # User Guide*.
902
+ # an inline session policy. You can also specify up to 10 managed policy
903
+ # Amazon Resource Names (ARNs) to use as managed session policies. The
904
+ # plaintext that you use for both inline and managed session policies
905
+ # can't exceed 2,048 characters. Passing policies to this operation
906
+ # returns new temporary credentials. The resulting session's
907
+ # permissions are the intersection of the role's identity-based policy
908
+ # and the session policies. You can use the role's temporary
909
+ # credentials in subsequent Amazon Web Services API calls to access
910
+ # resources in the account that owns the role. You cannot use session
911
+ # policies to grant more permissions than those allowed by the
912
+ # identity-based policy of the role that is being assumed. For more
913
+ # information, see [Session Policies][6] in the *IAM User Guide*.
893
914
  #
894
915
  # Calling `AssumeRoleWithSAML` does not require the use of Amazon Web
895
916
  # Services security credentials. The identity of the caller is validated
@@ -915,12 +936,12 @@ module Aws::STS
915
936
  # characters. For these and additional limits, see [IAM and STS
916
937
  # Character Limits][8] in the *IAM User Guide*.
917
938
  #
918
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
919
- # policies and session tags into a packed binary format that has a
920
- # separate limit. Your request can fail for this limit even if your
921
- # plaintext meets the other requirements. The `PackedPolicySize`
922
- # response element indicates by percentage how close the policies and
923
- # tags for your request are to the upper size limit.
939
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
940
+ # policy, managed policy ARNs, and session tags into a packed binary
941
+ # format that has a separate limit. Your request can fail for this limit
942
+ # even if your plaintext meets the other requirements. The
943
+ # `PackedPolicySize` response element indicates by percentage how close
944
+ # the policies and tags for your request are to the upper size limit.
924
945
  #
925
946
  # </note>
926
947
  #
@@ -1006,12 +1027,12 @@ module Aws::STS
1006
1027
  # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
1007
1028
  # Service Namespaces][1] in the Amazon Web Services General Reference.
1008
1029
  #
1009
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1010
- # policies and session tags into a packed binary format that has a
1011
- # separate limit. Your request can fail for this limit even if your
1012
- # plaintext meets the other requirements. The `PackedPolicySize`
1013
- # response element indicates by percentage how close the policies and
1014
- # tags for your request are to the upper size limit.
1030
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1031
+ # policy, managed policy ARNs, and session tags into a packed binary
1032
+ # format that has a separate limit. Your request can fail for this limit
1033
+ # even if your plaintext meets the other requirements. The
1034
+ # `PackedPolicySize` response element indicates by percentage how close
1035
+ # the policies and tags for your request are to the upper size limit.
1015
1036
  #
1016
1037
  # </note>
1017
1038
  #
@@ -1051,12 +1072,12 @@ module Aws::STS
1051
1072
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1052
1073
  # characters.
1053
1074
  #
1054
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1055
- # policies and session tags into a packed binary format that has a
1056
- # separate limit. Your request can fail for this limit even if your
1057
- # plaintext meets the other requirements. The `PackedPolicySize`
1058
- # response element indicates by percentage how close the policies and
1059
- # tags for your request are to the upper size limit.
1075
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1076
+ # policy, managed policy ARNs, and session tags into a packed binary
1077
+ # format that has a separate limit. Your request can fail for this limit
1078
+ # even if your plaintext meets the other requirements. The
1079
+ # `PackedPolicySize` response element indicates by percentage how close
1080
+ # the policies and tags for your request are to the upper size limit.
1060
1081
  #
1061
1082
  # </note>
1062
1083
  #
@@ -1190,10 +1211,8 @@ module Aws::STS
1190
1211
  # the user with a consistent identity throughout the lifetime of an
1191
1212
  # application.
1192
1213
  #
1193
- # To learn more about Amazon Cognito, see [Amazon Cognito Overview][4]
1194
- # in *Amazon Web Services SDK for Android Developer Guide* and [Amazon
1195
- # Cognito Overview][5] in the *Amazon Web Services SDK for iOS Developer
1196
- # Guide*.
1214
+ # To learn more about Amazon Cognito, see [Amazon Cognito identity
1215
+ # pools][1] in *Amazon Cognito Developer Guide*.
1197
1216
  #
1198
1217
  # </note>
1199
1218
  #
@@ -1207,8 +1226,8 @@ module Aws::STS
1207
1226
  # a token from the web identity provider. For a comparison of
1208
1227
  # `AssumeRoleWithWebIdentity` with the other API operations that produce
1209
1228
  # temporary credentials, see [Requesting Temporary Security
1210
- # Credentials][6] and [Comparing the Amazon Web Services STS API
1211
- # operations][7] in the *IAM User Guide*.
1229
+ # Credentials][4] and [Comparing the Amazon Web Services STS API
1230
+ # operations][5] in the *IAM User Guide*.
1212
1231
  #
1213
1232
  # The temporary security credentials returned by this API consist of an
1214
1233
  # access key ID, a secret access key, and a security token. Applications
@@ -1224,11 +1243,11 @@ module Aws::STS
1224
1243
  # to the maximum session duration setting for the role. This setting can
1225
1244
  # have a value from 1 hour to 12 hours. To learn how to view the maximum
1226
1245
  # value for your role, see [View the Maximum Session Duration Setting
1227
- # for a Role][8] in the *IAM User Guide*. The maximum session duration
1246
+ # for a Role][6] in the *IAM User Guide*. The maximum session duration
1228
1247
  # limit applies when you use the `AssumeRole*` API operations or the
1229
1248
  # `assume-role*` CLI commands. However the limit does not apply when you
1230
1249
  # use those operations to create a console URL. For more information,
1231
- # see [Using IAM Roles][9] in the *IAM User Guide*.
1250
+ # see [Using IAM Roles][7] in the *IAM User Guide*.
1232
1251
  #
1233
1252
  # **Permissions**
1234
1253
  #
@@ -1237,39 +1256,39 @@ module Aws::STS
1237
1256
  # Amazon Web Services service with the following exception: you cannot
1238
1257
  # call the STS `GetFederationToken` or `GetSessionToken` API operations.
1239
1258
  #
1240
- # (Optional) You can pass inline or managed [session policies][10] to
1259
+ # (Optional) You can pass inline or managed [session policies][8] to
1241
1260
  # this operation. You can pass a single JSON policy document to use as
1242
- # an inline session policy. You can also specify up to 10 managed
1243
- # policies to use as managed session policies. The plaintext that you
1244
- # use for both inline and managed session policies can't exceed 2,048
1245
- # characters. Passing policies to this operation returns new temporary
1246
- # credentials. The resulting session's permissions are the intersection
1247
- # of the role's identity-based policy and the session policies. You can
1248
- # use the role's temporary credentials in subsequent Amazon Web
1249
- # Services API calls to access resources in the account that owns the
1250
- # role. You cannot use session policies to grant more permissions than
1251
- # those allowed by the identity-based policy of the role that is being
1252
- # assumed. For more information, see [Session Policies][10] in the *IAM
1253
- # User Guide*.
1261
+ # an inline session policy. You can also specify up to 10 managed policy
1262
+ # Amazon Resource Names (ARNs) to use as managed session policies. The
1263
+ # plaintext that you use for both inline and managed session policies
1264
+ # can't exceed 2,048 characters. Passing policies to this operation
1265
+ # returns new temporary credentials. The resulting session's
1266
+ # permissions are the intersection of the role's identity-based policy
1267
+ # and the session policies. You can use the role's temporary
1268
+ # credentials in subsequent Amazon Web Services API calls to access
1269
+ # resources in the account that owns the role. You cannot use session
1270
+ # policies to grant more permissions than those allowed by the
1271
+ # identity-based policy of the role that is being assumed. For more
1272
+ # information, see [Session Policies][8] in the *IAM User Guide*.
1254
1273
  #
1255
1274
  # **Tags**
1256
1275
  #
1257
1276
  # (Optional) You can configure your IdP to pass attributes into your web
1258
1277
  # identity token as session tags. Each session tag consists of a key
1259
1278
  # name and an associated value. For more information about session tags,
1260
- # see [Passing Session Tags in STS][11] in the *IAM User Guide*.
1279
+ # see [Passing Session Tags in STS][9] in the *IAM User Guide*.
1261
1280
  #
1262
1281
  # You can pass up to 50 session tags. The plaintext session tag keys
1263
1282
  # can’t exceed 128 characters and the values can’t exceed 256
1264
1283
  # characters. For these and additional limits, see [IAM and STS
1265
- # Character Limits][12] in the *IAM User Guide*.
1284
+ # Character Limits][10] in the *IAM User Guide*.
1266
1285
  #
1267
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1268
- # policies and session tags into a packed binary format that has a
1269
- # separate limit. Your request can fail for this limit even if your
1270
- # plaintext meets the other requirements. The `PackedPolicySize`
1271
- # response element indicates by percentage how close the policies and
1272
- # tags for your request are to the upper size limit.
1286
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1287
+ # policy, managed policy ARNs, and session tags into a packed binary
1288
+ # format that has a separate limit. Your request can fail for this limit
1289
+ # even if your plaintext meets the other requirements. The
1290
+ # `PackedPolicySize` response element indicates by percentage how close
1291
+ # the policies and tags for your request are to the upper size limit.
1273
1292
  #
1274
1293
  # </note>
1275
1294
  #
@@ -1280,12 +1299,12 @@ module Aws::STS
1280
1299
  # An administrator must grant you the permissions necessary to pass
1281
1300
  # session tags. The administrator can also create granular permissions
1282
1301
  # to allow you to pass only specific session tags. For more information,
1283
- # see [Tutorial: Using Tags for Attribute-Based Access Control][13] in
1302
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][11] in
1284
1303
  # the *IAM User Guide*.
1285
1304
  #
1286
1305
  # You can set the session tags as transitive. Transitive tags persist
1287
1306
  # during role chaining. For more information, see [Chaining Roles with
1288
- # Session Tags][14] in the *IAM User Guide*.
1307
+ # Session Tags][12] in the *IAM User Guide*.
1289
1308
  #
1290
1309
  # **Identities**
1291
1310
  #
@@ -1297,19 +1316,19 @@ module Aws::STS
1297
1316
  # specified in the role's trust policy.
1298
1317
  #
1299
1318
  # Calling `AssumeRoleWithWebIdentity` can result in an entry in your
1300
- # CloudTrail logs. The entry includes the [Subject][15] of the provided
1319
+ # CloudTrail logs. The entry includes the [Subject][13] of the provided
1301
1320
  # web identity token. We recommend that you avoid using any personally
1302
1321
  # identifiable information (PII) in this field. For example, you could
1303
1322
  # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
1304
- # specification][16].
1323
+ # specification][14].
1305
1324
  #
1306
1325
  # For more information about how to use web identity federation and the
1307
1326
  # `AssumeRoleWithWebIdentity` API, see the following resources:
1308
1327
  #
1309
- # * [Using Web Identity Federation API Operations for Mobile Apps][17]
1310
- # and [Federation Through a Web-based Identity Provider][18].
1328
+ # * [Using Web Identity Federation API Operations for Mobile Apps][15]
1329
+ # and [Federation Through a Web-based Identity Provider][16].
1311
1330
  #
1312
- # * [ Web Identity Federation Playground][19]. Walk through the process
1331
+ # * [ Web Identity Federation Playground][17]. Walk through the process
1313
1332
  # of authenticating through Login with Amazon, Facebook, or Google,
1314
1333
  # getting temporary security credentials, and then using those
1315
1334
  # credentials to make a request to Amazon Web Services.
@@ -1320,7 +1339,7 @@ module Aws::STS
1320
1339
  # toolkits then show how to use the information from these providers
1321
1340
  # to get and use temporary security credentials.
1322
1341
  #
1323
- # * [Web Identity Federation with Mobile Applications][20]. This article
1342
+ # * [Web Identity Federation with Mobile Applications][18]. This article
1324
1343
  # discusses web identity federation and shows an example of how to use
1325
1344
  # web identity federation to get access to content in Amazon S3.
1326
1345
  #
@@ -1329,23 +1348,21 @@ module Aws::STS
1329
1348
  # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
1330
1349
  # [2]: http://aws.amazon.com/sdkforios/
1331
1350
  # [3]: http://aws.amazon.com/sdkforandroid/
1332
- # [4]: https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
1333
- # [5]: https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
1334
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1335
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1336
- # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1337
- # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
1338
- # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1339
- # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
1340
- # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
1341
- # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
1342
- # [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
1343
- # [15]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
1344
- # [16]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
1345
- # [17]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
1346
- # [18]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1347
- # [19]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
1348
- # [20]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
1351
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1352
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1353
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1354
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
1355
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1356
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
1357
+ # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
1358
+ # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
1359
+ # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
1360
+ # [13]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
1361
+ # [14]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
1362
+ # [15]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
1363
+ # [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1364
+ # [17]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
1365
+ # [18]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
1349
1366
  #
1350
1367
  # @option params [required, String] :role_arn
1351
1368
  # The Amazon Resource Name (ARN) of the role that the caller is
@@ -1393,12 +1410,12 @@ module Aws::STS
1393
1410
  # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
1394
1411
  # Service Namespaces][1] in the Amazon Web Services General Reference.
1395
1412
  #
1396
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1397
- # policies and session tags into a packed binary format that has a
1398
- # separate limit. Your request can fail for this limit even if your
1399
- # plaintext meets the other requirements. The `PackedPolicySize`
1400
- # response element indicates by percentage how close the policies and
1401
- # tags for your request are to the upper size limit.
1413
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1414
+ # policy, managed policy ARNs, and session tags into a packed binary
1415
+ # format that has a separate limit. Your request can fail for this limit
1416
+ # even if your plaintext meets the other requirements. The
1417
+ # `PackedPolicySize` response element indicates by percentage how close
1418
+ # the policies and tags for your request are to the upper size limit.
1402
1419
  #
1403
1420
  # </note>
1404
1421
  #
@@ -1438,12 +1455,12 @@ module Aws::STS
1438
1455
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1439
1456
  # characters.
1440
1457
  #
1441
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1442
- # policies and session tags into a packed binary format that has a
1443
- # separate limit. Your request can fail for this limit even if your
1444
- # plaintext meets the other requirements. The `PackedPolicySize`
1445
- # response element indicates by percentage how close the policies and
1446
- # tags for your request are to the upper size limit.
1458
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1459
+ # policy, managed policy ARNs, and session tags into a packed binary
1460
+ # format that has a separate limit. Your request can fail for this limit
1461
+ # even if your plaintext meets the other requirements. The
1462
+ # `PackedPolicySize` response element indicates by percentage how close
1463
+ # the policies and tags for your request are to the upper size limit.
1447
1464
  #
1448
1465
  # </note>
1449
1466
  #
@@ -1704,11 +1721,11 @@ module Aws::STS
1704
1721
  # to call the operation.
1705
1722
  #
1706
1723
  # <note markdown="1"> No permissions are required to perform this operation. If an
1707
- # administrator adds a policy to your IAM user or role that explicitly
1724
+ # administrator attaches a policy to your identity that explicitly
1708
1725
  # denies access to the `sts:GetCallerIdentity` action, you can still
1709
1726
  # perform this operation. Permissions are not required because the same
1710
- # information is returned when an IAM user or role is denied access. To
1711
- # view an example response, see [I Am Not Authorized to Perform:
1727
+ # information is returned when access is denied. To view an example
1728
+ # response, see [I Am Not Authorized to Perform:
1712
1729
  # iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
1713
1730
  #
1714
1731
  # </note>
@@ -1785,60 +1802,63 @@ module Aws::STS
1785
1802
  end
1786
1803
 
1787
1804
  # Returns a set of temporary security credentials (consisting of an
1788
- # access key ID, a secret access key, and a security token) for a
1789
- # federated user. A typical use is in a proxy application that gets
1790
- # temporary security credentials on behalf of distributed applications
1791
- # inside a corporate network. You must call the `GetFederationToken`
1792
- # operation using the long-term security credentials of an IAM user. As
1793
- # a result, this call is appropriate in contexts where those credentials
1794
- # can be safely stored, usually in a server-based application. For a
1795
- # comparison of `GetFederationToken` with the other API operations that
1796
- # produce temporary credentials, see [Requesting Temporary Security
1805
+ # access key ID, a secret access key, and a security token) for a user.
1806
+ # A typical use is in a proxy application that gets temporary security
1807
+ # credentials on behalf of distributed applications inside a corporate
1808
+ # network.
1809
+ #
1810
+ # You must call the `GetFederationToken` operation using the long-term
1811
+ # security credentials of an IAM user. As a result, this call is
1812
+ # appropriate in contexts where those credentials can be safeguarded,
1813
+ # usually in a server-based application. For a comparison of
1814
+ # `GetFederationToken` with the other API operations that produce
1815
+ # temporary credentials, see [Requesting Temporary Security
1797
1816
  # Credentials][1] and [Comparing the Amazon Web Services STS API
1798
1817
  # operations][2] in the *IAM User Guide*.
1799
1818
  #
1819
+ # Although it is possible to call `GetFederationToken` using the
1820
+ # security credentials of an Amazon Web Services account root user
1821
+ # rather than an IAM user that you create for the purpose of a proxy
1822
+ # application, we do not recommend it. For more information, see
1823
+ # [Safeguard your root user credentials and don't use them for everyday
1824
+ # tasks][3] in the *IAM User Guide*.
1825
+ #
1800
1826
  # <note markdown="1"> You can create a mobile-based or browser-based app that can
1801
1827
  # authenticate users using a web identity provider like Login with
1802
1828
  # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
1803
- # provider. In this case, we recommend that you use [Amazon Cognito][3]
1829
+ # provider. In this case, we recommend that you use [Amazon Cognito][4]
1804
1830
  # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
1805
- # Through a Web-based Identity Provider][4] in the *IAM User Guide*.
1831
+ # Through a Web-based Identity Provider][5] in the *IAM User Guide*.
1806
1832
  #
1807
1833
  # </note>
1808
1834
  #
1809
- # You can also call `GetFederationToken` using the security credentials
1810
- # of an Amazon Web Services account root user, but we do not recommend
1811
- # it. Instead, we recommend that you create an IAM user for the purpose
1812
- # of the proxy application. Then attach a policy to the IAM user that
1813
- # limits federated users to only the actions and resources that they
1814
- # need to access. For more information, see [IAM Best Practices][5] in
1815
- # the *IAM User Guide*.
1816
- #
1817
1835
  # **Session duration**
1818
1836
  #
1819
1837
  # The temporary credentials are valid for the specified duration, from
1820
1838
  # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1821
1839
  # hours). The default session duration is 43,200 seconds (12 hours).
1822
- # Temporary credentials obtained by using the Amazon Web Services
1823
- # account root user credentials have a maximum duration of 3,600 seconds
1824
- # (1 hour).
1840
+ # Temporary credentials obtained by using the root user credentials have
1841
+ # a maximum duration of 3,600 seconds (1 hour).
1825
1842
  #
1826
1843
  # **Permissions**
1827
1844
  #
1828
1845
  # You can use the temporary credentials created by `GetFederationToken`
1829
- # in any Amazon Web Services service except the following:
1846
+ # in any Amazon Web Services service with the following exceptions:
1830
1847
  #
1831
1848
  # * You cannot call any IAM operations using the CLI or the Amazon Web
1832
- # Services API.
1849
+ # Services API. This limitation does not apply to console sessions.
1833
1850
  #
1834
1851
  # * You cannot call any STS operations except `GetCallerIdentity`.
1835
1852
  #
1853
+ # You can use temporary credentials for single sign-on (SSO) to the
1854
+ # console.
1855
+ #
1836
1856
  # You must pass an inline or managed [session policy][6] to this
1837
1857
  # operation. You can pass a single JSON policy document to use as an
1838
- # inline session policy. You can also specify up to 10 managed policies
1839
- # to use as managed session policies. The plaintext that you use for
1840
- # both inline and managed session policies can't exceed 2,048
1841
- # characters.
1858
+ # inline session policy. You can also specify up to 10 managed policy
1859
+ # Amazon Resource Names (ARNs) to use as managed session policies. The
1860
+ # plaintext that you use for both inline and managed session policies
1861
+ # can't exceed 2,048 characters.
1842
1862
  #
1843
1863
  # Though the session policy parameters are optional, if you do not pass
1844
1864
  # a policy, then the resulting federated user session has no
@@ -1868,9 +1888,9 @@ module Aws::STS
1868
1888
  # <note markdown="1"> You can create a mobile-based or browser-based app that can
1869
1889
  # authenticate users using a web identity provider like Login with
1870
1890
  # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
1871
- # provider. In this case, we recommend that you use [Amazon Cognito][3]
1891
+ # provider. In this case, we recommend that you use [Amazon Cognito][4]
1872
1892
  # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
1873
- # Through a Web-based Identity Provider][4] in the *IAM User Guide*.
1893
+ # Through a Web-based Identity Provider][5] in the *IAM User Guide*.
1874
1894
  #
1875
1895
  # </note>
1876
1896
  #
@@ -1892,9 +1912,9 @@ module Aws::STS
1892
1912
  #
1893
1913
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1894
1914
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1895
- # [3]: http://aws.amazon.com/cognito/
1896
- # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1897
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
1915
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
1916
+ # [4]: http://aws.amazon.com/cognito/
1917
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1898
1918
  # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1899
1919
  # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
1900
1920
  # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
@@ -1917,8 +1937,8 @@ module Aws::STS
1917
1937
  #
1918
1938
  # You must pass an inline or managed [session policy][1] to this
1919
1939
  # operation. You can pass a single JSON policy document to use as an
1920
- # inline session policy. You can also specify up to 10 managed policies
1921
- # to use as managed session policies.
1940
+ # inline session policy. You can also specify up to 10 managed policy
1941
+ # Amazon Resource Names (ARNs) to use as managed session policies.
1922
1942
  #
1923
1943
  # This parameter is optional. However, if you do not pass any session
1924
1944
  # policies, then the resulting federated user session has no
@@ -1946,12 +1966,12 @@ module Aws::STS
1946
1966
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1947
1967
  # characters.
1948
1968
  #
1949
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1950
- # policies and session tags into a packed binary format that has a
1951
- # separate limit. Your request can fail for this limit even if your
1952
- # plaintext meets the other requirements. The `PackedPolicySize`
1953
- # response element indicates by percentage how close the policies and
1954
- # tags for your request are to the upper size limit.
1969
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1970
+ # policy, managed policy ARNs, and session tags into a packed binary
1971
+ # format that has a separate limit. Your request can fail for this limit
1972
+ # even if your plaintext meets the other requirements. The
1973
+ # `PackedPolicySize` response element indicates by percentage how close
1974
+ # the policies and tags for your request are to the upper size limit.
1955
1975
  #
1956
1976
  # </note>
1957
1977
  #
@@ -1966,13 +1986,13 @@ module Aws::STS
1966
1986
  #
1967
1987
  # You must pass an inline or managed [session policy][1] to this
1968
1988
  # operation. You can pass a single JSON policy document to use as an
1969
- # inline session policy. You can also specify up to 10 managed policies
1970
- # to use as managed session policies. The plaintext that you use for
1971
- # both inline and managed session policies can't exceed 2,048
1972
- # characters. You can provide up to 10 managed policy ARNs. For more
1973
- # information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
1974
- # Web Services Service Namespaces][2] in the Amazon Web Services General
1975
- # Reference.
1989
+ # inline session policy. You can also specify up to 10 managed policy
1990
+ # Amazon Resource Names (ARNs) to use as managed session policies. The
1991
+ # plaintext that you use for both inline and managed session policies
1992
+ # can't exceed 2,048 characters. You can provide up to 10 managed
1993
+ # policy ARNs. For more information about ARNs, see [Amazon Resource
1994
+ # Names (ARNs) and Amazon Web Services Service Namespaces][2] in the
1995
+ # Amazon Web Services General Reference.
1976
1996
  #
1977
1997
  # This parameter is optional. However, if you do not pass any session
1978
1998
  # policies, then the resulting federated user session has no
@@ -1993,12 +2013,12 @@ module Aws::STS
1993
2013
  # are granted in addition to the permissions that are granted by the
1994
2014
  # session policies.
1995
2015
  #
1996
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1997
- # policies and session tags into a packed binary format that has a
1998
- # separate limit. Your request can fail for this limit even if your
1999
- # plaintext meets the other requirements. The `PackedPolicySize`
2000
- # response element indicates by percentage how close the policies and
2001
- # tags for your request are to the upper size limit.
2016
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
2017
+ # policy, managed policy ARNs, and session tags into a packed binary
2018
+ # format that has a separate limit. Your request can fail for this limit
2019
+ # even if your plaintext meets the other requirements. The
2020
+ # `PackedPolicySize` response element indicates by percentage how close
2021
+ # the policies and tags for your request are to the upper size limit.
2002
2022
  #
2003
2023
  # </note>
2004
2024
  #
@@ -2011,10 +2031,10 @@ module Aws::STS
2011
2031
  # The duration, in seconds, that the session should last. Acceptable
2012
2032
  # durations for federation sessions range from 900 seconds (15 minutes)
2013
2033
  # to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
2014
- # default. Sessions obtained using Amazon Web Services account root user
2015
- # credentials are restricted to a maximum of 3,600 seconds (one hour).
2016
- # If the specified duration is longer than one hour, the session
2017
- # obtained by using root user credentials defaults to one hour.
2034
+ # default. Sessions obtained using root user credentials are restricted
2035
+ # to a maximum of 3,600 seconds (one hour). If the specified duration is
2036
+ # longer than one hour, the session obtained by using root user
2037
+ # credentials defaults to one hour.
2018
2038
  #
2019
2039
  # @option params [Array<Types::Tag>] :tags
2020
2040
  # A list of session tags. Each session tag consists of a key name and an
@@ -2026,12 +2046,12 @@ module Aws::STS
2026
2046
  # can’t exceed 256 characters. For these and additional limits, see [IAM
2027
2047
  # and STS Character Limits][2] in the *IAM User Guide*.
2028
2048
  #
2029
- # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
2030
- # policies and session tags into a packed binary format that has a
2031
- # separate limit. Your request can fail for this limit even if your
2032
- # plaintext meets the other requirements. The `PackedPolicySize`
2033
- # response element indicates by percentage how close the policies and
2034
- # tags for your request are to the upper size limit.
2049
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
2050
+ # policy, managed policy ARNs, and session tags into a packed binary
2051
+ # format that has a separate limit. Your request can fail for this limit
2052
+ # even if your plaintext meets the other requirements. The
2053
+ # `PackedPolicySize` response element indicates by percentage how close
2054
+ # the policies and tags for your request are to the upper size limit.
2035
2055
  #
2036
2056
  # </note>
2037
2057
  #
@@ -2134,14 +2154,15 @@ module Aws::STS
2134
2154
  # secret access key, and a security token. Typically, you use
2135
2155
  # `GetSessionToken` if you want to use MFA to protect programmatic calls
2136
2156
  # to specific Amazon Web Services API operations like Amazon EC2
2137
- # `StopInstances`. MFA-enabled IAM users would need to call
2138
- # `GetSessionToken` and submit an MFA code that is associated with their
2139
- # MFA device. Using the temporary security credentials that are returned
2140
- # from the call, IAM users can then make programmatic calls to API
2141
- # operations that require MFA authentication. If you do not supply a
2142
- # correct MFA code, then the API returns an access denied error. For a
2143
- # comparison of `GetSessionToken` with the other API operations that
2144
- # produce temporary credentials, see [Requesting Temporary Security
2157
+ # `StopInstances`.
2158
+ #
2159
+ # MFA-enabled IAM users must call `GetSessionToken` and submit an MFA
2160
+ # code that is associated with their MFA device. Using the temporary
2161
+ # security credentials that the call returns, IAM users can then make
2162
+ # programmatic calls to API operations that require MFA authentication.
2163
+ # An incorrect MFA code causes the API to return an access denied error.
2164
+ # For a comparison of `GetSessionToken` with the other API operations
2165
+ # that produce temporary credentials, see [Requesting Temporary Security
2145
2166
  # Credentials][1] and [Comparing the Amazon Web Services STS API
2146
2167
  # operations][2] in the *IAM User Guide*.
2147
2168
  #
@@ -2156,13 +2177,13 @@ module Aws::STS
2156
2177
  # **Session Duration**
2157
2178
  #
2158
2179
  # The `GetSessionToken` operation must be called by using the long-term
2159
- # Amazon Web Services security credentials of the Amazon Web Services
2160
- # account root user or an IAM user. Credentials that are created by IAM
2161
- # users are valid for the duration that you specify. This duration can
2162
- # range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds
2163
- # (36 hours), with a default of 43,200 seconds (12 hours). Credentials
2164
- # based on account credentials can range from 900 seconds (15 minutes)
2165
- # up to 3,600 seconds (1 hour), with a default of 1 hour.
2180
+ # Amazon Web Services security credentials of an IAM user. Credentials
2181
+ # that are created by IAM users are valid for the duration that you
2182
+ # specify. This duration can range from 900 seconds (15 minutes) up to a
2183
+ # maximum of 129,600 seconds (36 hours), with a default of 43,200
2184
+ # seconds (12 hours). Credentials based on account credentials can range
2185
+ # from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
2186
+ # default of 1 hour.
2166
2187
  #
2167
2188
  # **Permissions**
2168
2189
  #
@@ -2176,24 +2197,23 @@ module Aws::STS
2176
2197
  # * You cannot call any STS API *except* `AssumeRole` or
2177
2198
  # `GetCallerIdentity`.
2178
2199
  #
2179
- # <note markdown="1"> We recommend that you do not call `GetSessionToken` with Amazon Web
2180
- # Services account root user credentials. Instead, follow our [best
2181
- # practices][4] by creating one or more IAM users, giving them the
2182
- # necessary permissions, and using IAM users for everyday interaction
2183
- # with Amazon Web Services.
2200
+ # The credentials that `GetSessionToken` returns are based on
2201
+ # permissions associated with the IAM user whose credentials were used
2202
+ # to call the operation. The temporary credentials have the same
2203
+ # permissions as the IAM user.
2184
2204
  #
2185
- # </note>
2205
+ # <note markdown="1"> Although it is possible to call `GetSessionToken` using the security
2206
+ # credentials of an Amazon Web Services account root user rather than an
2207
+ # IAM user, we do not recommend it. If `GetSessionToken` is called using
2208
+ # root user credentials, the temporary credentials have root user
2209
+ # permissions. For more information, see [Safeguard your root user
2210
+ # credentials and don't use them for everyday tasks][4] in the *IAM
2211
+ # User Guide*
2186
2212
  #
2187
- # The credentials that are returned by `GetSessionToken` are based on
2188
- # permissions associated with the user whose credentials were used to
2189
- # call the operation. If `GetSessionToken` is called using Amazon Web
2190
- # Services account root user credentials, the temporary credentials have
2191
- # root user permissions. Similarly, if `GetSessionToken` is called using
2192
- # the credentials of an IAM user, the temporary credentials have the
2193
- # same permissions as the IAM user.
2213
+ # </note>
2194
2214
  #
2195
2215
  # For more information about using `GetSessionToken` to create temporary
2196
- # credentials, go to [Temporary Credentials for Users in Untrusted
2216
+ # credentials, see [Temporary Credentials for Users in Untrusted
2197
2217
  # Environments][5] in the *IAM User Guide*.
2198
2218
  #
2199
2219
  #
@@ -2201,7 +2221,7 @@ module Aws::STS
2201
2221
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
2202
2222
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
2203
2223
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
2204
- # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
2224
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
2205
2225
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
2206
2226
  #
2207
2227
  # @option params [Integer] :duration_seconds
@@ -2299,7 +2319,7 @@ module Aws::STS
2299
2319
  params: params,
2300
2320
  config: config)
2301
2321
  context[:gem_name] = 'aws-sdk-core'
2302
- context[:gem_version] = '3.131.3'
2322
+ context[:gem_version] = '3.176.1'
2303
2323
  Seahorse::Client::Request.new(handlers, context)
2304
2324
  end
2305
2325