aws-sdk-core 3.168.4 → 3.190.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +231 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +4 -4
- data/lib/aws-sdk-core/client_stubs.rb +15 -12
- data/lib/aws-sdk-core/credential_provider.rb +3 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +2 -1
- data/lib/aws-sdk-core/ecs_credentials.rb +177 -53
- data/lib/aws-sdk-core/endpoints/condition.rb +5 -0
- data/lib/aws-sdk-core/endpoints/endpoint_rule.rb +5 -1
- data/lib/aws-sdk-core/endpoints/error_rule.rb +5 -0
- data/lib/aws-sdk-core/endpoints/function.rb +5 -0
- data/lib/aws-sdk-core/endpoints/matchers.rb +13 -9
- data/lib/aws-sdk-core/endpoints/reference.rb +5 -0
- data/lib/aws-sdk-core/endpoints/rule.rb +5 -0
- data/lib/aws-sdk-core/endpoints/rule_set.rb +5 -0
- data/lib/aws-sdk-core/endpoints/rules_provider.rb +5 -0
- data/lib/aws-sdk-core/endpoints/templater.rb +6 -0
- data/lib/aws-sdk-core/endpoints/tree_rule.rb +5 -0
- data/lib/aws-sdk-core/endpoints/url.rb +1 -0
- data/lib/aws-sdk-core/endpoints.rb +6 -2
- data/lib/aws-sdk-core/errors.rb +1 -1
- data/lib/aws-sdk-core/ini_parser.rb +7 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +52 -30
- data/lib/aws-sdk-core/json/error_handler.rb +15 -5
- data/lib/aws-sdk-core/json/handler.rb +8 -1
- data/lib/aws-sdk-core/json/parser.rb +27 -2
- data/lib/aws-sdk-core/log/formatter.rb +6 -0
- data/lib/aws-sdk-core/pageable_response.rb +3 -1
- data/lib/aws-sdk-core/param_validator.rb +2 -2
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +5 -3
- data/lib/aws-sdk-core/plugins/http_checksum.rb +2 -1
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +109 -33
- data/lib/aws-sdk-core/plugins/request_compression.rb +217 -0
- data/lib/aws-sdk-core/plugins/sign.rb +16 -10
- data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
- data/lib/aws-sdk-core/refreshing_credentials.rb +12 -12
- data/lib/aws-sdk-core/rest/request/querystring_builder.rb +43 -29
- data/lib/aws-sdk-core/shared_config.rb +48 -18
- data/lib/aws-sdk-core/sso_credentials.rb +1 -1
- data/lib/aws-sdk-core/stubbing/stub_data.rb +11 -0
- data/lib/aws-sdk-core/waiters/poller.rb +4 -2
- data/lib/aws-sdk-core/xml/parser/engines/oga.rb +2 -0
- data/lib/aws-sdk-sso/client.rb +21 -1
- data/lib/aws-sdk-sso/endpoint_provider.rb +41 -96
- data/lib/aws-sdk-sso/endpoints.rb +1 -0
- data/lib/aws-sdk-sso/plugins/endpoints.rb +3 -2
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-ssooidc/client.rb +358 -29
- data/lib/aws-sdk-ssooidc/client_api.rb +56 -1
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +41 -95
- data/lib/aws-sdk-ssooidc/endpoints.rb +15 -0
- data/lib/aws-sdk-ssooidc/errors.rb +31 -0
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +5 -2
- data/lib/aws-sdk-ssooidc/types.rb +302 -49
- data/lib/aws-sdk-ssooidc.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +158 -122
- data/lib/aws-sdk-sts/client_api.rb +12 -1
- data/lib/aws-sdk-sts/endpoint_provider.rb +96 -213
- data/lib/aws-sdk-sts/endpoints.rb +1 -0
- data/lib/aws-sdk-sts/plugins/endpoints.rb +3 -2
- data/lib/aws-sdk-sts/presigner.rb +1 -1
- data/lib/aws-sdk-sts/types.rb +49 -11
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/seahorse/client/configuration.rb +0 -4
- data/lib/seahorse/client/h2/connection.rb +10 -6
- data/lib/seahorse/client/net_http/patches.rb +1 -4
- data/lib/seahorse/client/plugins/h2.rb +3 -3
- data/lib/seahorse/client/plugins/request_callback.rb +31 -0
- data/lib/seahorse/client/response.rb +6 -0
- data/lib/seahorse/model/operation.rb +3 -0
- metadata +13 -12
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -28,6 +28,7 @@ require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
|
28
28
|
require 'aws-sdk-core/plugins/transfer_encoding.rb'
|
29
29
|
require 'aws-sdk-core/plugins/http_checksum.rb'
|
30
30
|
require 'aws-sdk-core/plugins/checksum_algorithm.rb'
|
31
|
+
require 'aws-sdk-core/plugins/request_compression.rb'
|
31
32
|
require 'aws-sdk-core/plugins/defaults_mode.rb'
|
32
33
|
require 'aws-sdk-core/plugins/recursion_detection.rb'
|
33
34
|
require 'aws-sdk-core/plugins/sign.rb'
|
@@ -78,6 +79,7 @@ module Aws::STS
|
|
78
79
|
add_plugin(Aws::Plugins::TransferEncoding)
|
79
80
|
add_plugin(Aws::Plugins::HttpChecksum)
|
80
81
|
add_plugin(Aws::Plugins::ChecksumAlgorithm)
|
82
|
+
add_plugin(Aws::Plugins::RequestCompression)
|
81
83
|
add_plugin(Aws::Plugins::DefaultsMode)
|
82
84
|
add_plugin(Aws::Plugins::RecursionDetection)
|
83
85
|
add_plugin(Aws::Plugins::Sign)
|
@@ -192,6 +194,10 @@ module Aws::STS
|
|
192
194
|
# Set to true to disable SDK automatically adding host prefix
|
193
195
|
# to default service endpoint when available.
|
194
196
|
#
|
197
|
+
# @option options [Boolean] :disable_request_compression (false)
|
198
|
+
# When set to 'true' the request body will not be compressed
|
199
|
+
# for supported operations.
|
200
|
+
#
|
195
201
|
# @option options [String] :endpoint
|
196
202
|
# The client endpoint is normally constructed from the `:region`
|
197
203
|
# option. You should only configure an `:endpoint` when connecting
|
@@ -212,6 +218,10 @@ module Aws::STS
|
|
212
218
|
# @option options [Boolean] :endpoint_discovery (false)
|
213
219
|
# When set to `true`, endpoint discovery will be enabled for operations when available.
|
214
220
|
#
|
221
|
+
# @option options [Boolean] :ignore_configured_endpoint_urls
|
222
|
+
# Setting to true disables use of endpoint URLs provided via environment
|
223
|
+
# variables and the shared configuration file.
|
224
|
+
#
|
215
225
|
# @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
|
216
226
|
# The log formatter.
|
217
227
|
#
|
@@ -232,6 +242,11 @@ module Aws::STS
|
|
232
242
|
# Used when loading credentials from the shared credentials file
|
233
243
|
# at HOME/.aws/credentials. When not specified, 'default' is used.
|
234
244
|
#
|
245
|
+
# @option options [Integer] :request_min_compression_size_bytes (10240)
|
246
|
+
# The minimum size in bytes that triggers compression for request
|
247
|
+
# bodies. The value must be non-negative integer value between 0
|
248
|
+
# and 10485780 bytes inclusive.
|
249
|
+
#
|
235
250
|
# @option options [Proc] :retry_backoff
|
236
251
|
# A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
|
237
252
|
# This option is only used in the `legacy` retry mode.
|
@@ -277,6 +292,11 @@ module Aws::STS
|
|
277
292
|
# in the future.
|
278
293
|
#
|
279
294
|
#
|
295
|
+
# @option options [String] :sdk_ua_app_id
|
296
|
+
# A unique and opaque application ID that is appended to the
|
297
|
+
# User-Agent header as app/<sdk_ua_app_id>. It should have a
|
298
|
+
# maximum length of 50.
|
299
|
+
#
|
280
300
|
# @option options [String] :secret_access_key
|
281
301
|
#
|
282
302
|
# @option options [String] :session_token
|
@@ -376,14 +396,13 @@ module Aws::STS
|
|
376
396
|
# @!group API Operations
|
377
397
|
|
378
398
|
# Returns a set of temporary security credentials that you can use to
|
379
|
-
# access Amazon Web Services resources
|
380
|
-
#
|
381
|
-
#
|
382
|
-
#
|
383
|
-
#
|
384
|
-
#
|
385
|
-
#
|
386
|
-
# operations][2] in the *IAM User Guide*.
|
399
|
+
# access Amazon Web Services resources. These temporary credentials
|
400
|
+
# consist of an access key ID, a secret access key, and a security
|
401
|
+
# token. Typically, you use `AssumeRole` within your account or for
|
402
|
+
# cross-account access. For a comparison of `AssumeRole` with other API
|
403
|
+
# operations that produce temporary credentials, see [Requesting
|
404
|
+
# Temporary Security Credentials][1] and [Comparing the Amazon Web
|
405
|
+
# Services STS API operations][2] in the *IAM User Guide*.
|
387
406
|
#
|
388
407
|
# **Permissions**
|
389
408
|
#
|
@@ -407,10 +426,11 @@ module Aws::STS
|
|
407
426
|
# identity-based policy of the role that is being assumed. For more
|
408
427
|
# information, see [Session Policies][3] in the *IAM User Guide*.
|
409
428
|
#
|
410
|
-
# When you create a role, you create two policies:
|
411
|
-
# that specifies *who* can assume the role and a permissions policy
|
412
|
-
# specifies *what* can be done with the role. You specify the
|
413
|
-
# principal
|
429
|
+
# When you create a role, you create two policies: a role trust policy
|
430
|
+
# that specifies *who* can assume the role, and a permissions policy
|
431
|
+
# that specifies *what* can be done with the role. You specify the
|
432
|
+
# trusted principal that is allowed to assume the role in the role trust
|
433
|
+
# policy.
|
414
434
|
#
|
415
435
|
# To assume a role from a different account, your Amazon Web Services
|
416
436
|
# account must be trusted by the role. The trust relationship is defined
|
@@ -419,10 +439,9 @@ module Aws::STS
|
|
419
439
|
# users in the account.
|
420
440
|
#
|
421
441
|
# A user who wants to access a role in a different account must also
|
422
|
-
# have permissions that are delegated from the
|
423
|
-
#
|
424
|
-
#
|
425
|
-
# account.
|
442
|
+
# have permissions that are delegated from the account administrator.
|
443
|
+
# The administrator must attach a policy that allows the user to call
|
444
|
+
# `AssumeRole` for the ARN of the role in the other account.
|
426
445
|
#
|
427
446
|
# To allow a user to assume a role in the same account, you can do
|
428
447
|
# either of the following:
|
@@ -747,6 +766,17 @@ module Aws::STS
|
|
747
766
|
#
|
748
767
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
749
768
|
#
|
769
|
+
# @option params [Array<Types::ProvidedContext>] :provided_contexts
|
770
|
+
# A list of previously acquired trusted context assertions in the format
|
771
|
+
# of a JSON array. The trusted context assertion is signed and encrypted
|
772
|
+
# by Amazon Web Services STS.
|
773
|
+
#
|
774
|
+
# The following is an example of a `ProvidedContext` value that includes
|
775
|
+
# a single trusted context assertion and the ARN of the context provider
|
776
|
+
# from which the trusted context assertion was generated.
|
777
|
+
#
|
778
|
+
# `[\{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"\}]`
|
779
|
+
#
|
750
780
|
# @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
751
781
|
#
|
752
782
|
# * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
|
@@ -807,7 +837,7 @@ module Aws::STS
|
|
807
837
|
# arn: "arnType",
|
808
838
|
# },
|
809
839
|
# ],
|
810
|
-
# policy: "
|
840
|
+
# policy: "unrestrictedSessionPolicyDocumentType",
|
811
841
|
# duration_seconds: 1,
|
812
842
|
# tags: [
|
813
843
|
# {
|
@@ -820,6 +850,12 @@ module Aws::STS
|
|
820
850
|
# serial_number: "serialNumberType",
|
821
851
|
# token_code: "tokenCodeType",
|
822
852
|
# source_identity: "sourceIdentityType",
|
853
|
+
# provided_contexts: [
|
854
|
+
# {
|
855
|
+
# provider_arn: "arnType",
|
856
|
+
# context_assertion: "contextAssertionType",
|
857
|
+
# },
|
858
|
+
# ],
|
823
859
|
# })
|
824
860
|
#
|
825
861
|
# @example Response structure
|
@@ -1207,10 +1243,8 @@ module Aws::STS
|
|
1207
1243
|
# the user with a consistent identity throughout the lifetime of an
|
1208
1244
|
# application.
|
1209
1245
|
#
|
1210
|
-
# To learn more about Amazon Cognito, see [Amazon Cognito
|
1211
|
-
# in *Amazon
|
1212
|
-
# Cognito Overview][5] in the *Amazon Web Services SDK for iOS Developer
|
1213
|
-
# Guide*.
|
1246
|
+
# To learn more about Amazon Cognito, see [Amazon Cognito identity
|
1247
|
+
# pools][1] in *Amazon Cognito Developer Guide*.
|
1214
1248
|
#
|
1215
1249
|
# </note>
|
1216
1250
|
#
|
@@ -1224,8 +1258,8 @@ module Aws::STS
|
|
1224
1258
|
# a token from the web identity provider. For a comparison of
|
1225
1259
|
# `AssumeRoleWithWebIdentity` with the other API operations that produce
|
1226
1260
|
# temporary credentials, see [Requesting Temporary Security
|
1227
|
-
# Credentials][
|
1228
|
-
# operations][
|
1261
|
+
# Credentials][4] and [Comparing the Amazon Web Services STS API
|
1262
|
+
# operations][5] in the *IAM User Guide*.
|
1229
1263
|
#
|
1230
1264
|
# The temporary security credentials returned by this API consist of an
|
1231
1265
|
# access key ID, a secret access key, and a security token. Applications
|
@@ -1241,11 +1275,11 @@ module Aws::STS
|
|
1241
1275
|
# to the maximum session duration setting for the role. This setting can
|
1242
1276
|
# have a value from 1 hour to 12 hours. To learn how to view the maximum
|
1243
1277
|
# value for your role, see [View the Maximum Session Duration Setting
|
1244
|
-
# for a Role][
|
1278
|
+
# for a Role][6] in the *IAM User Guide*. The maximum session duration
|
1245
1279
|
# limit applies when you use the `AssumeRole*` API operations or the
|
1246
1280
|
# `assume-role*` CLI commands. However the limit does not apply when you
|
1247
1281
|
# use those operations to create a console URL. For more information,
|
1248
|
-
# see [Using IAM Roles][
|
1282
|
+
# see [Using IAM Roles][7] in the *IAM User Guide*.
|
1249
1283
|
#
|
1250
1284
|
# **Permissions**
|
1251
1285
|
#
|
@@ -1254,7 +1288,7 @@ module Aws::STS
|
|
1254
1288
|
# Amazon Web Services service with the following exception: you cannot
|
1255
1289
|
# call the STS `GetFederationToken` or `GetSessionToken` API operations.
|
1256
1290
|
#
|
1257
|
-
# (Optional) You can pass inline or managed [session policies][
|
1291
|
+
# (Optional) You can pass inline or managed [session policies][8] to
|
1258
1292
|
# this operation. You can pass a single JSON policy document to use as
|
1259
1293
|
# an inline session policy. You can also specify up to 10 managed policy
|
1260
1294
|
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
@@ -1267,19 +1301,19 @@ module Aws::STS
|
|
1267
1301
|
# resources in the account that owns the role. You cannot use session
|
1268
1302
|
# policies to grant more permissions than those allowed by the
|
1269
1303
|
# identity-based policy of the role that is being assumed. For more
|
1270
|
-
# information, see [Session Policies][
|
1304
|
+
# information, see [Session Policies][8] in the *IAM User Guide*.
|
1271
1305
|
#
|
1272
1306
|
# **Tags**
|
1273
1307
|
#
|
1274
1308
|
# (Optional) You can configure your IdP to pass attributes into your web
|
1275
1309
|
# identity token as session tags. Each session tag consists of a key
|
1276
1310
|
# name and an associated value. For more information about session tags,
|
1277
|
-
# see [Passing Session Tags in STS][
|
1311
|
+
# see [Passing Session Tags in STS][9] in the *IAM User Guide*.
|
1278
1312
|
#
|
1279
1313
|
# You can pass up to 50 session tags. The plaintext session tag keys
|
1280
1314
|
# can’t exceed 128 characters and the values can’t exceed 256
|
1281
1315
|
# characters. For these and additional limits, see [IAM and STS
|
1282
|
-
# Character Limits][
|
1316
|
+
# Character Limits][10] in the *IAM User Guide*.
|
1283
1317
|
#
|
1284
1318
|
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
1285
1319
|
# policy, managed policy ARNs, and session tags into a packed binary
|
@@ -1297,12 +1331,12 @@ module Aws::STS
|
|
1297
1331
|
# An administrator must grant you the permissions necessary to pass
|
1298
1332
|
# session tags. The administrator can also create granular permissions
|
1299
1333
|
# to allow you to pass only specific session tags. For more information,
|
1300
|
-
# see [Tutorial: Using Tags for Attribute-Based Access Control][
|
1334
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][11] in
|
1301
1335
|
# the *IAM User Guide*.
|
1302
1336
|
#
|
1303
1337
|
# You can set the session tags as transitive. Transitive tags persist
|
1304
1338
|
# during role chaining. For more information, see [Chaining Roles with
|
1305
|
-
# Session Tags][
|
1339
|
+
# Session Tags][12] in the *IAM User Guide*.
|
1306
1340
|
#
|
1307
1341
|
# **Identities**
|
1308
1342
|
#
|
@@ -1314,19 +1348,19 @@ module Aws::STS
|
|
1314
1348
|
# specified in the role's trust policy.
|
1315
1349
|
#
|
1316
1350
|
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your
|
1317
|
-
# CloudTrail logs. The entry includes the [Subject][
|
1351
|
+
# CloudTrail logs. The entry includes the [Subject][13] of the provided
|
1318
1352
|
# web identity token. We recommend that you avoid using any personally
|
1319
1353
|
# identifiable information (PII) in this field. For example, you could
|
1320
1354
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
1321
|
-
# specification][
|
1355
|
+
# specification][14].
|
1322
1356
|
#
|
1323
1357
|
# For more information about how to use web identity federation and the
|
1324
1358
|
# `AssumeRoleWithWebIdentity` API, see the following resources:
|
1325
1359
|
#
|
1326
|
-
# * [Using Web Identity Federation API Operations for Mobile Apps][
|
1327
|
-
# and [Federation Through a Web-based Identity Provider][
|
1360
|
+
# * [Using Web Identity Federation API Operations for Mobile Apps][15]
|
1361
|
+
# and [Federation Through a Web-based Identity Provider][16].
|
1328
1362
|
#
|
1329
|
-
# * [ Web Identity Federation Playground][
|
1363
|
+
# * [ Web Identity Federation Playground][17]. Walk through the process
|
1330
1364
|
# of authenticating through Login with Amazon, Facebook, or Google,
|
1331
1365
|
# getting temporary security credentials, and then using those
|
1332
1366
|
# credentials to make a request to Amazon Web Services.
|
@@ -1337,7 +1371,7 @@ module Aws::STS
|
|
1337
1371
|
# toolkits then show how to use the information from these providers
|
1338
1372
|
# to get and use temporary security credentials.
|
1339
1373
|
#
|
1340
|
-
# * [Web Identity Federation with Mobile Applications][
|
1374
|
+
# * [Web Identity Federation with Mobile Applications][18]. This article
|
1341
1375
|
# discusses web identity federation and shows an example of how to use
|
1342
1376
|
# web identity federation to get access to content in Amazon S3.
|
1343
1377
|
#
|
@@ -1346,23 +1380,21 @@ module Aws::STS
|
|
1346
1380
|
# [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
|
1347
1381
|
# [2]: http://aws.amazon.com/sdkforios/
|
1348
1382
|
# [3]: http://aws.amazon.com/sdkforandroid/
|
1349
|
-
# [4]: https://docs.aws.amazon.com/
|
1350
|
-
# [5]: https://docs.aws.amazon.com/
|
1351
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1352
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1353
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1354
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1355
|
-
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1356
|
-
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1357
|
-
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1358
|
-
# [13]:
|
1359
|
-
# [14]:
|
1360
|
-
# [15]:
|
1361
|
-
# [16]:
|
1362
|
-
# [17]: https://
|
1363
|
-
# [18]:
|
1364
|
-
# [19]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
|
1365
|
-
# [20]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
1383
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1384
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
1385
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
1386
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
1387
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1388
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1389
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
1390
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
1391
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
1392
|
+
# [13]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
|
1393
|
+
# [14]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
1394
|
+
# [15]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
|
1395
|
+
# [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
1396
|
+
# [17]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
|
1397
|
+
# [18]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
1366
1398
|
#
|
1367
1399
|
# @option params [required, String] :role_arn
|
1368
1400
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
@@ -1386,7 +1418,8 @@ module Aws::STS
|
|
1386
1418
|
# by the identity provider. Your application must get this token by
|
1387
1419
|
# authenticating the user who is using your application with a web
|
1388
1420
|
# identity provider before the application makes an
|
1389
|
-
# `AssumeRoleWithWebIdentity` call.
|
1421
|
+
# `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
|
1422
|
+
# (RS256) are supported.
|
1390
1423
|
#
|
1391
1424
|
# @option params [String] :provider_id
|
1392
1425
|
# The fully qualified host component of the domain name of the OAuth 2.0
|
@@ -1721,11 +1754,11 @@ module Aws::STS
|
|
1721
1754
|
# to call the operation.
|
1722
1755
|
#
|
1723
1756
|
# <note markdown="1"> No permissions are required to perform this operation. If an
|
1724
|
-
# administrator
|
1757
|
+
# administrator attaches a policy to your identity that explicitly
|
1725
1758
|
# denies access to the `sts:GetCallerIdentity` action, you can still
|
1726
1759
|
# perform this operation. Permissions are not required because the same
|
1727
|
-
# information is returned when
|
1728
|
-
#
|
1760
|
+
# information is returned when access is denied. To view an example
|
1761
|
+
# response, see [I Am Not Authorized to Perform:
|
1729
1762
|
# iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
|
1730
1763
|
#
|
1731
1764
|
# </note>
|
@@ -1802,54 +1835,57 @@ module Aws::STS
|
|
1802
1835
|
end
|
1803
1836
|
|
1804
1837
|
# Returns a set of temporary security credentials (consisting of an
|
1805
|
-
# access key ID, a secret access key, and a security token) for a
|
1806
|
-
#
|
1807
|
-
#
|
1808
|
-
#
|
1809
|
-
#
|
1810
|
-
#
|
1811
|
-
#
|
1812
|
-
#
|
1813
|
-
#
|
1838
|
+
# access key ID, a secret access key, and a security token) for a user.
|
1839
|
+
# A typical use is in a proxy application that gets temporary security
|
1840
|
+
# credentials on behalf of distributed applications inside a corporate
|
1841
|
+
# network.
|
1842
|
+
#
|
1843
|
+
# You must call the `GetFederationToken` operation using the long-term
|
1844
|
+
# security credentials of an IAM user. As a result, this call is
|
1845
|
+
# appropriate in contexts where those credentials can be safeguarded,
|
1846
|
+
# usually in a server-based application. For a comparison of
|
1847
|
+
# `GetFederationToken` with the other API operations that produce
|
1848
|
+
# temporary credentials, see [Requesting Temporary Security
|
1814
1849
|
# Credentials][1] and [Comparing the Amazon Web Services STS API
|
1815
1850
|
# operations][2] in the *IAM User Guide*.
|
1816
1851
|
#
|
1852
|
+
# Although it is possible to call `GetFederationToken` using the
|
1853
|
+
# security credentials of an Amazon Web Services account root user
|
1854
|
+
# rather than an IAM user that you create for the purpose of a proxy
|
1855
|
+
# application, we do not recommend it. For more information, see
|
1856
|
+
# [Safeguard your root user credentials and don't use them for everyday
|
1857
|
+
# tasks][3] in the *IAM User Guide*.
|
1858
|
+
#
|
1817
1859
|
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
1818
1860
|
# authenticate users using a web identity provider like Login with
|
1819
1861
|
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
1820
|
-
# provider. In this case, we recommend that you use [Amazon Cognito][
|
1862
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][4]
|
1821
1863
|
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
1822
|
-
# Through a Web-based Identity Provider][
|
1864
|
+
# Through a Web-based Identity Provider][5] in the *IAM User Guide*.
|
1823
1865
|
#
|
1824
1866
|
# </note>
|
1825
1867
|
#
|
1826
|
-
# You can also call `GetFederationToken` using the security credentials
|
1827
|
-
# of an Amazon Web Services account root user, but we do not recommend
|
1828
|
-
# it. Instead, we recommend that you create an IAM user for the purpose
|
1829
|
-
# of the proxy application. Then attach a policy to the IAM user that
|
1830
|
-
# limits federated users to only the actions and resources that they
|
1831
|
-
# need to access. For more information, see [IAM Best Practices][5] in
|
1832
|
-
# the *IAM User Guide*.
|
1833
|
-
#
|
1834
1868
|
# **Session duration**
|
1835
1869
|
#
|
1836
1870
|
# The temporary credentials are valid for the specified duration, from
|
1837
1871
|
# 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
|
1838
1872
|
# hours). The default session duration is 43,200 seconds (12 hours).
|
1839
|
-
# Temporary credentials obtained by using the
|
1840
|
-
#
|
1841
|
-
# (1 hour).
|
1873
|
+
# Temporary credentials obtained by using the root user credentials have
|
1874
|
+
# a maximum duration of 3,600 seconds (1 hour).
|
1842
1875
|
#
|
1843
1876
|
# **Permissions**
|
1844
1877
|
#
|
1845
1878
|
# You can use the temporary credentials created by `GetFederationToken`
|
1846
|
-
# in any Amazon Web Services service
|
1879
|
+
# in any Amazon Web Services service with the following exceptions:
|
1847
1880
|
#
|
1848
1881
|
# * You cannot call any IAM operations using the CLI or the Amazon Web
|
1849
|
-
# Services API.
|
1882
|
+
# Services API. This limitation does not apply to console sessions.
|
1850
1883
|
#
|
1851
1884
|
# * You cannot call any STS operations except `GetCallerIdentity`.
|
1852
1885
|
#
|
1886
|
+
# You can use temporary credentials for single sign-on (SSO) to the
|
1887
|
+
# console.
|
1888
|
+
#
|
1853
1889
|
# You must pass an inline or managed [session policy][6] to this
|
1854
1890
|
# operation. You can pass a single JSON policy document to use as an
|
1855
1891
|
# inline session policy. You can also specify up to 10 managed policy
|
@@ -1885,9 +1921,9 @@ module Aws::STS
|
|
1885
1921
|
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
1886
1922
|
# authenticate users using a web identity provider like Login with
|
1887
1923
|
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
1888
|
-
# provider. In this case, we recommend that you use [Amazon Cognito][
|
1924
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][4]
|
1889
1925
|
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
1890
|
-
# Through a Web-based Identity Provider][
|
1926
|
+
# Through a Web-based Identity Provider][5] in the *IAM User Guide*.
|
1891
1927
|
#
|
1892
1928
|
# </note>
|
1893
1929
|
#
|
@@ -1909,9 +1945,9 @@ module Aws::STS
|
|
1909
1945
|
#
|
1910
1946
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1911
1947
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
1912
|
-
# [3]:
|
1913
|
-
# [4]:
|
1914
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1948
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
|
1949
|
+
# [4]: http://aws.amazon.com/cognito/
|
1950
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
1915
1951
|
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1916
1952
|
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
|
1917
1953
|
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
@@ -2028,10 +2064,10 @@ module Aws::STS
|
|
2028
2064
|
# The duration, in seconds, that the session should last. Acceptable
|
2029
2065
|
# durations for federation sessions range from 900 seconds (15 minutes)
|
2030
2066
|
# to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
|
2031
|
-
# default. Sessions obtained using
|
2032
|
-
#
|
2033
|
-
#
|
2034
|
-
#
|
2067
|
+
# default. Sessions obtained using root user credentials are restricted
|
2068
|
+
# to a maximum of 3,600 seconds (one hour). If the specified duration is
|
2069
|
+
# longer than one hour, the session obtained by using root user
|
2070
|
+
# credentials defaults to one hour.
|
2035
2071
|
#
|
2036
2072
|
# @option params [Array<Types::Tag>] :tags
|
2037
2073
|
# A list of session tags. Each session tag consists of a key name and an
|
@@ -2151,14 +2187,15 @@ module Aws::STS
|
|
2151
2187
|
# secret access key, and a security token. Typically, you use
|
2152
2188
|
# `GetSessionToken` if you want to use MFA to protect programmatic calls
|
2153
2189
|
# to specific Amazon Web Services API operations like Amazon EC2
|
2154
|
-
# `StopInstances`.
|
2155
|
-
#
|
2156
|
-
# MFA
|
2157
|
-
#
|
2158
|
-
#
|
2159
|
-
#
|
2160
|
-
#
|
2161
|
-
#
|
2190
|
+
# `StopInstances`.
|
2191
|
+
#
|
2192
|
+
# MFA-enabled IAM users must call `GetSessionToken` and submit an MFA
|
2193
|
+
# code that is associated with their MFA device. Using the temporary
|
2194
|
+
# security credentials that the call returns, IAM users can then make
|
2195
|
+
# programmatic calls to API operations that require MFA authentication.
|
2196
|
+
# An incorrect MFA code causes the API to return an access denied error.
|
2197
|
+
# For a comparison of `GetSessionToken` with the other API operations
|
2198
|
+
# that produce temporary credentials, see [Requesting Temporary Security
|
2162
2199
|
# Credentials][1] and [Comparing the Amazon Web Services STS API
|
2163
2200
|
# operations][2] in the *IAM User Guide*.
|
2164
2201
|
#
|
@@ -2173,13 +2210,13 @@ module Aws::STS
|
|
2173
2210
|
# **Session Duration**
|
2174
2211
|
#
|
2175
2212
|
# The `GetSessionToken` operation must be called by using the long-term
|
2176
|
-
# Amazon Web Services security credentials of
|
2177
|
-
#
|
2178
|
-
#
|
2179
|
-
#
|
2180
|
-
# (
|
2181
|
-
#
|
2182
|
-
#
|
2213
|
+
# Amazon Web Services security credentials of an IAM user. Credentials
|
2214
|
+
# that are created by IAM users are valid for the duration that you
|
2215
|
+
# specify. This duration can range from 900 seconds (15 minutes) up to a
|
2216
|
+
# maximum of 129,600 seconds (36 hours), with a default of 43,200
|
2217
|
+
# seconds (12 hours). Credentials based on account credentials can range
|
2218
|
+
# from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
|
2219
|
+
# default of 1 hour.
|
2183
2220
|
#
|
2184
2221
|
# **Permissions**
|
2185
2222
|
#
|
@@ -2193,24 +2230,23 @@ module Aws::STS
|
|
2193
2230
|
# * You cannot call any STS API *except* `AssumeRole` or
|
2194
2231
|
# `GetCallerIdentity`.
|
2195
2232
|
#
|
2196
|
-
#
|
2197
|
-
#
|
2198
|
-
#
|
2199
|
-
#
|
2200
|
-
# with Amazon Web Services.
|
2233
|
+
# The credentials that `GetSessionToken` returns are based on
|
2234
|
+
# permissions associated with the IAM user whose credentials were used
|
2235
|
+
# to call the operation. The temporary credentials have the same
|
2236
|
+
# permissions as the IAM user.
|
2201
2237
|
#
|
2202
|
-
#
|
2238
|
+
# <note markdown="1"> Although it is possible to call `GetSessionToken` using the security
|
2239
|
+
# credentials of an Amazon Web Services account root user rather than an
|
2240
|
+
# IAM user, we do not recommend it. If `GetSessionToken` is called using
|
2241
|
+
# root user credentials, the temporary credentials have root user
|
2242
|
+
# permissions. For more information, see [Safeguard your root user
|
2243
|
+
# credentials and don't use them for everyday tasks][4] in the *IAM
|
2244
|
+
# User Guide*
|
2203
2245
|
#
|
2204
|
-
#
|
2205
|
-
# permissions associated with the user whose credentials were used to
|
2206
|
-
# call the operation. If `GetSessionToken` is called using Amazon Web
|
2207
|
-
# Services account root user credentials, the temporary credentials have
|
2208
|
-
# root user permissions. Similarly, if `GetSessionToken` is called using
|
2209
|
-
# the credentials of an IAM user, the temporary credentials have the
|
2210
|
-
# same permissions as the IAM user.
|
2246
|
+
# </note>
|
2211
2247
|
#
|
2212
2248
|
# For more information about using `GetSessionToken` to create temporary
|
2213
|
-
# credentials,
|
2249
|
+
# credentials, see [Temporary Credentials for Users in Untrusted
|
2214
2250
|
# Environments][5] in the *IAM User Guide*.
|
2215
2251
|
#
|
2216
2252
|
#
|
@@ -2218,7 +2254,7 @@ module Aws::STS
|
|
2218
2254
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
2219
2255
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
2220
2256
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
|
2221
|
-
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#
|
2257
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
|
2222
2258
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
|
2223
2259
|
#
|
2224
2260
|
# @option params [Integer] :duration_seconds
|
@@ -2316,7 +2352,7 @@ module Aws::STS
|
|
2316
2352
|
params: params,
|
2317
2353
|
config: config)
|
2318
2354
|
context[:gem_name] = 'aws-sdk-core'
|
2319
|
-
context[:gem_version] = '3.
|
2355
|
+
context[:gem_version] = '3.190.3'
|
2320
2356
|
Seahorse::Client::Request.new(handlers, context)
|
2321
2357
|
end
|
2322
2358
|
|
@@ -43,6 +43,8 @@ module Aws::STS
|
|
43
43
|
NameQualifier = Shapes::StringShape.new(name: 'NameQualifier')
|
44
44
|
PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException')
|
45
45
|
PolicyDescriptorType = Shapes::StructureShape.new(name: 'PolicyDescriptorType')
|
46
|
+
ProvidedContext = Shapes::StructureShape.new(name: 'ProvidedContext')
|
47
|
+
ProvidedContextsListType = Shapes::ListShape.new(name: 'ProvidedContextsListType')
|
46
48
|
RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException')
|
47
49
|
SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
|
48
50
|
Subject = Shapes::StringShape.new(name: 'Subject')
|
@@ -54,6 +56,7 @@ module Aws::STS
|
|
54
56
|
arnType = Shapes::StringShape.new(name: 'arnType')
|
55
57
|
assumedRoleIdType = Shapes::StringShape.new(name: 'assumedRoleIdType')
|
56
58
|
clientTokenType = Shapes::StringShape.new(name: 'clientTokenType')
|
59
|
+
contextAssertionType = Shapes::StringShape.new(name: 'contextAssertionType')
|
57
60
|
dateType = Shapes::TimestampShape.new(name: 'dateType')
|
58
61
|
decodedMessageType = Shapes::StringShape.new(name: 'decodedMessageType')
|
59
62
|
durationSecondsType = Shapes::IntegerShape.new(name: 'durationSecondsType')
|
@@ -81,6 +84,7 @@ module Aws::STS
|
|
81
84
|
tagValueType = Shapes::StringShape.new(name: 'tagValueType')
|
82
85
|
tokenCodeType = Shapes::StringShape.new(name: 'tokenCodeType')
|
83
86
|
tokenType = Shapes::StringShape.new(name: 'tokenType')
|
87
|
+
unrestrictedSessionPolicyDocumentType = Shapes::StringShape.new(name: 'unrestrictedSessionPolicyDocumentType')
|
84
88
|
urlType = Shapes::StringShape.new(name: 'urlType')
|
85
89
|
userIdType = Shapes::StringShape.new(name: 'userIdType')
|
86
90
|
userNameType = Shapes::StringShape.new(name: 'userNameType')
|
@@ -89,7 +93,7 @@ module Aws::STS
|
|
89
93
|
AssumeRoleRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
|
90
94
|
AssumeRoleRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
|
91
95
|
AssumeRoleRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
|
92
|
-
AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape:
|
96
|
+
AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape: unrestrictedSessionPolicyDocumentType, location_name: "Policy"))
|
93
97
|
AssumeRoleRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
|
94
98
|
AssumeRoleRequest.add_member(:tags, Shapes::ShapeRef.new(shape: tagListType, location_name: "Tags"))
|
95
99
|
AssumeRoleRequest.add_member(:transitive_tag_keys, Shapes::ShapeRef.new(shape: tagKeyListType, location_name: "TransitiveTagKeys"))
|
@@ -97,6 +101,7 @@ module Aws::STS
|
|
97
101
|
AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
|
98
102
|
AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
|
99
103
|
AssumeRoleRequest.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
104
|
+
AssumeRoleRequest.add_member(:provided_contexts, Shapes::ShapeRef.new(shape: ProvidedContextsListType, location_name: "ProvidedContexts"))
|
100
105
|
AssumeRoleRequest.struct_class = Types::AssumeRoleRequest
|
101
106
|
|
102
107
|
AssumeRoleResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
|
@@ -219,6 +224,12 @@ module Aws::STS
|
|
219
224
|
PolicyDescriptorType.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, location_name: "arn"))
|
220
225
|
PolicyDescriptorType.struct_class = Types::PolicyDescriptorType
|
221
226
|
|
227
|
+
ProvidedContext.add_member(:provider_arn, Shapes::ShapeRef.new(shape: arnType, location_name: "ProviderArn"))
|
228
|
+
ProvidedContext.add_member(:context_assertion, Shapes::ShapeRef.new(shape: contextAssertionType, location_name: "ContextAssertion"))
|
229
|
+
ProvidedContext.struct_class = Types::ProvidedContext
|
230
|
+
|
231
|
+
ProvidedContextsListType.member = Shapes::ShapeRef.new(shape: ProvidedContext)
|
232
|
+
|
222
233
|
RegionDisabledException.add_member(:message, Shapes::ShapeRef.new(shape: regionDisabledMessage, location_name: "message"))
|
223
234
|
RegionDisabledException.struct_class = Types::RegionDisabledException
|
224
235
|
|