aws-sdk-core 3.168.4 → 3.190.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (72)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +231 -0
  3. data/VERSION +1 -1
  4. data/lib/aws-defaults/default_configuration.rb +4 -4
  5. data/lib/aws-sdk-core/client_stubs.rb +15 -12
  6. data/lib/aws-sdk-core/credential_provider.rb +3 -0
  7. data/lib/aws-sdk-core/credential_provider_chain.rb +2 -1
  8. data/lib/aws-sdk-core/ecs_credentials.rb +177 -53
  9. data/lib/aws-sdk-core/endpoints/condition.rb +5 -0
  10. data/lib/aws-sdk-core/endpoints/endpoint_rule.rb +5 -1
  11. data/lib/aws-sdk-core/endpoints/error_rule.rb +5 -0
  12. data/lib/aws-sdk-core/endpoints/function.rb +5 -0
  13. data/lib/aws-sdk-core/endpoints/matchers.rb +13 -9
  14. data/lib/aws-sdk-core/endpoints/reference.rb +5 -0
  15. data/lib/aws-sdk-core/endpoints/rule.rb +5 -0
  16. data/lib/aws-sdk-core/endpoints/rule_set.rb +5 -0
  17. data/lib/aws-sdk-core/endpoints/rules_provider.rb +5 -0
  18. data/lib/aws-sdk-core/endpoints/templater.rb +6 -0
  19. data/lib/aws-sdk-core/endpoints/tree_rule.rb +5 -0
  20. data/lib/aws-sdk-core/endpoints/url.rb +1 -0
  21. data/lib/aws-sdk-core/endpoints.rb +6 -2
  22. data/lib/aws-sdk-core/errors.rb +1 -1
  23. data/lib/aws-sdk-core/ini_parser.rb +7 -0
  24. data/lib/aws-sdk-core/instance_profile_credentials.rb +52 -30
  25. data/lib/aws-sdk-core/json/error_handler.rb +15 -5
  26. data/lib/aws-sdk-core/json/handler.rb +8 -1
  27. data/lib/aws-sdk-core/json/parser.rb +27 -2
  28. data/lib/aws-sdk-core/log/formatter.rb +6 -0
  29. data/lib/aws-sdk-core/pageable_response.rb +3 -1
  30. data/lib/aws-sdk-core/param_validator.rb +2 -2
  31. data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +5 -3
  32. data/lib/aws-sdk-core/plugins/http_checksum.rb +2 -1
  33. data/lib/aws-sdk-core/plugins/regional_endpoint.rb +109 -33
  34. data/lib/aws-sdk-core/plugins/request_compression.rb +217 -0
  35. data/lib/aws-sdk-core/plugins/sign.rb +16 -10
  36. data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
  37. data/lib/aws-sdk-core/refreshing_credentials.rb +12 -12
  38. data/lib/aws-sdk-core/rest/request/querystring_builder.rb +43 -29
  39. data/lib/aws-sdk-core/shared_config.rb +48 -18
  40. data/lib/aws-sdk-core/sso_credentials.rb +1 -1
  41. data/lib/aws-sdk-core/stubbing/stub_data.rb +11 -0
  42. data/lib/aws-sdk-core/waiters/poller.rb +4 -2
  43. data/lib/aws-sdk-core/xml/parser/engines/oga.rb +2 -0
  44. data/lib/aws-sdk-sso/client.rb +21 -1
  45. data/lib/aws-sdk-sso/endpoint_provider.rb +41 -96
  46. data/lib/aws-sdk-sso/endpoints.rb +1 -0
  47. data/lib/aws-sdk-sso/plugins/endpoints.rb +3 -2
  48. data/lib/aws-sdk-sso.rb +1 -1
  49. data/lib/aws-sdk-ssooidc/client.rb +358 -29
  50. data/lib/aws-sdk-ssooidc/client_api.rb +56 -1
  51. data/lib/aws-sdk-ssooidc/endpoint_provider.rb +41 -95
  52. data/lib/aws-sdk-ssooidc/endpoints.rb +15 -0
  53. data/lib/aws-sdk-ssooidc/errors.rb +31 -0
  54. data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +5 -2
  55. data/lib/aws-sdk-ssooidc/types.rb +302 -49
  56. data/lib/aws-sdk-ssooidc.rb +1 -1
  57. data/lib/aws-sdk-sts/client.rb +158 -122
  58. data/lib/aws-sdk-sts/client_api.rb +12 -1
  59. data/lib/aws-sdk-sts/endpoint_provider.rb +96 -213
  60. data/lib/aws-sdk-sts/endpoints.rb +1 -0
  61. data/lib/aws-sdk-sts/plugins/endpoints.rb +3 -2
  62. data/lib/aws-sdk-sts/presigner.rb +1 -1
  63. data/lib/aws-sdk-sts/types.rb +49 -11
  64. data/lib/aws-sdk-sts.rb +1 -1
  65. data/lib/seahorse/client/configuration.rb +0 -4
  66. data/lib/seahorse/client/h2/connection.rb +10 -6
  67. data/lib/seahorse/client/net_http/patches.rb +1 -4
  68. data/lib/seahorse/client/plugins/h2.rb +3 -3
  69. data/lib/seahorse/client/plugins/request_callback.rb +31 -0
  70. data/lib/seahorse/client/response.rb +6 -0
  71. data/lib/seahorse/model/operation.rb +3 -0
  72. metadata +13 -12
@@ -28,6 +28,7 @@ require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
28
28
  require 'aws-sdk-core/plugins/transfer_encoding.rb'
29
29
  require 'aws-sdk-core/plugins/http_checksum.rb'
30
30
  require 'aws-sdk-core/plugins/checksum_algorithm.rb'
31
+ require 'aws-sdk-core/plugins/request_compression.rb'
31
32
  require 'aws-sdk-core/plugins/defaults_mode.rb'
32
33
  require 'aws-sdk-core/plugins/recursion_detection.rb'
33
34
  require 'aws-sdk-core/plugins/sign.rb'
@@ -78,6 +79,7 @@ module Aws::STS
78
79
  add_plugin(Aws::Plugins::TransferEncoding)
79
80
  add_plugin(Aws::Plugins::HttpChecksum)
80
81
  add_plugin(Aws::Plugins::ChecksumAlgorithm)
82
+ add_plugin(Aws::Plugins::RequestCompression)
81
83
  add_plugin(Aws::Plugins::DefaultsMode)
82
84
  add_plugin(Aws::Plugins::RecursionDetection)
83
85
  add_plugin(Aws::Plugins::Sign)
@@ -192,6 +194,10 @@ module Aws::STS
192
194
  # Set to true to disable SDK automatically adding host prefix
193
195
  # to default service endpoint when available.
194
196
  #
197
+ # @option options [Boolean] :disable_request_compression (false)
198
+ # When set to 'true' the request body will not be compressed
199
+ # for supported operations.
200
+ #
195
201
  # @option options [String] :endpoint
196
202
  # The client endpoint is normally constructed from the `:region`
197
203
  # option. You should only configure an `:endpoint` when connecting
@@ -212,6 +218,10 @@ module Aws::STS
212
218
  # @option options [Boolean] :endpoint_discovery (false)
213
219
  # When set to `true`, endpoint discovery will be enabled for operations when available.
214
220
  #
221
+ # @option options [Boolean] :ignore_configured_endpoint_urls
222
+ # Setting to true disables use of endpoint URLs provided via environment
223
+ # variables and the shared configuration file.
224
+ #
215
225
  # @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
216
226
  # The log formatter.
217
227
  #
@@ -232,6 +242,11 @@ module Aws::STS
232
242
  # Used when loading credentials from the shared credentials file
233
243
  # at HOME/.aws/credentials. When not specified, 'default' is used.
234
244
  #
245
+ # @option options [Integer] :request_min_compression_size_bytes (10240)
246
+ # The minimum size in bytes that triggers compression for request
247
+ # bodies. The value must be non-negative integer value between 0
248
+ # and 10485780 bytes inclusive.
249
+ #
235
250
  # @option options [Proc] :retry_backoff
236
251
  # A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
237
252
  # This option is only used in the `legacy` retry mode.
@@ -277,6 +292,11 @@ module Aws::STS
277
292
  # in the future.
278
293
  #
279
294
  #
295
+ # @option options [String] :sdk_ua_app_id
296
+ # A unique and opaque application ID that is appended to the
297
+ # User-Agent header as app/<sdk_ua_app_id>. It should have a
298
+ # maximum length of 50.
299
+ #
280
300
  # @option options [String] :secret_access_key
281
301
  #
282
302
  # @option options [String] :session_token
@@ -376,14 +396,13 @@ module Aws::STS
376
396
  # @!group API Operations
377
397
 
378
398
  # Returns a set of temporary security credentials that you can use to
379
- # access Amazon Web Services resources that you might not normally have
380
- # access to. These temporary credentials consist of an access key ID, a
381
- # secret access key, and a security token. Typically, you use
382
- # `AssumeRole` within your account or for cross-account access. For a
383
- # comparison of `AssumeRole` with other API operations that produce
384
- # temporary credentials, see [Requesting Temporary Security
385
- # Credentials][1] and [Comparing the Amazon Web Services STS API
386
- # operations][2] in the *IAM User Guide*.
399
+ # access Amazon Web Services resources. These temporary credentials
400
+ # consist of an access key ID, a secret access key, and a security
401
+ # token. Typically, you use `AssumeRole` within your account or for
402
+ # cross-account access. For a comparison of `AssumeRole` with other API
403
+ # operations that produce temporary credentials, see [Requesting
404
+ # Temporary Security Credentials][1] and [Comparing the Amazon Web
405
+ # Services STS API operations][2] in the *IAM User Guide*.
387
406
  #
388
407
  # **Permissions**
389
408
  #
@@ -407,10 +426,11 @@ module Aws::STS
407
426
  # identity-based policy of the role that is being assumed. For more
408
427
  # information, see [Session Policies][3] in the *IAM User Guide*.
409
428
  #
410
- # When you create a role, you create two policies: A role trust policy
411
- # that specifies *who* can assume the role and a permissions policy that
412
- # specifies *what* can be done with the role. You specify the trusted
413
- # principal who is allowed to assume the role in the role trust policy.
429
+ # When you create a role, you create two policies: a role trust policy
430
+ # that specifies *who* can assume the role, and a permissions policy
431
+ # that specifies *what* can be done with the role. You specify the
432
+ # trusted principal that is allowed to assume the role in the role trust
433
+ # policy.
414
434
  #
415
435
  # To assume a role from a different account, your Amazon Web Services
416
436
  # account must be trusted by the role. The trust relationship is defined
@@ -419,10 +439,9 @@ module Aws::STS
419
439
  # users in the account.
420
440
  #
421
441
  # A user who wants to access a role in a different account must also
422
- # have permissions that are delegated from the user account
423
- # administrator. The administrator must attach a policy that allows the
424
- # user to call `AssumeRole` for the ARN of the role in the other
425
- # account.
442
+ # have permissions that are delegated from the account administrator.
443
+ # The administrator must attach a policy that allows the user to call
444
+ # `AssumeRole` for the ARN of the role in the other account.
426
445
  #
427
446
  # To allow a user to assume a role in the same account, you can do
428
447
  # either of the following:
@@ -747,6 +766,17 @@ module Aws::STS
747
766
  #
748
767
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
749
768
  #
769
+ # @option params [Array<Types::ProvidedContext>] :provided_contexts
770
+ # A list of previously acquired trusted context assertions in the format
771
+ # of a JSON array. The trusted context assertion is signed and encrypted
772
+ # by Amazon Web Services STS.
773
+ #
774
+ # The following is an example of a `ProvidedContext` value that includes
775
+ # a single trusted context assertion and the ARN of the context provider
776
+ # from which the trusted context assertion was generated.
777
+ #
778
+ # `[\{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"\}]`
779
+ #
750
780
  # @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
751
781
  #
752
782
  # * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
@@ -807,7 +837,7 @@ module Aws::STS
807
837
  # arn: "arnType",
808
838
  # },
809
839
  # ],
810
- # policy: "sessionPolicyDocumentType",
840
+ # policy: "unrestrictedSessionPolicyDocumentType",
811
841
  # duration_seconds: 1,
812
842
  # tags: [
813
843
  # {
@@ -820,6 +850,12 @@ module Aws::STS
820
850
  # serial_number: "serialNumberType",
821
851
  # token_code: "tokenCodeType",
822
852
  # source_identity: "sourceIdentityType",
853
+ # provided_contexts: [
854
+ # {
855
+ # provider_arn: "arnType",
856
+ # context_assertion: "contextAssertionType",
857
+ # },
858
+ # ],
823
859
  # })
824
860
  #
825
861
  # @example Response structure
@@ -1207,10 +1243,8 @@ module Aws::STS
1207
1243
  # the user with a consistent identity throughout the lifetime of an
1208
1244
  # application.
1209
1245
  #
1210
- # To learn more about Amazon Cognito, see [Amazon Cognito Overview][4]
1211
- # in *Amazon Web Services SDK for Android Developer Guide* and [Amazon
1212
- # Cognito Overview][5] in the *Amazon Web Services SDK for iOS Developer
1213
- # Guide*.
1246
+ # To learn more about Amazon Cognito, see [Amazon Cognito identity
1247
+ # pools][1] in *Amazon Cognito Developer Guide*.
1214
1248
  #
1215
1249
  # </note>
1216
1250
  #
@@ -1224,8 +1258,8 @@ module Aws::STS
1224
1258
  # a token from the web identity provider. For a comparison of
1225
1259
  # `AssumeRoleWithWebIdentity` with the other API operations that produce
1226
1260
  # temporary credentials, see [Requesting Temporary Security
1227
- # Credentials][6] and [Comparing the Amazon Web Services STS API
1228
- # operations][7] in the *IAM User Guide*.
1261
+ # Credentials][4] and [Comparing the Amazon Web Services STS API
1262
+ # operations][5] in the *IAM User Guide*.
1229
1263
  #
1230
1264
  # The temporary security credentials returned by this API consist of an
1231
1265
  # access key ID, a secret access key, and a security token. Applications
@@ -1241,11 +1275,11 @@ module Aws::STS
1241
1275
  # to the maximum session duration setting for the role. This setting can
1242
1276
  # have a value from 1 hour to 12 hours. To learn how to view the maximum
1243
1277
  # value for your role, see [View the Maximum Session Duration Setting
1244
- # for a Role][8] in the *IAM User Guide*. The maximum session duration
1278
+ # for a Role][6] in the *IAM User Guide*. The maximum session duration
1245
1279
  # limit applies when you use the `AssumeRole*` API operations or the
1246
1280
  # `assume-role*` CLI commands. However the limit does not apply when you
1247
1281
  # use those operations to create a console URL. For more information,
1248
- # see [Using IAM Roles][9] in the *IAM User Guide*.
1282
+ # see [Using IAM Roles][7] in the *IAM User Guide*.
1249
1283
  #
1250
1284
  # **Permissions**
1251
1285
  #
@@ -1254,7 +1288,7 @@ module Aws::STS
1254
1288
  # Amazon Web Services service with the following exception: you cannot
1255
1289
  # call the STS `GetFederationToken` or `GetSessionToken` API operations.
1256
1290
  #
1257
- # (Optional) You can pass inline or managed [session policies][10] to
1291
+ # (Optional) You can pass inline or managed [session policies][8] to
1258
1292
  # this operation. You can pass a single JSON policy document to use as
1259
1293
  # an inline session policy. You can also specify up to 10 managed policy
1260
1294
  # Amazon Resource Names (ARNs) to use as managed session policies. The
@@ -1267,19 +1301,19 @@ module Aws::STS
1267
1301
  # resources in the account that owns the role. You cannot use session
1268
1302
  # policies to grant more permissions than those allowed by the
1269
1303
  # identity-based policy of the role that is being assumed. For more
1270
- # information, see [Session Policies][10] in the *IAM User Guide*.
1304
+ # information, see [Session Policies][8] in the *IAM User Guide*.
1271
1305
  #
1272
1306
  # **Tags**
1273
1307
  #
1274
1308
  # (Optional) You can configure your IdP to pass attributes into your web
1275
1309
  # identity token as session tags. Each session tag consists of a key
1276
1310
  # name and an associated value. For more information about session tags,
1277
- # see [Passing Session Tags in STS][11] in the *IAM User Guide*.
1311
+ # see [Passing Session Tags in STS][9] in the *IAM User Guide*.
1278
1312
  #
1279
1313
  # You can pass up to 50 session tags. The plaintext session tag keys
1280
1314
  # can’t exceed 128 characters and the values can’t exceed 256
1281
1315
  # characters. For these and additional limits, see [IAM and STS
1282
- # Character Limits][12] in the *IAM User Guide*.
1316
+ # Character Limits][10] in the *IAM User Guide*.
1283
1317
  #
1284
1318
  # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1285
1319
  # policy, managed policy ARNs, and session tags into a packed binary
@@ -1297,12 +1331,12 @@ module Aws::STS
1297
1331
  # An administrator must grant you the permissions necessary to pass
1298
1332
  # session tags. The administrator can also create granular permissions
1299
1333
  # to allow you to pass only specific session tags. For more information,
1300
- # see [Tutorial: Using Tags for Attribute-Based Access Control][13] in
1334
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][11] in
1301
1335
  # the *IAM User Guide*.
1302
1336
  #
1303
1337
  # You can set the session tags as transitive. Transitive tags persist
1304
1338
  # during role chaining. For more information, see [Chaining Roles with
1305
- # Session Tags][14] in the *IAM User Guide*.
1339
+ # Session Tags][12] in the *IAM User Guide*.
1306
1340
  #
1307
1341
  # **Identities**
1308
1342
  #
@@ -1314,19 +1348,19 @@ module Aws::STS
1314
1348
  # specified in the role's trust policy.
1315
1349
  #
1316
1350
  # Calling `AssumeRoleWithWebIdentity` can result in an entry in your
1317
- # CloudTrail logs. The entry includes the [Subject][15] of the provided
1351
+ # CloudTrail logs. The entry includes the [Subject][13] of the provided
1318
1352
  # web identity token. We recommend that you avoid using any personally
1319
1353
  # identifiable information (PII) in this field. For example, you could
1320
1354
  # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
1321
- # specification][16].
1355
+ # specification][14].
1322
1356
  #
1323
1357
  # For more information about how to use web identity federation and the
1324
1358
  # `AssumeRoleWithWebIdentity` API, see the following resources:
1325
1359
  #
1326
- # * [Using Web Identity Federation API Operations for Mobile Apps][17]
1327
- # and [Federation Through a Web-based Identity Provider][18].
1360
+ # * [Using Web Identity Federation API Operations for Mobile Apps][15]
1361
+ # and [Federation Through a Web-based Identity Provider][16].
1328
1362
  #
1329
- # * [ Web Identity Federation Playground][19]. Walk through the process
1363
+ # * [ Web Identity Federation Playground][17]. Walk through the process
1330
1364
  # of authenticating through Login with Amazon, Facebook, or Google,
1331
1365
  # getting temporary security credentials, and then using those
1332
1366
  # credentials to make a request to Amazon Web Services.
@@ -1337,7 +1371,7 @@ module Aws::STS
1337
1371
  # toolkits then show how to use the information from these providers
1338
1372
  # to get and use temporary security credentials.
1339
1373
  #
1340
- # * [Web Identity Federation with Mobile Applications][20]. This article
1374
+ # * [Web Identity Federation with Mobile Applications][18]. This article
1341
1375
  # discusses web identity federation and shows an example of how to use
1342
1376
  # web identity federation to get access to content in Amazon S3.
1343
1377
  #
@@ -1346,23 +1380,21 @@ module Aws::STS
1346
1380
  # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
1347
1381
  # [2]: http://aws.amazon.com/sdkforios/
1348
1382
  # [3]: http://aws.amazon.com/sdkforandroid/
1349
- # [4]: https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
1350
- # [5]: https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
1351
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1352
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1353
- # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1354
- # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
1355
- # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1356
- # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
1357
- # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
1358
- # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
1359
- # [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
1360
- # [15]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
1361
- # [16]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
1362
- # [17]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
1363
- # [18]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1364
- # [19]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
1365
- # [20]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
1383
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1384
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1385
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1386
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
1387
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1388
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
1389
+ # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
1390
+ # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
1391
+ # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
1392
+ # [13]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
1393
+ # [14]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
1394
+ # [15]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
1395
+ # [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1396
+ # [17]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
1397
+ # [18]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
1366
1398
  #
1367
1399
  # @option params [required, String] :role_arn
1368
1400
  # The Amazon Resource Name (ARN) of the role that the caller is
@@ -1386,7 +1418,8 @@ module Aws::STS
1386
1418
  # by the identity provider. Your application must get this token by
1387
1419
  # authenticating the user who is using your application with a web
1388
1420
  # identity provider before the application makes an
1389
- # `AssumeRoleWithWebIdentity` call.
1421
+ # `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
1422
+ # (RS256) are supported.
1390
1423
  #
1391
1424
  # @option params [String] :provider_id
1392
1425
  # The fully qualified host component of the domain name of the OAuth 2.0
@@ -1721,11 +1754,11 @@ module Aws::STS
1721
1754
  # to call the operation.
1722
1755
  #
1723
1756
  # <note markdown="1"> No permissions are required to perform this operation. If an
1724
- # administrator adds a policy to your IAM user or role that explicitly
1757
+ # administrator attaches a policy to your identity that explicitly
1725
1758
  # denies access to the `sts:GetCallerIdentity` action, you can still
1726
1759
  # perform this operation. Permissions are not required because the same
1727
- # information is returned when an IAM user or role is denied access. To
1728
- # view an example response, see [I Am Not Authorized to Perform:
1760
+ # information is returned when access is denied. To view an example
1761
+ # response, see [I Am Not Authorized to Perform:
1729
1762
  # iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
1730
1763
  #
1731
1764
  # </note>
@@ -1802,54 +1835,57 @@ module Aws::STS
1802
1835
  end
1803
1836
 
1804
1837
  # Returns a set of temporary security credentials (consisting of an
1805
- # access key ID, a secret access key, and a security token) for a
1806
- # federated user. A typical use is in a proxy application that gets
1807
- # temporary security credentials on behalf of distributed applications
1808
- # inside a corporate network. You must call the `GetFederationToken`
1809
- # operation using the long-term security credentials of an IAM user. As
1810
- # a result, this call is appropriate in contexts where those credentials
1811
- # can be safely stored, usually in a server-based application. For a
1812
- # comparison of `GetFederationToken` with the other API operations that
1813
- # produce temporary credentials, see [Requesting Temporary Security
1838
+ # access key ID, a secret access key, and a security token) for a user.
1839
+ # A typical use is in a proxy application that gets temporary security
1840
+ # credentials on behalf of distributed applications inside a corporate
1841
+ # network.
1842
+ #
1843
+ # You must call the `GetFederationToken` operation using the long-term
1844
+ # security credentials of an IAM user. As a result, this call is
1845
+ # appropriate in contexts where those credentials can be safeguarded,
1846
+ # usually in a server-based application. For a comparison of
1847
+ # `GetFederationToken` with the other API operations that produce
1848
+ # temporary credentials, see [Requesting Temporary Security
1814
1849
  # Credentials][1] and [Comparing the Amazon Web Services STS API
1815
1850
  # operations][2] in the *IAM User Guide*.
1816
1851
  #
1852
+ # Although it is possible to call `GetFederationToken` using the
1853
+ # security credentials of an Amazon Web Services account root user
1854
+ # rather than an IAM user that you create for the purpose of a proxy
1855
+ # application, we do not recommend it. For more information, see
1856
+ # [Safeguard your root user credentials and don't use them for everyday
1857
+ # tasks][3] in the *IAM User Guide*.
1858
+ #
1817
1859
  # <note markdown="1"> You can create a mobile-based or browser-based app that can
1818
1860
  # authenticate users using a web identity provider like Login with
1819
1861
  # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
1820
- # provider. In this case, we recommend that you use [Amazon Cognito][3]
1862
+ # provider. In this case, we recommend that you use [Amazon Cognito][4]
1821
1863
  # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
1822
- # Through a Web-based Identity Provider][4] in the *IAM User Guide*.
1864
+ # Through a Web-based Identity Provider][5] in the *IAM User Guide*.
1823
1865
  #
1824
1866
  # </note>
1825
1867
  #
1826
- # You can also call `GetFederationToken` using the security credentials
1827
- # of an Amazon Web Services account root user, but we do not recommend
1828
- # it. Instead, we recommend that you create an IAM user for the purpose
1829
- # of the proxy application. Then attach a policy to the IAM user that
1830
- # limits federated users to only the actions and resources that they
1831
- # need to access. For more information, see [IAM Best Practices][5] in
1832
- # the *IAM User Guide*.
1833
- #
1834
1868
  # **Session duration**
1835
1869
  #
1836
1870
  # The temporary credentials are valid for the specified duration, from
1837
1871
  # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1838
1872
  # hours). The default session duration is 43,200 seconds (12 hours).
1839
- # Temporary credentials obtained by using the Amazon Web Services
1840
- # account root user credentials have a maximum duration of 3,600 seconds
1841
- # (1 hour).
1873
+ # Temporary credentials obtained by using the root user credentials have
1874
+ # a maximum duration of 3,600 seconds (1 hour).
1842
1875
  #
1843
1876
  # **Permissions**
1844
1877
  #
1845
1878
  # You can use the temporary credentials created by `GetFederationToken`
1846
- # in any Amazon Web Services service except the following:
1879
+ # in any Amazon Web Services service with the following exceptions:
1847
1880
  #
1848
1881
  # * You cannot call any IAM operations using the CLI or the Amazon Web
1849
- # Services API.
1882
+ # Services API. This limitation does not apply to console sessions.
1850
1883
  #
1851
1884
  # * You cannot call any STS operations except `GetCallerIdentity`.
1852
1885
  #
1886
+ # You can use temporary credentials for single sign-on (SSO) to the
1887
+ # console.
1888
+ #
1853
1889
  # You must pass an inline or managed [session policy][6] to this
1854
1890
  # operation. You can pass a single JSON policy document to use as an
1855
1891
  # inline session policy. You can also specify up to 10 managed policy
@@ -1885,9 +1921,9 @@ module Aws::STS
1885
1921
  # <note markdown="1"> You can create a mobile-based or browser-based app that can
1886
1922
  # authenticate users using a web identity provider like Login with
1887
1923
  # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
1888
- # provider. In this case, we recommend that you use [Amazon Cognito][3]
1924
+ # provider. In this case, we recommend that you use [Amazon Cognito][4]
1889
1925
  # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
1890
- # Through a Web-based Identity Provider][4] in the *IAM User Guide*.
1926
+ # Through a Web-based Identity Provider][5] in the *IAM User Guide*.
1891
1927
  #
1892
1928
  # </note>
1893
1929
  #
@@ -1909,9 +1945,9 @@ module Aws::STS
1909
1945
  #
1910
1946
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1911
1947
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1912
- # [3]: http://aws.amazon.com/cognito/
1913
- # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1914
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
1948
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
1949
+ # [4]: http://aws.amazon.com/cognito/
1950
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1915
1951
  # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1916
1952
  # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
1917
1953
  # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
@@ -2028,10 +2064,10 @@ module Aws::STS
2028
2064
  # The duration, in seconds, that the session should last. Acceptable
2029
2065
  # durations for federation sessions range from 900 seconds (15 minutes)
2030
2066
  # to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
2031
- # default. Sessions obtained using Amazon Web Services account root user
2032
- # credentials are restricted to a maximum of 3,600 seconds (one hour).
2033
- # If the specified duration is longer than one hour, the session
2034
- # obtained by using root user credentials defaults to one hour.
2067
+ # default. Sessions obtained using root user credentials are restricted
2068
+ # to a maximum of 3,600 seconds (one hour). If the specified duration is
2069
+ # longer than one hour, the session obtained by using root user
2070
+ # credentials defaults to one hour.
2035
2071
  #
2036
2072
  # @option params [Array<Types::Tag>] :tags
2037
2073
  # A list of session tags. Each session tag consists of a key name and an
@@ -2151,14 +2187,15 @@ module Aws::STS
2151
2187
  # secret access key, and a security token. Typically, you use
2152
2188
  # `GetSessionToken` if you want to use MFA to protect programmatic calls
2153
2189
  # to specific Amazon Web Services API operations like Amazon EC2
2154
- # `StopInstances`. MFA-enabled IAM users would need to call
2155
- # `GetSessionToken` and submit an MFA code that is associated with their
2156
- # MFA device. Using the temporary security credentials that are returned
2157
- # from the call, IAM users can then make programmatic calls to API
2158
- # operations that require MFA authentication. If you do not supply a
2159
- # correct MFA code, then the API returns an access denied error. For a
2160
- # comparison of `GetSessionToken` with the other API operations that
2161
- # produce temporary credentials, see [Requesting Temporary Security
2190
+ # `StopInstances`.
2191
+ #
2192
+ # MFA-enabled IAM users must call `GetSessionToken` and submit an MFA
2193
+ # code that is associated with their MFA device. Using the temporary
2194
+ # security credentials that the call returns, IAM users can then make
2195
+ # programmatic calls to API operations that require MFA authentication.
2196
+ # An incorrect MFA code causes the API to return an access denied error.
2197
+ # For a comparison of `GetSessionToken` with the other API operations
2198
+ # that produce temporary credentials, see [Requesting Temporary Security
2162
2199
  # Credentials][1] and [Comparing the Amazon Web Services STS API
2163
2200
  # operations][2] in the *IAM User Guide*.
2164
2201
  #
@@ -2173,13 +2210,13 @@ module Aws::STS
2173
2210
  # **Session Duration**
2174
2211
  #
2175
2212
  # The `GetSessionToken` operation must be called by using the long-term
2176
- # Amazon Web Services security credentials of the Amazon Web Services
2177
- # account root user or an IAM user. Credentials that are created by IAM
2178
- # users are valid for the duration that you specify. This duration can
2179
- # range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds
2180
- # (36 hours), with a default of 43,200 seconds (12 hours). Credentials
2181
- # based on account credentials can range from 900 seconds (15 minutes)
2182
- # up to 3,600 seconds (1 hour), with a default of 1 hour.
2213
+ # Amazon Web Services security credentials of an IAM user. Credentials
2214
+ # that are created by IAM users are valid for the duration that you
2215
+ # specify. This duration can range from 900 seconds (15 minutes) up to a
2216
+ # maximum of 129,600 seconds (36 hours), with a default of 43,200
2217
+ # seconds (12 hours). Credentials based on account credentials can range
2218
+ # from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
2219
+ # default of 1 hour.
2183
2220
  #
2184
2221
  # **Permissions**
2185
2222
  #
@@ -2193,24 +2230,23 @@ module Aws::STS
2193
2230
  # * You cannot call any STS API *except* `AssumeRole` or
2194
2231
  # `GetCallerIdentity`.
2195
2232
  #
2196
- # <note markdown="1"> We recommend that you do not call `GetSessionToken` with Amazon Web
2197
- # Services account root user credentials. Instead, follow our [best
2198
- # practices][4] by creating one or more IAM users, giving them the
2199
- # necessary permissions, and using IAM users for everyday interaction
2200
- # with Amazon Web Services.
2233
+ # The credentials that `GetSessionToken` returns are based on
2234
+ # permissions associated with the IAM user whose credentials were used
2235
+ # to call the operation. The temporary credentials have the same
2236
+ # permissions as the IAM user.
2201
2237
  #
2202
- # </note>
2238
+ # <note markdown="1"> Although it is possible to call `GetSessionToken` using the security
2239
+ # credentials of an Amazon Web Services account root user rather than an
2240
+ # IAM user, we do not recommend it. If `GetSessionToken` is called using
2241
+ # root user credentials, the temporary credentials have root user
2242
+ # permissions. For more information, see [Safeguard your root user
2243
+ # credentials and don't use them for everyday tasks][4] in the *IAM
2244
+ # User Guide*
2203
2245
  #
2204
- # The credentials that are returned by `GetSessionToken` are based on
2205
- # permissions associated with the user whose credentials were used to
2206
- # call the operation. If `GetSessionToken` is called using Amazon Web
2207
- # Services account root user credentials, the temporary credentials have
2208
- # root user permissions. Similarly, if `GetSessionToken` is called using
2209
- # the credentials of an IAM user, the temporary credentials have the
2210
- # same permissions as the IAM user.
2246
+ # </note>
2211
2247
  #
2212
2248
  # For more information about using `GetSessionToken` to create temporary
2213
- # credentials, go to [Temporary Credentials for Users in Untrusted
2249
+ # credentials, see [Temporary Credentials for Users in Untrusted
2214
2250
  # Environments][5] in the *IAM User Guide*.
2215
2251
  #
2216
2252
  #
@@ -2218,7 +2254,7 @@ module Aws::STS
2218
2254
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
2219
2255
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
2220
2256
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
2221
- # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
2257
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
2222
2258
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
2223
2259
  #
2224
2260
  # @option params [Integer] :duration_seconds
@@ -2316,7 +2352,7 @@ module Aws::STS
2316
2352
  params: params,
2317
2353
  config: config)
2318
2354
  context[:gem_name] = 'aws-sdk-core'
2319
- context[:gem_version] = '3.168.4'
2355
+ context[:gem_version] = '3.190.3'
2320
2356
  Seahorse::Client::Request.new(handlers, context)
2321
2357
  end
2322
2358
 
@@ -43,6 +43,8 @@ module Aws::STS
43
43
  NameQualifier = Shapes::StringShape.new(name: 'NameQualifier')
44
44
  PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException')
45
45
  PolicyDescriptorType = Shapes::StructureShape.new(name: 'PolicyDescriptorType')
46
+ ProvidedContext = Shapes::StructureShape.new(name: 'ProvidedContext')
47
+ ProvidedContextsListType = Shapes::ListShape.new(name: 'ProvidedContextsListType')
46
48
  RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException')
47
49
  SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
48
50
  Subject = Shapes::StringShape.new(name: 'Subject')
@@ -54,6 +56,7 @@ module Aws::STS
54
56
  arnType = Shapes::StringShape.new(name: 'arnType')
55
57
  assumedRoleIdType = Shapes::StringShape.new(name: 'assumedRoleIdType')
56
58
  clientTokenType = Shapes::StringShape.new(name: 'clientTokenType')
59
+ contextAssertionType = Shapes::StringShape.new(name: 'contextAssertionType')
57
60
  dateType = Shapes::TimestampShape.new(name: 'dateType')
58
61
  decodedMessageType = Shapes::StringShape.new(name: 'decodedMessageType')
59
62
  durationSecondsType = Shapes::IntegerShape.new(name: 'durationSecondsType')
@@ -81,6 +84,7 @@ module Aws::STS
81
84
  tagValueType = Shapes::StringShape.new(name: 'tagValueType')
82
85
  tokenCodeType = Shapes::StringShape.new(name: 'tokenCodeType')
83
86
  tokenType = Shapes::StringShape.new(name: 'tokenType')
87
+ unrestrictedSessionPolicyDocumentType = Shapes::StringShape.new(name: 'unrestrictedSessionPolicyDocumentType')
84
88
  urlType = Shapes::StringShape.new(name: 'urlType')
85
89
  userIdType = Shapes::StringShape.new(name: 'userIdType')
86
90
  userNameType = Shapes::StringShape.new(name: 'userNameType')
@@ -89,7 +93,7 @@ module Aws::STS
89
93
  AssumeRoleRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
90
94
  AssumeRoleRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
91
95
  AssumeRoleRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
92
- AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
96
+ AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape: unrestrictedSessionPolicyDocumentType, location_name: "Policy"))
93
97
  AssumeRoleRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
94
98
  AssumeRoleRequest.add_member(:tags, Shapes::ShapeRef.new(shape: tagListType, location_name: "Tags"))
95
99
  AssumeRoleRequest.add_member(:transitive_tag_keys, Shapes::ShapeRef.new(shape: tagKeyListType, location_name: "TransitiveTagKeys"))
@@ -97,6 +101,7 @@ module Aws::STS
97
101
  AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
98
102
  AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
99
103
  AssumeRoleRequest.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
104
+ AssumeRoleRequest.add_member(:provided_contexts, Shapes::ShapeRef.new(shape: ProvidedContextsListType, location_name: "ProvidedContexts"))
100
105
  AssumeRoleRequest.struct_class = Types::AssumeRoleRequest
101
106
 
102
107
  AssumeRoleResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
@@ -219,6 +224,12 @@ module Aws::STS
219
224
  PolicyDescriptorType.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, location_name: "arn"))
220
225
  PolicyDescriptorType.struct_class = Types::PolicyDescriptorType
221
226
 
227
+ ProvidedContext.add_member(:provider_arn, Shapes::ShapeRef.new(shape: arnType, location_name: "ProviderArn"))
228
+ ProvidedContext.add_member(:context_assertion, Shapes::ShapeRef.new(shape: contextAssertionType, location_name: "ContextAssertion"))
229
+ ProvidedContext.struct_class = Types::ProvidedContext
230
+
231
+ ProvidedContextsListType.member = Shapes::ShapeRef.new(shape: ProvidedContext)
232
+
222
233
  RegionDisabledException.add_member(:message, Shapes::ShapeRef.new(shape: regionDisabledMessage, location_name: "message"))
223
234
  RegionDisabledException.struct_class = Types::RegionDisabledException
224
235