aws-sdk-core 3.171.0 → 3.172.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-core/json/error_handler.rb +15 -5
- data/lib/aws-sdk-core/log/formatter.rb +6 -0
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-ssooidc/client.rb +1 -1
- data/lib/aws-sdk-ssooidc.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +106 -110
- data/lib/aws-sdk-sts/endpoint_provider.rb +81 -78
- data/lib/aws-sdk-sts/types.rb +5 -6
- data/lib/aws-sdk-sts.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 746f82369d60381064a023bbb6acf6d34175a24c1efabb7a321413e4d2d9de88
|
|
4
|
+
data.tar.gz: 463ab018b652877c3dcd0ad4b9c5dfae3c17ad3c0d90b48b97d076a2d92cb946
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cf6fe14a282f4dfe099643be4f34cac8ea6646db4017edad82bcaa44078611f3c3a17945c83079f30be804ae022dc8f66c123cb993d22cb31e262e49a05cce8e
|
|
7
|
+
data.tar.gz: '088d17868e17675ad2ab7baea66aba02c07905a912b2fefb51ec306299d48da5cdba325ff022e7eedf7e0ee27c09721de1c9070da233fa6353169762900b1cf1'
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,18 @@
|
|
|
1
1
|
Unreleased Changes
|
|
2
2
|
------------------
|
|
3
3
|
|
|
4
|
+
3.172.0 (2023-05-08)
|
|
5
|
+
------------------
|
|
6
|
+
|
|
7
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
|
8
|
+
|
|
9
|
+
* Feature - Add :region option to `Aws::Log::Formatter`.
|
|
10
|
+
|
|
11
|
+
3.171.1 (2023-05-04)
|
|
12
|
+
------------------
|
|
13
|
+
|
|
14
|
+
* Issue - Fix error code parsing in AWS query compatible JSON services.
|
|
15
|
+
|
|
4
16
|
3.171.0 (2023-03-22)
|
|
5
17
|
------------------
|
|
6
18
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
3.
|
|
1
|
+
3.172.0
|
|
@@ -26,11 +26,13 @@ module Aws
|
|
|
26
26
|
end
|
|
27
27
|
|
|
28
28
|
def error_code(json, context)
|
|
29
|
-
code =
|
|
30
|
-
context
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
29
|
+
code =
|
|
30
|
+
if aws_query_error?(context)
|
|
31
|
+
error = context.http_response.headers['x-amzn-query-error'].split(';')[0]
|
|
32
|
+
remove_prefix(error, context)
|
|
33
|
+
else
|
|
34
|
+
json['__type']
|
|
35
|
+
end
|
|
34
36
|
code ||= json['code']
|
|
35
37
|
code ||= context.http_response.headers['x-amzn-errortype']
|
|
36
38
|
if code
|
|
@@ -45,6 +47,14 @@ module Aws
|
|
|
45
47
|
context.http_response.headers['x-amzn-query-error']
|
|
46
48
|
end
|
|
47
49
|
|
|
50
|
+
def remove_prefix(error_code, context)
|
|
51
|
+
if prefix = context.config.api.metadata['errorPrefix']
|
|
52
|
+
error_code.sub(/^#{prefix}/, '')
|
|
53
|
+
else
|
|
54
|
+
error_code
|
|
55
|
+
end
|
|
56
|
+
end
|
|
57
|
+
|
|
48
58
|
def error_message(code, json)
|
|
49
59
|
if code == 'RequestEntityTooLarge'
|
|
50
60
|
'Request body must be less than 1 MB'
|
|
@@ -26,6 +26,8 @@ module Aws
|
|
|
26
26
|
#
|
|
27
27
|
# You can put any of these placeholders into you pattern.
|
|
28
28
|
#
|
|
29
|
+
# * `:region` - The region configured for the client.
|
|
30
|
+
#
|
|
29
31
|
# * `:client_class` - The name of the client class.
|
|
30
32
|
#
|
|
31
33
|
# * `:operation` - The name of the client request method.
|
|
@@ -116,6 +118,10 @@ module Aws
|
|
|
116
118
|
|
|
117
119
|
private
|
|
118
120
|
|
|
121
|
+
def _region(response)
|
|
122
|
+
response.context.config.region
|
|
123
|
+
end
|
|
124
|
+
|
|
119
125
|
def _client_class(response)
|
|
120
126
|
response.context.client.class.name
|
|
121
127
|
end
|
data/lib/aws-sdk-sso/client.rb
CHANGED
data/lib/aws-sdk-sso.rb
CHANGED
data/lib/aws-sdk-ssooidc.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
|
@@ -406,10 +406,11 @@ module Aws::STS
|
|
|
406
406
|
# identity-based policy of the role that is being assumed. For more
|
|
407
407
|
# information, see [Session Policies][3] in the *IAM User Guide*.
|
|
408
408
|
#
|
|
409
|
-
# When you create a role, you create two policies:
|
|
410
|
-
# that specifies *who* can assume the role and a permissions policy
|
|
411
|
-
# specifies *what* can be done with the role. You specify the
|
|
412
|
-
# principal
|
|
409
|
+
# When you create a role, you create two policies: a role trust policy
|
|
410
|
+
# that specifies *who* can assume the role, and a permissions policy
|
|
411
|
+
# that specifies *what* can be done with the role. You specify the
|
|
412
|
+
# trusted principal that is allowed to assume the role in the role trust
|
|
413
|
+
# policy.
|
|
413
414
|
#
|
|
414
415
|
# To assume a role from a different account, your Amazon Web Services
|
|
415
416
|
# account must be trusted by the role. The trust relationship is defined
|
|
@@ -418,10 +419,9 @@ module Aws::STS
|
|
|
418
419
|
# users in the account.
|
|
419
420
|
#
|
|
420
421
|
# A user who wants to access a role in a different account must also
|
|
421
|
-
# have permissions that are delegated from the
|
|
422
|
-
#
|
|
423
|
-
#
|
|
424
|
-
# account.
|
|
422
|
+
# have permissions that are delegated from the account administrator.
|
|
423
|
+
# The administrator must attach a policy that allows the user to call
|
|
424
|
+
# `AssumeRole` for the ARN of the role in the other account.
|
|
425
425
|
#
|
|
426
426
|
# To allow a user to assume a role in the same account, you can do
|
|
427
427
|
# either of the following:
|
|
@@ -1206,10 +1206,8 @@ module Aws::STS
|
|
|
1206
1206
|
# the user with a consistent identity throughout the lifetime of an
|
|
1207
1207
|
# application.
|
|
1208
1208
|
#
|
|
1209
|
-
# To learn more about Amazon Cognito, see [Amazon Cognito
|
|
1210
|
-
# in *Amazon
|
|
1211
|
-
# Cognito Overview][5] in the *Amazon Web Services SDK for iOS Developer
|
|
1212
|
-
# Guide*.
|
|
1209
|
+
# To learn more about Amazon Cognito, see [Amazon Cognito identity
|
|
1210
|
+
# pools][1] in *Amazon Cognito Developer Guide*.
|
|
1213
1211
|
#
|
|
1214
1212
|
# </note>
|
|
1215
1213
|
#
|
|
@@ -1223,8 +1221,8 @@ module Aws::STS
|
|
|
1223
1221
|
# a token from the web identity provider. For a comparison of
|
|
1224
1222
|
# `AssumeRoleWithWebIdentity` with the other API operations that produce
|
|
1225
1223
|
# temporary credentials, see [Requesting Temporary Security
|
|
1226
|
-
# Credentials][
|
|
1227
|
-
# operations][
|
|
1224
|
+
# Credentials][4] and [Comparing the Amazon Web Services STS API
|
|
1225
|
+
# operations][5] in the *IAM User Guide*.
|
|
1228
1226
|
#
|
|
1229
1227
|
# The temporary security credentials returned by this API consist of an
|
|
1230
1228
|
# access key ID, a secret access key, and a security token. Applications
|
|
@@ -1240,11 +1238,11 @@ module Aws::STS
|
|
|
1240
1238
|
# to the maximum session duration setting for the role. This setting can
|
|
1241
1239
|
# have a value from 1 hour to 12 hours. To learn how to view the maximum
|
|
1242
1240
|
# value for your role, see [View the Maximum Session Duration Setting
|
|
1243
|
-
# for a Role][
|
|
1241
|
+
# for a Role][6] in the *IAM User Guide*. The maximum session duration
|
|
1244
1242
|
# limit applies when you use the `AssumeRole*` API operations or the
|
|
1245
1243
|
# `assume-role*` CLI commands. However the limit does not apply when you
|
|
1246
1244
|
# use those operations to create a console URL. For more information,
|
|
1247
|
-
# see [Using IAM Roles][
|
|
1245
|
+
# see [Using IAM Roles][7] in the *IAM User Guide*.
|
|
1248
1246
|
#
|
|
1249
1247
|
# **Permissions**
|
|
1250
1248
|
#
|
|
@@ -1253,7 +1251,7 @@ module Aws::STS
|
|
|
1253
1251
|
# Amazon Web Services service with the following exception: you cannot
|
|
1254
1252
|
# call the STS `GetFederationToken` or `GetSessionToken` API operations.
|
|
1255
1253
|
#
|
|
1256
|
-
# (Optional) You can pass inline or managed [session policies][
|
|
1254
|
+
# (Optional) You can pass inline or managed [session policies][8] to
|
|
1257
1255
|
# this operation. You can pass a single JSON policy document to use as
|
|
1258
1256
|
# an inline session policy. You can also specify up to 10 managed policy
|
|
1259
1257
|
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
|
@@ -1266,19 +1264,19 @@ module Aws::STS
|
|
|
1266
1264
|
# resources in the account that owns the role. You cannot use session
|
|
1267
1265
|
# policies to grant more permissions than those allowed by the
|
|
1268
1266
|
# identity-based policy of the role that is being assumed. For more
|
|
1269
|
-
# information, see [Session Policies][
|
|
1267
|
+
# information, see [Session Policies][8] in the *IAM User Guide*.
|
|
1270
1268
|
#
|
|
1271
1269
|
# **Tags**
|
|
1272
1270
|
#
|
|
1273
1271
|
# (Optional) You can configure your IdP to pass attributes into your web
|
|
1274
1272
|
# identity token as session tags. Each session tag consists of a key
|
|
1275
1273
|
# name and an associated value. For more information about session tags,
|
|
1276
|
-
# see [Passing Session Tags in STS][
|
|
1274
|
+
# see [Passing Session Tags in STS][9] in the *IAM User Guide*.
|
|
1277
1275
|
#
|
|
1278
1276
|
# You can pass up to 50 session tags. The plaintext session tag keys
|
|
1279
1277
|
# can’t exceed 128 characters and the values can’t exceed 256
|
|
1280
1278
|
# characters. For these and additional limits, see [IAM and STS
|
|
1281
|
-
# Character Limits][
|
|
1279
|
+
# Character Limits][10] in the *IAM User Guide*.
|
|
1282
1280
|
#
|
|
1283
1281
|
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
|
1284
1282
|
# policy, managed policy ARNs, and session tags into a packed binary
|
|
@@ -1296,12 +1294,12 @@ module Aws::STS
|
|
|
1296
1294
|
# An administrator must grant you the permissions necessary to pass
|
|
1297
1295
|
# session tags. The administrator can also create granular permissions
|
|
1298
1296
|
# to allow you to pass only specific session tags. For more information,
|
|
1299
|
-
# see [Tutorial: Using Tags for Attribute-Based Access Control][
|
|
1297
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][11] in
|
|
1300
1298
|
# the *IAM User Guide*.
|
|
1301
1299
|
#
|
|
1302
1300
|
# You can set the session tags as transitive. Transitive tags persist
|
|
1303
1301
|
# during role chaining. For more information, see [Chaining Roles with
|
|
1304
|
-
# Session Tags][
|
|
1302
|
+
# Session Tags][12] in the *IAM User Guide*.
|
|
1305
1303
|
#
|
|
1306
1304
|
# **Identities**
|
|
1307
1305
|
#
|
|
@@ -1313,19 +1311,19 @@ module Aws::STS
|
|
|
1313
1311
|
# specified in the role's trust policy.
|
|
1314
1312
|
#
|
|
1315
1313
|
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your
|
|
1316
|
-
# CloudTrail logs. The entry includes the [Subject][
|
|
1314
|
+
# CloudTrail logs. The entry includes the [Subject][13] of the provided
|
|
1317
1315
|
# web identity token. We recommend that you avoid using any personally
|
|
1318
1316
|
# identifiable information (PII) in this field. For example, you could
|
|
1319
1317
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
|
1320
|
-
# specification][
|
|
1318
|
+
# specification][14].
|
|
1321
1319
|
#
|
|
1322
1320
|
# For more information about how to use web identity federation and the
|
|
1323
1321
|
# `AssumeRoleWithWebIdentity` API, see the following resources:
|
|
1324
1322
|
#
|
|
1325
|
-
# * [Using Web Identity Federation API Operations for Mobile Apps][
|
|
1326
|
-
# and [Federation Through a Web-based Identity Provider][
|
|
1323
|
+
# * [Using Web Identity Federation API Operations for Mobile Apps][15]
|
|
1324
|
+
# and [Federation Through a Web-based Identity Provider][16].
|
|
1327
1325
|
#
|
|
1328
|
-
# * [ Web Identity Federation Playground][
|
|
1326
|
+
# * [ Web Identity Federation Playground][17]. Walk through the process
|
|
1329
1327
|
# of authenticating through Login with Amazon, Facebook, or Google,
|
|
1330
1328
|
# getting temporary security credentials, and then using those
|
|
1331
1329
|
# credentials to make a request to Amazon Web Services.
|
|
@@ -1336,7 +1334,7 @@ module Aws::STS
|
|
|
1336
1334
|
# toolkits then show how to use the information from these providers
|
|
1337
1335
|
# to get and use temporary security credentials.
|
|
1338
1336
|
#
|
|
1339
|
-
# * [Web Identity Federation with Mobile Applications][
|
|
1337
|
+
# * [Web Identity Federation with Mobile Applications][18]. This article
|
|
1340
1338
|
# discusses web identity federation and shows an example of how to use
|
|
1341
1339
|
# web identity federation to get access to content in Amazon S3.
|
|
1342
1340
|
#
|
|
@@ -1345,23 +1343,21 @@ module Aws::STS
|
|
|
1345
1343
|
# [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
|
|
1346
1344
|
# [2]: http://aws.amazon.com/sdkforios/
|
|
1347
1345
|
# [3]: http://aws.amazon.com/sdkforandroid/
|
|
1348
|
-
# [4]: https://docs.aws.amazon.com/
|
|
1349
|
-
# [5]: https://docs.aws.amazon.com/
|
|
1350
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1351
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1352
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1353
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1354
|
-
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1355
|
-
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1356
|
-
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1357
|
-
# [13]:
|
|
1358
|
-
# [14]:
|
|
1359
|
-
# [15]:
|
|
1360
|
-
# [16]:
|
|
1361
|
-
# [17]: https://
|
|
1362
|
-
# [18]:
|
|
1363
|
-
# [19]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
|
|
1364
|
-
# [20]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
|
1346
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
1347
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
1348
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
|
1349
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
|
1350
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
1351
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
|
1352
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
|
1353
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
|
1354
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
|
1355
|
+
# [13]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
|
|
1356
|
+
# [14]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
|
1357
|
+
# [15]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
|
|
1358
|
+
# [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
|
1359
|
+
# [17]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
|
|
1360
|
+
# [18]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
|
1365
1361
|
#
|
|
1366
1362
|
# @option params [required, String] :role_arn
|
|
1367
1363
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
|
@@ -1720,11 +1716,11 @@ module Aws::STS
|
|
|
1720
1716
|
# to call the operation.
|
|
1721
1717
|
#
|
|
1722
1718
|
# <note markdown="1"> No permissions are required to perform this operation. If an
|
|
1723
|
-
# administrator
|
|
1719
|
+
# administrator attaches a policy to your identity that explicitly
|
|
1724
1720
|
# denies access to the `sts:GetCallerIdentity` action, you can still
|
|
1725
1721
|
# perform this operation. Permissions are not required because the same
|
|
1726
|
-
# information is returned when
|
|
1727
|
-
#
|
|
1722
|
+
# information is returned when access is denied. To view an example
|
|
1723
|
+
# response, see [I Am Not Authorized to Perform:
|
|
1728
1724
|
# iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
|
|
1729
1725
|
#
|
|
1730
1726
|
# </note>
|
|
@@ -1801,43 +1797,43 @@ module Aws::STS
|
|
|
1801
1797
|
end
|
|
1802
1798
|
|
|
1803
1799
|
# Returns a set of temporary security credentials (consisting of an
|
|
1804
|
-
# access key ID, a secret access key, and a security token) for a
|
|
1805
|
-
#
|
|
1806
|
-
#
|
|
1807
|
-
#
|
|
1808
|
-
#
|
|
1809
|
-
#
|
|
1810
|
-
#
|
|
1811
|
-
#
|
|
1812
|
-
#
|
|
1800
|
+
# access key ID, a secret access key, and a security token) for a user.
|
|
1801
|
+
# A typical use is in a proxy application that gets temporary security
|
|
1802
|
+
# credentials on behalf of distributed applications inside a corporate
|
|
1803
|
+
# network.
|
|
1804
|
+
#
|
|
1805
|
+
# You must call the `GetFederationToken` operation using the long-term
|
|
1806
|
+
# security credentials of an IAM user. As a result, this call is
|
|
1807
|
+
# appropriate in contexts where those credentials can be safeguarded,
|
|
1808
|
+
# usually in a server-based application. For a comparison of
|
|
1809
|
+
# `GetFederationToken` with the other API operations that produce
|
|
1810
|
+
# temporary credentials, see [Requesting Temporary Security
|
|
1813
1811
|
# Credentials][1] and [Comparing the Amazon Web Services STS API
|
|
1814
1812
|
# operations][2] in the *IAM User Guide*.
|
|
1815
1813
|
#
|
|
1814
|
+
# Although it is possible to call `GetFederationToken` using the
|
|
1815
|
+
# security credentials of an Amazon Web Services account root user
|
|
1816
|
+
# rather than an IAM user that you create for the purpose of a proxy
|
|
1817
|
+
# application, we do not recommend it. For more information, see
|
|
1818
|
+
# [Safeguard your root user credentials and don't use them for everyday
|
|
1819
|
+
# tasks][3] in the *IAM User Guide*.
|
|
1820
|
+
#
|
|
1816
1821
|
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
|
1817
1822
|
# authenticate users using a web identity provider like Login with
|
|
1818
1823
|
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
|
1819
|
-
# provider. In this case, we recommend that you use [Amazon Cognito][
|
|
1824
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][4]
|
|
1820
1825
|
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
|
1821
|
-
# Through a Web-based Identity Provider][
|
|
1826
|
+
# Through a Web-based Identity Provider][5] in the *IAM User Guide*.
|
|
1822
1827
|
#
|
|
1823
1828
|
# </note>
|
|
1824
1829
|
#
|
|
1825
|
-
# You can also call `GetFederationToken` using the security credentials
|
|
1826
|
-
# of an Amazon Web Services account root user, but we do not recommend
|
|
1827
|
-
# it. Instead, we recommend that you create an IAM user for the purpose
|
|
1828
|
-
# of the proxy application. Then attach a policy to the IAM user that
|
|
1829
|
-
# limits federated users to only the actions and resources that they
|
|
1830
|
-
# need to access. For more information, see [IAM Best Practices][5] in
|
|
1831
|
-
# the *IAM User Guide*.
|
|
1832
|
-
#
|
|
1833
1830
|
# **Session duration**
|
|
1834
1831
|
#
|
|
1835
1832
|
# The temporary credentials are valid for the specified duration, from
|
|
1836
1833
|
# 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
|
|
1837
1834
|
# hours). The default session duration is 43,200 seconds (12 hours).
|
|
1838
|
-
# Temporary credentials obtained by using the
|
|
1839
|
-
#
|
|
1840
|
-
# (1 hour).
|
|
1835
|
+
# Temporary credentials obtained by using the root user credentials have
|
|
1836
|
+
# a maximum duration of 3,600 seconds (1 hour).
|
|
1841
1837
|
#
|
|
1842
1838
|
# **Permissions**
|
|
1843
1839
|
#
|
|
@@ -1887,9 +1883,9 @@ module Aws::STS
|
|
|
1887
1883
|
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
|
1888
1884
|
# authenticate users using a web identity provider like Login with
|
|
1889
1885
|
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
|
1890
|
-
# provider. In this case, we recommend that you use [Amazon Cognito][
|
|
1886
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][4]
|
|
1891
1887
|
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
|
1892
|
-
# Through a Web-based Identity Provider][
|
|
1888
|
+
# Through a Web-based Identity Provider][5] in the *IAM User Guide*.
|
|
1893
1889
|
#
|
|
1894
1890
|
# </note>
|
|
1895
1891
|
#
|
|
@@ -1911,9 +1907,9 @@ module Aws::STS
|
|
|
1911
1907
|
#
|
|
1912
1908
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
1913
1909
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
1914
|
-
# [3]:
|
|
1915
|
-
# [4]:
|
|
1916
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
1910
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
|
|
1911
|
+
# [4]: http://aws.amazon.com/cognito/
|
|
1912
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
|
1917
1913
|
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
1918
1914
|
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
|
|
1919
1915
|
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
|
@@ -2030,10 +2026,10 @@ module Aws::STS
|
|
|
2030
2026
|
# The duration, in seconds, that the session should last. Acceptable
|
|
2031
2027
|
# durations for federation sessions range from 900 seconds (15 minutes)
|
|
2032
2028
|
# to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
|
|
2033
|
-
# default. Sessions obtained using
|
|
2034
|
-
#
|
|
2035
|
-
#
|
|
2036
|
-
#
|
|
2029
|
+
# default. Sessions obtained using root user credentials are restricted
|
|
2030
|
+
# to a maximum of 3,600 seconds (one hour). If the specified duration is
|
|
2031
|
+
# longer than one hour, the session obtained by using root user
|
|
2032
|
+
# credentials defaults to one hour.
|
|
2037
2033
|
#
|
|
2038
2034
|
# @option params [Array<Types::Tag>] :tags
|
|
2039
2035
|
# A list of session tags. Each session tag consists of a key name and an
|
|
@@ -2153,14 +2149,15 @@ module Aws::STS
|
|
|
2153
2149
|
# secret access key, and a security token. Typically, you use
|
|
2154
2150
|
# `GetSessionToken` if you want to use MFA to protect programmatic calls
|
|
2155
2151
|
# to specific Amazon Web Services API operations like Amazon EC2
|
|
2156
|
-
# `StopInstances`.
|
|
2157
|
-
#
|
|
2158
|
-
# MFA
|
|
2159
|
-
#
|
|
2160
|
-
#
|
|
2161
|
-
#
|
|
2162
|
-
#
|
|
2163
|
-
#
|
|
2152
|
+
# `StopInstances`.
|
|
2153
|
+
#
|
|
2154
|
+
# MFA-enabled IAM users must call `GetSessionToken` and submit an MFA
|
|
2155
|
+
# code that is associated with their MFA device. Using the temporary
|
|
2156
|
+
# security credentials that the call returns, IAM users can then make
|
|
2157
|
+
# programmatic calls to API operations that require MFA authentication.
|
|
2158
|
+
# An incorrect MFA code causes the API to return an access denied error.
|
|
2159
|
+
# For a comparison of `GetSessionToken` with the other API operations
|
|
2160
|
+
# that produce temporary credentials, see [Requesting Temporary Security
|
|
2164
2161
|
# Credentials][1] and [Comparing the Amazon Web Services STS API
|
|
2165
2162
|
# operations][2] in the *IAM User Guide*.
|
|
2166
2163
|
#
|
|
@@ -2175,13 +2172,13 @@ module Aws::STS
|
|
|
2175
2172
|
# **Session Duration**
|
|
2176
2173
|
#
|
|
2177
2174
|
# The `GetSessionToken` operation must be called by using the long-term
|
|
2178
|
-
# Amazon Web Services security credentials of
|
|
2179
|
-
#
|
|
2180
|
-
#
|
|
2181
|
-
#
|
|
2182
|
-
# (
|
|
2183
|
-
#
|
|
2184
|
-
#
|
|
2175
|
+
# Amazon Web Services security credentials of an IAM user. Credentials
|
|
2176
|
+
# that are created by IAM users are valid for the duration that you
|
|
2177
|
+
# specify. This duration can range from 900 seconds (15 minutes) up to a
|
|
2178
|
+
# maximum of 129,600 seconds (36 hours), with a default of 43,200
|
|
2179
|
+
# seconds (12 hours). Credentials based on account credentials can range
|
|
2180
|
+
# from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
|
|
2181
|
+
# default of 1 hour.
|
|
2185
2182
|
#
|
|
2186
2183
|
# **Permissions**
|
|
2187
2184
|
#
|
|
@@ -2195,24 +2192,23 @@ module Aws::STS
|
|
|
2195
2192
|
# * You cannot call any STS API *except* `AssumeRole` or
|
|
2196
2193
|
# `GetCallerIdentity`.
|
|
2197
2194
|
#
|
|
2198
|
-
#
|
|
2199
|
-
#
|
|
2200
|
-
#
|
|
2201
|
-
#
|
|
2202
|
-
# with Amazon Web Services.
|
|
2195
|
+
# The credentials that `GetSessionToken` returns are based on
|
|
2196
|
+
# permissions associated with the IAM user whose credentials were used
|
|
2197
|
+
# to call the operation. The temporary credentials have the same
|
|
2198
|
+
# permissions as the IAM user.
|
|
2203
2199
|
#
|
|
2204
|
-
#
|
|
2200
|
+
# <note markdown="1"> Although it is possible to call `GetSessionToken` using the security
|
|
2201
|
+
# credentials of an Amazon Web Services account root user rather than an
|
|
2202
|
+
# IAM user, we do not recommend it. If `GetSessionToken` is called using
|
|
2203
|
+
# root user credentials, the temporary credentials have root user
|
|
2204
|
+
# permissions. For more information, see [Safeguard your root user
|
|
2205
|
+
# credentials and don't use them for everyday tasks][4] in the *IAM
|
|
2206
|
+
# User Guide*
|
|
2205
2207
|
#
|
|
2206
|
-
#
|
|
2207
|
-
# permissions associated with the user whose credentials were used to
|
|
2208
|
-
# call the operation. If `GetSessionToken` is called using Amazon Web
|
|
2209
|
-
# Services account root user credentials, the temporary credentials have
|
|
2210
|
-
# root user permissions. Similarly, if `GetSessionToken` is called using
|
|
2211
|
-
# the credentials of an IAM user, the temporary credentials have the
|
|
2212
|
-
# same permissions as the IAM user.
|
|
2208
|
+
# </note>
|
|
2213
2209
|
#
|
|
2214
2210
|
# For more information about using `GetSessionToken` to create temporary
|
|
2215
|
-
# credentials,
|
|
2211
|
+
# credentials, see [Temporary Credentials for Users in Untrusted
|
|
2216
2212
|
# Environments][5] in the *IAM User Guide*.
|
|
2217
2213
|
#
|
|
2218
2214
|
#
|
|
@@ -2220,7 +2216,7 @@ module Aws::STS
|
|
|
2220
2216
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
2221
2217
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
2222
2218
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
|
|
2223
|
-
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#
|
|
2219
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
|
|
2224
2220
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
|
|
2225
2221
|
#
|
|
2226
2222
|
# @option params [Integer] :duration_seconds
|
|
@@ -2318,7 +2314,7 @@ module Aws::STS
|
|
|
2318
2314
|
params: params,
|
|
2319
2315
|
config: config)
|
|
2320
2316
|
context[:gem_name] = 'aws-sdk-core'
|
|
2321
|
-
context[:gem_version] = '3.
|
|
2317
|
+
context[:gem_version] = '3.172.0'
|
|
2322
2318
|
Seahorse::Client::Request.new(handlers, context)
|
|
2323
2319
|
end
|
|
2324
2320
|
|
|
@@ -15,93 +15,96 @@ module Aws::STS
|
|
|
15
15
|
use_fips = parameters.use_fips
|
|
16
16
|
endpoint = parameters.endpoint
|
|
17
17
|
use_global_endpoint = parameters.use_global_endpoint
|
|
18
|
-
if (partition_result = Aws::Endpoints::Matchers.aws_partition(region))
|
|
19
|
-
if Aws::Endpoints::Matchers.
|
|
20
|
-
|
|
21
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
22
|
-
end
|
|
23
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "ap-south-1")
|
|
24
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
25
|
-
end
|
|
26
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "ap-southeast-1")
|
|
27
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
28
|
-
end
|
|
29
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "ap-southeast-2")
|
|
30
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
31
|
-
end
|
|
32
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "aws-global")
|
|
33
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
34
|
-
end
|
|
35
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "ca-central-1")
|
|
36
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
37
|
-
end
|
|
38
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "eu-central-1")
|
|
39
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
40
|
-
end
|
|
41
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "eu-north-1")
|
|
42
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
43
|
-
end
|
|
44
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-1")
|
|
45
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
46
|
-
end
|
|
47
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-2")
|
|
48
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
49
|
-
end
|
|
50
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-3")
|
|
51
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
52
|
-
end
|
|
53
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "sa-east-1")
|
|
54
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
55
|
-
end
|
|
56
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "us-east-1")
|
|
57
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
58
|
-
end
|
|
59
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "us-east-2")
|
|
60
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
61
|
-
end
|
|
62
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "us-west-1")
|
|
63
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
64
|
-
end
|
|
65
|
-
if Aws::Endpoints::Matchers.string_equals?(region, "us-west-2")
|
|
66
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"us-east-1", "signingName"=>"sts"}]})
|
|
67
|
-
end
|
|
68
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingRegion"=>"#{region}", "signingName"=>"sts"}]})
|
|
18
|
+
if Aws::Endpoints::Matchers.boolean_equals?(use_global_endpoint, true) && Aws::Endpoints::Matchers.not(Aws::Endpoints::Matchers.set?(endpoint)) && Aws::Endpoints::Matchers.set?(region) && (partition_result = Aws::Endpoints::Matchers.aws_partition(region)) && Aws::Endpoints::Matchers.boolean_equals?(use_fips, false) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, false)
|
|
19
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "ap-northeast-1")
|
|
20
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
69
21
|
end
|
|
70
|
-
if Aws::Endpoints::Matchers.
|
|
71
|
-
|
|
72
|
-
raise ArgumentError, "Invalid Configuration: FIPS and custom endpoint are not supported"
|
|
73
|
-
end
|
|
74
|
-
if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
|
|
75
|
-
raise ArgumentError, "Invalid Configuration: Dualstack and custom endpoint are not supported"
|
|
76
|
-
end
|
|
77
|
-
return Aws::Endpoints::Endpoint.new(url: endpoint, headers: {}, properties: {})
|
|
22
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "ap-south-1")
|
|
23
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
78
24
|
end
|
|
79
|
-
if Aws::Endpoints::Matchers.
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
25
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "ap-southeast-1")
|
|
26
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
27
|
+
end
|
|
28
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "ap-southeast-2")
|
|
29
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
30
|
+
end
|
|
31
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "aws-global")
|
|
32
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
33
|
+
end
|
|
34
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "ca-central-1")
|
|
35
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
84
36
|
end
|
|
37
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "eu-central-1")
|
|
38
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
39
|
+
end
|
|
40
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "eu-north-1")
|
|
41
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
42
|
+
end
|
|
43
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-1")
|
|
44
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
45
|
+
end
|
|
46
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-2")
|
|
47
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
48
|
+
end
|
|
49
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-3")
|
|
50
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
51
|
+
end
|
|
52
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "sa-east-1")
|
|
53
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
54
|
+
end
|
|
55
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "us-east-1")
|
|
56
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
57
|
+
end
|
|
58
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "us-east-2")
|
|
59
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
60
|
+
end
|
|
61
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "us-west-1")
|
|
62
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
63
|
+
end
|
|
64
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "us-west-2")
|
|
65
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
66
|
+
end
|
|
67
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"#{region}"}]})
|
|
68
|
+
end
|
|
69
|
+
if Aws::Endpoints::Matchers.set?(endpoint)
|
|
85
70
|
if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
|
|
86
|
-
|
|
87
|
-
if Aws::Endpoints::Matchers.string_equals?("aws-us-gov", Aws::Endpoints::Matchers.attr(partition_result, "name"))
|
|
88
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
|
|
89
|
-
end
|
|
90
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
|
|
91
|
-
end
|
|
92
|
-
raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"
|
|
71
|
+
raise ArgumentError, "Invalid Configuration: FIPS and custom endpoint are not supported"
|
|
93
72
|
end
|
|
94
73
|
if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
|
|
95
|
-
|
|
96
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
|
|
97
|
-
end
|
|
98
|
-
raise ArgumentError, "DualStack is enabled but this partition does not support DualStack"
|
|
74
|
+
raise ArgumentError, "Invalid Configuration: Dualstack and custom endpoint are not supported"
|
|
99
75
|
end
|
|
100
|
-
|
|
101
|
-
|
|
76
|
+
return Aws::Endpoints::Endpoint.new(url: endpoint, headers: {}, properties: {})
|
|
77
|
+
end
|
|
78
|
+
if Aws::Endpoints::Matchers.set?(region)
|
|
79
|
+
if (partition_result = Aws::Endpoints::Matchers.aws_partition(region))
|
|
80
|
+
if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
|
|
81
|
+
if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS")) && Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
|
|
82
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts-fips.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
|
|
83
|
+
end
|
|
84
|
+
raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
|
|
85
|
+
end
|
|
86
|
+
if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
|
|
87
|
+
if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
|
|
88
|
+
if Aws::Endpoints::Matchers.string_equals?("aws-us-gov", Aws::Endpoints::Matchers.attr(partition_result, "name"))
|
|
89
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.amazonaws.com", headers: {}, properties: {})
|
|
90
|
+
end
|
|
91
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
|
|
92
|
+
end
|
|
93
|
+
raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"
|
|
94
|
+
end
|
|
95
|
+
if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
|
|
96
|
+
if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
|
|
97
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
|
|
98
|
+
end
|
|
99
|
+
raise ArgumentError, "DualStack is enabled but this partition does not support DualStack"
|
|
100
|
+
end
|
|
101
|
+
if Aws::Endpoints::Matchers.string_equals?(region, "aws-global")
|
|
102
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.amazonaws.com", headers: {}, properties: {"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"sts", "signingRegion"=>"us-east-1"}]})
|
|
103
|
+
end
|
|
104
|
+
return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
|
|
102
105
|
end
|
|
103
|
-
return Aws::Endpoints::Endpoint.new(url: "https://sts.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
|
|
104
106
|
end
|
|
107
|
+
raise ArgumentError, "Invalid Configuration: Missing Region"
|
|
105
108
|
raise ArgumentError, 'No endpoint could be resolved'
|
|
106
109
|
|
|
107
110
|
end
|
data/lib/aws-sdk-sts/types.rb
CHANGED
|
@@ -576,7 +576,7 @@ module Aws::STS
|
|
|
576
576
|
# in IAM.
|
|
577
577
|
#
|
|
578
578
|
# The combination of `NameQualifier` and `Subject` can be used to
|
|
579
|
-
# uniquely identify a
|
|
579
|
+
# uniquely identify a user.
|
|
580
580
|
#
|
|
581
581
|
# The following pseudocode shows how the hash value is calculated:
|
|
582
582
|
#
|
|
@@ -1200,11 +1200,10 @@ module Aws::STS
|
|
|
1200
1200
|
# The duration, in seconds, that the session should last. Acceptable
|
|
1201
1201
|
# durations for federation sessions range from 900 seconds (15
|
|
1202
1202
|
# minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
|
|
1203
|
-
# hours) as the default. Sessions obtained using
|
|
1204
|
-
#
|
|
1205
|
-
#
|
|
1206
|
-
#
|
|
1207
|
-
# to one hour.
|
|
1203
|
+
# hours) as the default. Sessions obtained using root user credentials
|
|
1204
|
+
# are restricted to a maximum of 3,600 seconds (one hour). If the
|
|
1205
|
+
# specified duration is longer than one hour, the session obtained by
|
|
1206
|
+
# using root user credentials defaults to one hour.
|
|
1208
1207
|
# @return [Integer]
|
|
1209
1208
|
#
|
|
1210
1209
|
# @!attribute [rw] tags
|
data/lib/aws-sdk-sts.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sdk-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.172.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-05-08 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: jmespath
|