aws-sdk-core 3.171.0 → 3.186.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +155 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +4 -4
- data/lib/aws-sdk-core/credential_provider.rb +3 -0
- data/lib/aws-sdk-core/endpoints/matchers.rb +13 -9
- data/lib/aws-sdk-core/endpoints.rb +5 -1
- data/lib/aws-sdk-core/errors.rb +1 -1
- data/lib/aws-sdk-core/ini_parser.rb +7 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +52 -30
- data/lib/aws-sdk-core/json/error_handler.rb +15 -5
- data/lib/aws-sdk-core/json/parser.rb +1 -1
- data/lib/aws-sdk-core/log/formatter.rb +6 -0
- data/lib/aws-sdk-core/pageable_response.rb +3 -1
- data/lib/aws-sdk-core/param_validator.rb +2 -2
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +1 -1
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +109 -33
- data/lib/aws-sdk-core/plugins/request_compression.rb +217 -0
- data/lib/aws-sdk-core/plugins/sign.rb +1 -0
- data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
- data/lib/aws-sdk-core/refreshing_credentials.rb +0 -6
- data/lib/aws-sdk-core/rest/request/querystring_builder.rb +43 -29
- data/lib/aws-sdk-core/shared_config.rb +47 -18
- data/lib/aws-sdk-core/sso_credentials.rb +1 -1
- data/lib/aws-sdk-core/stubbing/stub_data.rb +11 -0
- data/lib/aws-sdk-core/waiters/poller.rb +3 -1
- data/lib/aws-sdk-sso/client.rb +21 -1
- data/lib/aws-sdk-sso/endpoint_provider.rb +30 -24
- data/lib/aws-sdk-sso/endpoints.rb +1 -0
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-ssooidc/client.rb +21 -1
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +30 -24
- data/lib/aws-sdk-ssooidc/endpoints.rb +1 -0
- data/lib/aws-sdk-ssooidc.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +138 -112
- data/lib/aws-sdk-sts/client_api.rb +12 -1
- data/lib/aws-sdk-sts/endpoint_provider.rb +81 -78
- data/lib/aws-sdk-sts/endpoints.rb +1 -0
- data/lib/aws-sdk-sts/types.rb +35 -11
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/seahorse/client/configuration.rb +0 -4
- data/lib/seahorse/client/plugins/request_callback.rb +31 -0
- data/lib/seahorse/client/response.rb +6 -0
- data/lib/seahorse/model/operation.rb +3 -0
- metadata +3 -2
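--- a/data/lib/aws-sdk-sts/client.rb
+++ b/data/lib/aws-sdk-sts/client.rb
@@ -28,6 +28,7 @@ require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
 require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/http_checksum.rb'
 require 'aws-sdk-core/plugins/checksum_algorithm.rb'
+require 'aws-sdk-core/plugins/request_compression.rb'
 require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/recursion_detection.rb'
 require 'aws-sdk-core/plugins/sign.rb'
@@ -78,6 +79,7 @@ module Aws::STS
 add_plugin(Aws::Plugins::TransferEncoding)
 add_plugin(Aws::Plugins::HttpChecksum)
 add_plugin(Aws::Plugins::ChecksumAlgorithm)
+add_plugin(Aws::Plugins::RequestCompression)
 add_plugin(Aws::Plugins::DefaultsMode)
 add_plugin(Aws::Plugins::RecursionDetection)
 add_plugin(Aws::Plugins::Sign)
@@ -192,6 +194,10 @@ module Aws::STS
 # Set to true to disable SDK automatically adding host prefix
 # to default service endpoint when available.
 #
+# @option options [Boolean] :disable_request_compression (false)
+# When set to 'true' the request body will not be compressed
+# for supported operations.
+#
 # @option options [String] :endpoint
 # The client endpoint is normally constructed from the `:region`
 # option. You should only configure an `:endpoint` when connecting
@@ -212,6 +218,10 @@ module Aws::STS
 # @option options [Boolean] :endpoint_discovery (false)
 # When set to `true`, endpoint discovery will be enabled for operations when available.
 #
+# @option options [Boolean] :ignore_configured_endpoint_urls
+# Setting to true disables use of endpoint URLs provided via environment
+# variables and the shared configuration file.
+#
 # @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
 # The log formatter.
 #
@@ -232,6 +242,11 @@ module Aws::STS
 # Used when loading credentials from the shared credentials file
 # at HOME/.aws/credentials. When not specified, 'default' is used.
 #
+# @option options [Integer] :request_min_compression_size_bytes (10240)
+# The minimum size in bytes that triggers compression for request
+# bodies. The value must be non-negative integer value between 0
+# and 10485780 bytes inclusive.
+#
 # @option options [Proc] :retry_backoff
 # A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
 # This option is only used in the `legacy` retry mode.
@@ -277,6 +292,11 @@ module Aws::STS
 # in the future.
 #
 #
+# @option options [String] :sdk_ua_app_id
+# A unique and opaque application ID that is appended to the
+# User-Agent header as app/<sdk_ua_app_id>. It should have a
+# maximum length of 50.
+#
 # @option options [String] :secret_access_key
 #
 # @option options [String] :session_token
@@ -406,10 +426,11 @@ module Aws::STS
 # identity-based policy of the role that is being assumed. For more
 # information, see [Session Policies][3] in the *IAM User Guide*.
 #
-# When you create a role, you create two policies:
-# that specifies *who* can assume the role and a permissions policy
-# specifies *what* can be done with the role. You specify the
-# principal
+# When you create a role, you create two policies: a role trust policy
+# that specifies *who* can assume the role, and a permissions policy
+# that specifies *what* can be done with the role. You specify the
+# trusted principal that is allowed to assume the role in the role trust
+# policy.
 #
 # To assume a role from a different account, your Amazon Web Services
 # account must be trusted by the role. The trust relationship is defined
@@ -418,10 +439,9 @@ module Aws::STS
 # users in the account.
 #
 # A user who wants to access a role in a different account must also
-# have permissions that are delegated from the
-#
-#
-# account.
+# have permissions that are delegated from the account administrator.
+# The administrator must attach a policy that allows the user to call
+# `AssumeRole` for the ARN of the role in the other account.
 #
 # To allow a user to assume a role in the same account, you can do
 # either of the following:
@@ -746,6 +766,9 @@ module Aws::STS
 #
 # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 #
+# @option params [Array<Types::ProvidedContext>] :provided_contexts
+# Reserved for future use.
+#
 # @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
 #
 # * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
@@ -806,7 +829,7 @@ module Aws::STS
 # arn: "arnType",
 # },
 # ],
-# policy: "
+# policy: "unrestrictedSessionPolicyDocumentType",
 # duration_seconds: 1,
 # tags: [
 # {
@@ -819,6 +842,12 @@ module Aws::STS
 # serial_number: "serialNumberType",
 # token_code: "tokenCodeType",
 # source_identity: "sourceIdentityType",
+# provided_contexts: [
+# {
+# provider_arn: "arnType",
+# context_assertion: "contextAssertionType",
+# },
+# ],
 # })
 #
 # @example Response structure
@@ -1206,10 +1235,8 @@ module Aws::STS
 # the user with a consistent identity throughout the lifetime of an
 # application.
 #
-# To learn more about Amazon Cognito, see [Amazon Cognito
-# in *Amazon
-# Cognito Overview][5] in the *Amazon Web Services SDK for iOS Developer
-# Guide*.
+# To learn more about Amazon Cognito, see [Amazon Cognito identity
+# pools][1] in *Amazon Cognito Developer Guide*.
 #
 # </note>
 #
@@ -1223,8 +1250,8 @@ module Aws::STS
 # a token from the web identity provider. For a comparison of
 # `AssumeRoleWithWebIdentity` with the other API operations that produce
 # temporary credentials, see [Requesting Temporary Security
-# Credentials][
-# operations][
+# Credentials][4] and [Comparing the Amazon Web Services STS API
+# operations][5] in the *IAM User Guide*.
 #
 # The temporary security credentials returned by this API consist of an
 # access key ID, a secret access key, and a security token. Applications
@@ -1240,11 +1267,11 @@ module Aws::STS
 # to the maximum session duration setting for the role. This setting can
 # have a value from 1 hour to 12 hours. To learn how to view the maximum
 # value for your role, see [View the Maximum Session Duration Setting
-# for a Role][
+# for a Role][6] in the *IAM User Guide*. The maximum session duration
 # limit applies when you use the `AssumeRole*` API operations or the
 # `assume-role*` CLI commands. However the limit does not apply when you
 # use those operations to create a console URL. For more information,
-# see [Using IAM Roles][
+# see [Using IAM Roles][7] in the *IAM User Guide*.
 #
 # **Permissions**
 #
@@ -1253,7 +1280,7 @@ module Aws::STS
 # Amazon Web Services service with the following exception: you cannot
 # call the STS `GetFederationToken` or `GetSessionToken` API operations.
 #
-# (Optional) You can pass inline or managed [session policies][
+# (Optional) You can pass inline or managed [session policies][8] to
 # this operation. You can pass a single JSON policy document to use as
 # an inline session policy. You can also specify up to 10 managed policy
 # Amazon Resource Names (ARNs) to use as managed session policies. The
@@ -1266,19 +1293,19 @@ module Aws::STS
 # resources in the account that owns the role. You cannot use session
 # policies to grant more permissions than those allowed by the
 # identity-based policy of the role that is being assumed. For more
-# information, see [Session Policies][
+# information, see [Session Policies][8] in the *IAM User Guide*.
 #
 # **Tags**
 #
 # (Optional) You can configure your IdP to pass attributes into your web
 # identity token as session tags. Each session tag consists of a key
 # name and an associated value. For more information about session tags,
-# see [Passing Session Tags in STS][
+# see [Passing Session Tags in STS][9] in the *IAM User Guide*.
 #
 # You can pass up to 50 session tags. The plaintext session tag keys
 # can’t exceed 128 characters and the values can’t exceed 256
 # characters. For these and additional limits, see [IAM and STS
-# Character Limits][
+# Character Limits][10] in the *IAM User Guide*.
 #
 # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
 # policy, managed policy ARNs, and session tags into a packed binary
@@ -1296,12 +1323,12 @@ module Aws::STS
 # An administrator must grant you the permissions necessary to pass
 # session tags. The administrator can also create granular permissions
 # to allow you to pass only specific session tags. For more information,
-# see [Tutorial: Using Tags for Attribute-Based Access Control][
+# see [Tutorial: Using Tags for Attribute-Based Access Control][11] in
 # the *IAM User Guide*.
 #
 # You can set the session tags as transitive. Transitive tags persist
 # during role chaining. For more information, see [Chaining Roles with
-# Session Tags][
+# Session Tags][12] in the *IAM User Guide*.
 #
 # **Identities**
 #
@@ -1313,19 +1340,19 @@ module Aws::STS
 # specified in the role's trust policy.
 #
 # Calling `AssumeRoleWithWebIdentity` can result in an entry in your
-# CloudTrail logs. The entry includes the [Subject][
+# CloudTrail logs. The entry includes the [Subject][13] of the provided
 # web identity token. We recommend that you avoid using any personally
 # identifiable information (PII) in this field. For example, you could
 # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
-# specification][
+# specification][14].
 #
 # For more information about how to use web identity federation and the
 # `AssumeRoleWithWebIdentity` API, see the following resources:
 #
-# * [Using Web Identity Federation API Operations for Mobile Apps][
-# and [Federation Through a Web-based Identity Provider][
+# * [Using Web Identity Federation API Operations for Mobile Apps][15]
+# and [Federation Through a Web-based Identity Provider][16].
 #
-# * [ Web Identity Federation Playground][
+# * [ Web Identity Federation Playground][17]. Walk through the process
 # of authenticating through Login with Amazon, Facebook, or Google,
 # getting temporary security credentials, and then using those
 # credentials to make a request to Amazon Web Services.
@@ -1336,7 +1363,7 @@ module Aws::STS
 # toolkits then show how to use the information from these providers
 # to get and use temporary security credentials.
 #
-# * [Web Identity Federation with Mobile Applications][
+# * [Web Identity Federation with Mobile Applications][18]. This article
 # discusses web identity federation and shows an example of how to use
 # web identity federation to get access to content in Amazon S3.
 #
@@ -1345,23 +1372,21 @@ module Aws::STS
 # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
 # [2]: http://aws.amazon.com/sdkforios/
 # [3]: http://aws.amazon.com/sdkforandroid/
-# [4]: https://docs.aws.amazon.com/
-# [5]: https://docs.aws.amazon.com/
-# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
-# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
-# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
-# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
-# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
-# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
-# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
-# [13]:
-# [14]:
-# [15]:
-# [16]:
-# [17]: https://
-# [18]:
-# [19]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
-# [20]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
+# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+# [13]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
+# [14]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
+# [15]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
+# [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+# [17]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
+# [18]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
 #
 # @option params [required, String] :role_arn
 # The Amazon Resource Name (ARN) of the role that the caller is
@@ -1385,7 +1410,8 @@ module Aws::STS
 # by the identity provider. Your application must get this token by
 # authenticating the user who is using your application with a web
 # identity provider before the application makes an
-# `AssumeRoleWithWebIdentity` call.
+# `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
+# (RS256) are supported.
 #
 # @option params [String] :provider_id
 # The fully qualified host component of the domain name of the OAuth 2.0
@@ -1720,11 +1746,11 @@ module Aws::STS
 # to call the operation.
 #
 # <note markdown="1"> No permissions are required to perform this operation. If an
-# administrator
+# administrator attaches a policy to your identity that explicitly
 # denies access to the `sts:GetCallerIdentity` action, you can still
 # perform this operation. Permissions are not required because the same
-# information is returned when
-#
+# information is returned when access is denied. To view an example
+# response, see [I Am Not Authorized to Perform:
 # iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
 #
 # </note>
@@ -1801,43 +1827,43 @@ module Aws::STS
 end
 
 # Returns a set of temporary security credentials (consisting of an
-# access key ID, a secret access key, and a security token) for a
-#
-#
-#
-#
-#
-#
-#
-#
+# access key ID, a secret access key, and a security token) for a user.
+# A typical use is in a proxy application that gets temporary security
+# credentials on behalf of distributed applications inside a corporate
+# network.
+#
+# You must call the `GetFederationToken` operation using the long-term
+# security credentials of an IAM user. As a result, this call is
+# appropriate in contexts where those credentials can be safeguarded,
+# usually in a server-based application. For a comparison of
+# `GetFederationToken` with the other API operations that produce
+# temporary credentials, see [Requesting Temporary Security
 # Credentials][1] and [Comparing the Amazon Web Services STS API
 # operations][2] in the *IAM User Guide*.
 #
+# Although it is possible to call `GetFederationToken` using the
+# security credentials of an Amazon Web Services account root user
+# rather than an IAM user that you create for the purpose of a proxy
+# application, we do not recommend it. For more information, see
+# [Safeguard your root user credentials and don't use them for everyday
+# tasks][3] in the *IAM User Guide*.
+#
 # <note markdown="1"> You can create a mobile-based or browser-based app that can
 # authenticate users using a web identity provider like Login with
 # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
-# provider. In this case, we recommend that you use [Amazon Cognito][
+# provider. In this case, we recommend that you use [Amazon Cognito][4]
 # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
-# Through a Web-based Identity Provider][
+# Through a Web-based Identity Provider][5] in the *IAM User Guide*.
 #
 # </note>
 #
-# You can also call `GetFederationToken` using the security credentials
-# of an Amazon Web Services account root user, but we do not recommend
-# it. Instead, we recommend that you create an IAM user for the purpose
-# of the proxy application. Then attach a policy to the IAM user that
-# limits federated users to only the actions and resources that they
-# need to access. For more information, see [IAM Best Practices][5] in
-# the *IAM User Guide*.
-#
 # **Session duration**
 #
 # The temporary credentials are valid for the specified duration, from
 # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
 # hours). The default session duration is 43,200 seconds (12 hours).
-# Temporary credentials obtained by using the
-#
-# (1 hour).
+# Temporary credentials obtained by using the root user credentials have
+# a maximum duration of 3,600 seconds (1 hour).
 #
 # **Permissions**
 #
@@ -1887,9 +1913,9 @@ module Aws::STS
 # <note markdown="1"> You can create a mobile-based or browser-based app that can
 # authenticate users using a web identity provider like Login with
 # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
-# provider. In this case, we recommend that you use [Amazon Cognito][
+# provider. In this case, we recommend that you use [Amazon Cognito][4]
 # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
-# Through a Web-based Identity Provider][
+# Through a Web-based Identity Provider][5] in the *IAM User Guide*.
 #
 # </note>
 #
@@ -1911,9 +1937,9 @@ module Aws::STS
 #
 # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
 # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-# [3]:
-# [4]:
-# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
+# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
+# [4]: http://aws.amazon.com/cognito/
+# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
 # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
 # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
@@ -2030,10 +2056,10 @@ module Aws::STS
 # The duration, in seconds, that the session should last. Acceptable
 # durations for federation sessions range from 900 seconds (15 minutes)
 # to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
-# default. Sessions obtained using
-#
-#
-#
+# default. Sessions obtained using root user credentials are restricted
+# to a maximum of 3,600 seconds (one hour). If the specified duration is
+# longer than one hour, the session obtained by using root user
+# credentials defaults to one hour.
 #
 # @option params [Array<Types::Tag>] :tags
 # A list of session tags. Each session tag consists of a key name and an
@@ -2153,14 +2179,15 @@ module Aws::STS
 # secret access key, and a security token. Typically, you use
 # `GetSessionToken` if you want to use MFA to protect programmatic calls
 # to specific Amazon Web Services API operations like Amazon EC2
-# `StopInstances`.
-#
-# MFA
-#
-#
-#
-#
-#
+# `StopInstances`.
+#
+# MFA-enabled IAM users must call `GetSessionToken` and submit an MFA
+# code that is associated with their MFA device. Using the temporary
+# security credentials that the call returns, IAM users can then make
+# programmatic calls to API operations that require MFA authentication.
+# An incorrect MFA code causes the API to return an access denied error.
+# For a comparison of `GetSessionToken` with the other API operations
+# that produce temporary credentials, see [Requesting Temporary Security
 # Credentials][1] and [Comparing the Amazon Web Services STS API
 # operations][2] in the *IAM User Guide*.
 #
@@ -2175,13 +2202,13 @@ module Aws::STS
 # **Session Duration**
 #
 # The `GetSessionToken` operation must be called by using the long-term
-# Amazon Web Services security credentials of
-#
-#
-#
-# (
-#
-#
+# Amazon Web Services security credentials of an IAM user. Credentials
+# that are created by IAM users are valid for the duration that you
+# specify. This duration can range from 900 seconds (15 minutes) up to a
+# maximum of 129,600 seconds (36 hours), with a default of 43,200
+# seconds (12 hours). Credentials based on account credentials can range
+# from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
+# default of 1 hour.
 #
 # **Permissions**
 #
@@ -2195,24 +2222,23 @@ module Aws::STS
 # * You cannot call any STS API *except* `AssumeRole` or
 # `GetCallerIdentity`.
 #
-#
-#
-#
-#
-# with Amazon Web Services.
+# The credentials that `GetSessionToken` returns are based on
+# permissions associated with the IAM user whose credentials were used
+# to call the operation. The temporary credentials have the same
+# permissions as the IAM user.
 #
-#
+# <note markdown="1"> Although it is possible to call `GetSessionToken` using the security
+# credentials of an Amazon Web Services account root user rather than an
+# IAM user, we do not recommend it. If `GetSessionToken` is called using
+# root user credentials, the temporary credentials have root user
+# permissions. For more information, see [Safeguard your root user
+# credentials and don't use them for everyday tasks][4] in the *IAM
+# User Guide*
 #
-#
-# permissions associated with the user whose credentials were used to
-# call the operation. If `GetSessionToken` is called using Amazon Web
-# Services account root user credentials, the temporary credentials have
-# root user permissions. Similarly, if `GetSessionToken` is called using
-# the credentials of an IAM user, the temporary credentials have the
-# same permissions as the IAM user.
+# </note>
 #
 # For more information about using `GetSessionToken` to create temporary
-# credentials,
+# credentials, see [Temporary Credentials for Users in Untrusted
 # Environments][5] in the *IAM User Guide*.
 #
 #
@@ -2220,7 +2246,7 @@ module Aws::STS
 # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
 # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
 # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
-# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#
+# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
 # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
 #
 # @option params [Integer] :duration_seconds
@@ -2318,7 +2344,7 @@ module Aws::STS
 params: params,
 config: config)
 context[:gem_name] = 'aws-sdk-core'
-context[:gem_version] = '3.
+context[:gem_version] = '3.186.0'
 Seahorse::Client::Request.new(handlers, context)
 end
 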
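Review bot: The new option docs in the `@@ -192,6 +194,10 @@` and `@@ -212,6 +218,10 @@` hunks spell the boolean literal three different ways — `'true'` in single quotes for `:disable_request_compression`, bare `true` for `:ignore_configured_endpoint_urls`, and the backticked form the neighbouring `:endpoint_discovery` entry already uses — so the same YARD options list reads inconsistently. Use the backticked form in both new entries to match the existing style. In the `@@ -232,6 +242,11 @@` hunk the sentence for `:request_min_compression_size_bytes` is missing an article and doubles the word "value"; I would write it as `# bodies. The value must be a non-negative integer between 0` followed by the existing `# and 10485780 bytes inclusive.` line. What happens when a caller passes a value outside that range is not stated here; if the rejection is done by the new `request_compression.rb` plugin (outside this diff), a short pointer to it in the option doc would save readers a search. The options documentation block these hunks belong to begins and ends outside the shown hunks.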
@@ -43,6 +43,8 @@ module Aws::STS
|
|
43
43
|
NameQualifier = Shapes::StringShape.new(name: 'NameQualifier')
|
44
44
|
PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException')
|
45
45
|
PolicyDescriptorType = Shapes::StructureShape.new(name: 'PolicyDescriptorType')
|
46
|
+
ProvidedContext = Shapes::StructureShape.new(name: 'ProvidedContext')
|
47
|
+
ProvidedContextsListType = Shapes::ListShape.new(name: 'ProvidedContextsListType')
|
46
48
|
RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException')
|
47
49
|
SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
|
48
50
|
Subject = Shapes::StringShape.new(name: 'Subject')
|
@@ -54,6 +56,7 @@ module Aws::STS
|
|
54
56
|
arnType = Shapes::StringShape.new(name: 'arnType')
|
55
57
|
assumedRoleIdType = Shapes::StringShape.new(name: 'assumedRoleIdType')
|
56
58
|
clientTokenType = Shapes::StringShape.new(name: 'clientTokenType')
|
59
|
+
contextAssertionType = Shapes::StringShape.new(name: 'contextAssertionType')
|
57
60
|
dateType = Shapes::TimestampShape.new(name: 'dateType')
|
58
61
|
decodedMessageType = Shapes::StringShape.new(name: 'decodedMessageType')
|
59
62
|
durationSecondsType = Shapes::IntegerShape.new(name: 'durationSecondsType')
|
@@ -81,6 +84,7 @@ module Aws::STS
|
|
81
84
|
tagValueType = Shapes::StringShape.new(name: 'tagValueType')
|
82
85
|
tokenCodeType = Shapes::StringShape.new(name: 'tokenCodeType')
|
83
86
|
tokenType = Shapes::StringShape.new(name: 'tokenType')
|
87
|
+
unrestrictedSessionPolicyDocumentType = Shapes::StringShape.new(name: 'unrestrictedSessionPolicyDocumentType')
|
84
88
|
urlType = Shapes::StringShape.new(name: 'urlType')
|
85
89
|
userIdType = Shapes::StringShape.new(name: 'userIdType')
|
86
90
|
userNameType = Shapes::StringShape.new(name: 'userNameType')
|
@@ -89,7 +93,7 @@ module Aws::STS
|
|
89
93
|
AssumeRoleRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
|
90
94
|
AssumeRoleRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
|
91
95
|
AssumeRoleRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
|
92
|
-
AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape:
|
96
|
+
AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape: unrestrictedSessionPolicyDocumentType, location_name: "Policy"))
|
93
97
|
AssumeRoleRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
|
94
98
|
AssumeRoleRequest.add_member(:tags, Shapes::ShapeRef.new(shape: tagListType, location_name: "Tags"))
|
95
99
|
AssumeRoleRequest.add_member(:transitive_tag_keys, Shapes::ShapeRef.new(shape: tagKeyListType, location_name: "TransitiveTagKeys"))
|
@@ -97,6 +101,7 @@ module Aws::STS
|
|
97
101
|
AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
|
98
102
|
AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
|
99
103
|
AssumeRoleRequest.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
104
|
+
AssumeRoleRequest.add_member(:provided_contexts, Shapes::ShapeRef.new(shape: ProvidedContextsListType, location_name: "ProvidedContexts"))
|
100
105
|
AssumeRoleRequest.struct_class = Types::AssumeRoleRequest
|
101
106
|
|
102
107
|
AssumeRoleResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
|
@@ -219,6 +224,12 @@ module Aws::STS
|
|
219
224
|
PolicyDescriptorType.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, location_name: "arn"))
|
220
225
|
PolicyDescriptorType.struct_class = Types::PolicyDescriptorType
|
221
226
|
|
227
|
+
ProvidedContext.add_member(:provider_arn, Shapes::ShapeRef.new(shape: arnType, location_name: "ProviderArn"))
|
228
|
+
ProvidedContext.add_member(:context_assertion, Shapes::ShapeRef.new(shape: contextAssertionType, location_name: "ContextAssertion"))
|
229
|
+
ProvidedContext.struct_class = Types::ProvidedContext
|
230
|
+
|
231
|
+
ProvidedContextsListType.member = Shapes::ShapeRef.new(shape: ProvidedContext)
|
232
|
+
|
222
233
|
RegionDisabledException.add_member(:message, Shapes::ShapeRef.new(shape: regionDisabledMessage, location_name: "message"))
|
223
234
|
RegionDisabledException.struct_class = Types::RegionDisabledException
|
224
235
|
|