aws-sdk-core 3.209.1 → 3.214.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +35 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +1 -2
- data/lib/aws-sdk-core/cbor.rb +3 -56
- data/lib/aws-sdk-core/client_stubs.rb +7 -7
- data/lib/aws-sdk-core/endpoints/matchers.rb +1 -8
- data/lib/aws-sdk-core/json/error_handler.rb +2 -1
- data/lib/aws-sdk-core/json/handler.rb +1 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +44 -25
- data/lib/aws-sdk-core/rest/request/headers.rb +2 -2
- data/lib/aws-sdk-core/rpc_v2/builder.rb +1 -1
- data/lib/aws-sdk-core/{cbor → rpc_v2}/cbor_engine.rb +4 -5
- data/lib/aws-sdk-core/rpc_v2/content_type_handler.rb +3 -1
- data/lib/aws-sdk-core/rpc_v2/error_handler.rb +3 -2
- data/lib/aws-sdk-core/rpc_v2/handler.rb +2 -1
- data/lib/aws-sdk-core/rpc_v2/parser.rb +1 -1
- data/lib/aws-sdk-core/rpc_v2.rb +65 -2
- data/lib/aws-sdk-core/stubbing/protocols/ec2.rb +12 -11
- data/lib/aws-sdk-core/stubbing/protocols/json.rb +11 -10
- data/lib/aws-sdk-core/stubbing/protocols/query.rb +7 -6
- data/lib/aws-sdk-core/stubbing/protocols/rest.rb +2 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest_json.rb +9 -8
- data/lib/aws-sdk-core/stubbing/protocols/rest_xml.rb +6 -5
- data/lib/aws-sdk-core/stubbing/protocols/rpc_v2.rb +13 -15
- data/lib/aws-sdk-core/stubbing.rb +2 -2
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sso/endpoint_parameters.rb +9 -6
- data/lib/aws-sdk-sso/endpoints.rb +2 -42
- data/lib/aws-sdk-sso/plugins/endpoints.rb +1 -14
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-ssooidc/client.rb +1 -1
- data/lib/aws-sdk-ssooidc/endpoint_parameters.rb +9 -6
- data/lib/aws-sdk-ssooidc/endpoints.rb +2 -42
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +1 -14
- data/lib/aws-sdk-ssooidc.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +208 -51
- data/lib/aws-sdk-sts/client_api.rb +23 -0
- data/lib/aws-sdk-sts/endpoint_parameters.rb +10 -9
- data/lib/aws-sdk-sts/endpoints.rb +2 -94
- data/lib/aws-sdk-sts/plugins/endpoints.rb +1 -22
- data/lib/aws-sdk-sts/types.rb +170 -27
- data/lib/aws-sdk-sts.rb +1 -1
- metadata +5 -5
@@ -12,101 +12,9 @@ module Aws::STS
|
|
12
12
|
# @api private
|
13
13
|
module Endpoints
|
14
14
|
|
15
|
-
class AssumeRole
|
16
|
-
def self.build(context)
|
17
|
-
Aws::STS::EndpointParameters.new(
|
18
|
-
region: context.config.region,
|
19
|
-
use_dual_stack: context.config.use_dualstack_endpoint,
|
20
|
-
use_fips: context.config.use_fips_endpoint,
|
21
|
-
endpoint: context.config.regional_endpoint ? nil : context.config.endpoint.to_s,
|
22
|
-
use_global_endpoint: context.config.sts_regional_endpoints == 'legacy',
|
23
|
-
)
|
24
|
-
end
|
25
|
-
end
|
26
|
-
|
27
|
-
class AssumeRoleWithSAML
|
28
|
-
def self.build(context)
|
29
|
-
Aws::STS::EndpointParameters.new(
|
30
|
-
region: context.config.region,
|
31
|
-
use_dual_stack: context.config.use_dualstack_endpoint,
|
32
|
-
use_fips: context.config.use_fips_endpoint,
|
33
|
-
endpoint: context.config.regional_endpoint ? nil : context.config.endpoint.to_s,
|
34
|
-
use_global_endpoint: context.config.sts_regional_endpoints == 'legacy',
|
35
|
-
)
|
36
|
-
end
|
37
|
-
end
|
38
|
-
|
39
|
-
class AssumeRoleWithWebIdentity
|
40
|
-
def self.build(context)
|
41
|
-
Aws::STS::EndpointParameters.new(
|
42
|
-
region: context.config.region,
|
43
|
-
use_dual_stack: context.config.use_dualstack_endpoint,
|
44
|
-
use_fips: context.config.use_fips_endpoint,
|
45
|
-
endpoint: context.config.regional_endpoint ? nil : context.config.endpoint.to_s,
|
46
|
-
use_global_endpoint: context.config.sts_regional_endpoints == 'legacy',
|
47
|
-
)
|
48
|
-
end
|
49
|
-
end
|
50
|
-
|
51
|
-
class DecodeAuthorizationMessage
|
52
|
-
def self.build(context)
|
53
|
-
Aws::STS::EndpointParameters.new(
|
54
|
-
region: context.config.region,
|
55
|
-
use_dual_stack: context.config.use_dualstack_endpoint,
|
56
|
-
use_fips: context.config.use_fips_endpoint,
|
57
|
-
endpoint: context.config.regional_endpoint ? nil : context.config.endpoint.to_s,
|
58
|
-
use_global_endpoint: context.config.sts_regional_endpoints == 'legacy',
|
59
|
-
)
|
60
|
-
end
|
61
|
-
end
|
62
15
|
|
63
|
-
|
64
|
-
|
65
|
-
Aws::STS::EndpointParameters.new(
|
66
|
-
region: context.config.region,
|
67
|
-
use_dual_stack: context.config.use_dualstack_endpoint,
|
68
|
-
use_fips: context.config.use_fips_endpoint,
|
69
|
-
endpoint: context.config.regional_endpoint ? nil : context.config.endpoint.to_s,
|
70
|
-
use_global_endpoint: context.config.sts_regional_endpoints == 'legacy',
|
71
|
-
)
|
72
|
-
end
|
16
|
+
def self.parameters_for_operation(context)
|
17
|
+
Aws::STS::EndpointParameters.create(context.config)
|
73
18
|
end
|
74
|
-
|
75
|
-
class GetCallerIdentity
|
76
|
-
def self.build(context)
|
77
|
-
Aws::STS::EndpointParameters.new(
|
78
|
-
region: context.config.region,
|
79
|
-
use_dual_stack: context.config.use_dualstack_endpoint,
|
80
|
-
use_fips: context.config.use_fips_endpoint,
|
81
|
-
endpoint: context.config.regional_endpoint ? nil : context.config.endpoint.to_s,
|
82
|
-
use_global_endpoint: context.config.sts_regional_endpoints == 'legacy',
|
83
|
-
)
|
84
|
-
end
|
85
|
-
end
|
86
|
-
|
87
|
-
class GetFederationToken
|
88
|
-
def self.build(context)
|
89
|
-
Aws::STS::EndpointParameters.new(
|
90
|
-
region: context.config.region,
|
91
|
-
use_dual_stack: context.config.use_dualstack_endpoint,
|
92
|
-
use_fips: context.config.use_fips_endpoint,
|
93
|
-
endpoint: context.config.regional_endpoint ? nil : context.config.endpoint.to_s,
|
94
|
-
use_global_endpoint: context.config.sts_regional_endpoints == 'legacy',
|
95
|
-
)
|
96
|
-
end
|
97
|
-
end
|
98
|
-
|
99
|
-
class GetSessionToken
|
100
|
-
def self.build(context)
|
101
|
-
Aws::STS::EndpointParameters.new(
|
102
|
-
region: context.config.region,
|
103
|
-
use_dual_stack: context.config.use_dualstack_endpoint,
|
104
|
-
use_fips: context.config.use_fips_endpoint,
|
105
|
-
endpoint: context.config.regional_endpoint ? nil : context.config.endpoint.to_s,
|
106
|
-
use_global_endpoint: context.config.sts_regional_endpoints == 'legacy',
|
107
|
-
)
|
108
|
-
end
|
109
|
-
end
|
110
|
-
|
111
19
|
end
|
112
20
|
end
|
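Review bot: The new `parameters_for_operation` has no comment saying that it must keep the mappings the removed `build` methods spelled out, and they are not visible here: `region`, `use_dual_stack`, `use_fips`, `endpoint` forced to `nil` when `regional_endpoint` is set, and `use_global_endpoint` derived from `sts_regional_endpoints == 'legacy'`. All of that now depends on `Aws::STS::EndpointParameters.create(context.config)`, whose body is outside this hunk. These parameters decide which STS host receives credential requests, so it is worth confirming in the endpoint parameters file that `create` keeps the `regional_endpoint ? nil : endpoint.to_s` and legacy-global logic. I would add a comment above the method such as `# Builds endpoint parameters from client config only; the result is the same for every STS operation.` Two removed lines (old 63 and 64) have lost their text in this rendering, so the class they opened cannot be checked from here.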
@@ -27,7 +27,7 @@ The endpoint provider used to resolve endpoints. Any object that responds to
|
|
27
27
|
class Handler < Seahorse::Client::Handler
|
28
28
|
def call(context)
|
29
29
|
unless context[:discovered_endpoint]
|
30
|
-
params = parameters_for_operation(context)
|
30
|
+
params = Aws::STS::Endpoints.parameters_for_operation(context)
|
31
31
|
endpoint = context.config.endpoint_provider.resolve_endpoint(params)
|
32
32
|
|
33
33
|
context.http_request.endpoint = endpoint.url
|
@@ -67,27 +67,6 @@ The endpoint provider used to resolve endpoints. Any object that responds to
|
|
67
67
|
context.http_request.headers[key] = value
|
68
68
|
end
|
69
69
|
end
|
70
|
-
|
71
|
-
def parameters_for_operation(context)
|
72
|
-
case context.operation_name
|
73
|
-
when :assume_role
|
74
|
-
Aws::STS::Endpoints::AssumeRole.build(context)
|
75
|
-
when :assume_role_with_saml
|
76
|
-
Aws::STS::Endpoints::AssumeRoleWithSAML.build(context)
|
77
|
-
when :assume_role_with_web_identity
|
78
|
-
Aws::STS::Endpoints::AssumeRoleWithWebIdentity.build(context)
|
79
|
-
when :decode_authorization_message
|
80
|
-
Aws::STS::Endpoints::DecodeAuthorizationMessage.build(context)
|
81
|
-
when :get_access_key_info
|
82
|
-
Aws::STS::Endpoints::GetAccessKeyInfo.build(context)
|
83
|
-
when :get_caller_identity
|
84
|
-
Aws::STS::Endpoints::GetCallerIdentity.build(context)
|
85
|
-
when :get_federation_token
|
86
|
-
Aws::STS::Endpoints::GetFederationToken.build(context)
|
87
|
-
when :get_session_token
|
88
|
-
Aws::STS::Endpoints::GetSessionToken.build(context)
|
89
|
-
end
|
90
|
-
end
|
91
70
|
end
|
92
71
|
|
93
72
|
def add_handlers(handlers, _config)
|
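--- a/data/lib/aws-sdk-sts/types.rb
+++ b/data/lib/aws-sdk-sts/types.rb
@@ -26,10 +26,21 @@ module Aws::STS
 # that use the temporary security credentials will expose the role
 # session name to the external account in their CloudTrail logs.
 #
+# For security purposes, administrators can view this field in
+# [CloudTrail logs][1] to help identify who performed an action in
+# Amazon Web Services. Your administrator might require that you
+# specify your user name as the session name when you assume the role.
+# For more information, see [ `sts:RoleSessionName` ][2].
+#
 # The regex used to validate this parameter is a string of characters
 # consisting of upper- and lower-case alphanumeric characters with no
 # spaces. You can also include underscores or any of the following
 # characters: =,.@-
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
 # @return [String]
 #
 # @!attribute [rw] policy_arns
@@ -101,6 +112,9 @@ module Aws::STS
 #
 # </note>
 #
+# For more information about role session permissions, see [Session
+# policies][1].
+#
 #
 #
 # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
@@ -125,8 +139,7 @@ module Aws::STS
 # However, if you assume a role using role chaining and provide a
 # `DurationSeconds` parameter value greater than one hour, the
 # operation fails. To learn how to view the maximum value for your
-# role, see [
-# in the *IAM User Guide*.
+# role, see [Update the maximum session duration for a role][1].
 #
 # By default, the value is set to `3600` seconds.
 #
@@ -142,7 +155,7 @@ module Aws::STS
 #
 #
 #
-# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
 # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
 # @return [Integer]
 #
@@ -199,9 +212,8 @@ module Aws::STS
 # passes to subsequent sessions in a role chain. For more information,
 # see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
 #
-# This parameter is optional.
-#
-# affected.
+# This parameter is optional. The transitive status of a session tag
+# does not impact its packed binary size.
 #
 # If you choose not to specify a transitive tag key, then no tags are
 # passed from this session to any subsequent sessions.
@@ -263,17 +275,18 @@ module Aws::STS
 #
 # @!attribute [rw] source_identity
 # The source identity specified by the principal that is calling the
-# `AssumeRole` operation.
+# `AssumeRole` operation. The source identity value persists across
+# [chained role][1] sessions.
 #
 # You can require users to specify a source identity when they assume
-# a role. You do this by using the `sts:SourceIdentity`
-# in a role trust policy. You can use source identity
-# CloudTrail logs to determine who took actions with a
-# use the `aws:SourceIdentity` condition key to further
-# to Amazon Web Services resources based on the value
-# identity. For more information about using source
-# [Monitor and control actions taken with assumed
-# *IAM User Guide*.
+# a role. You do this by using the [ `sts:SourceIdentity` ][2]
+# condition key in a role trust policy. You can use source identity
+# information in CloudTrail logs to determine who took actions with a
+# role. You can use the `aws:SourceIdentity` condition key to further
+# control access to Amazon Web Services resources based on the value
+# of source identity. For more information about using source
+# identity, see [Monitor and control actions taken with assumed
+# roles][3] in the *IAM User Guide*.
 #
 # The regex used to validate this parameter is a string of characters
 # consisting of upper- and lower-case alphanumeric characters with no
@@ -284,7 +297,9 @@ module Aws::STS
 #
 #
 #
-# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity
+# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 # @return [String]
 #
 # @!attribute [rw] provided_contexts
@@ -297,7 +312,7 @@ module Aws::STS
 # context provider from which the trusted context assertion was
 # generated.
 #
-# `[
+# `[{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]`
 # @return [Array<Types::ProvidedContext>]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
@@ -465,6 +480,9 @@ module Aws::STS
 # include the tab (\\u0009), linefeed (\\u000A), and carriage return
 # (\\u000D) characters.
 #
+# For more information about role session permissions, see [Session
+# policies][1].
+#
 # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
 # session policy, managed policy ARNs, and session tags into a packed
 # binary format that has a separate limit. Your request can fail for
@@ -600,6 +618,8 @@ module Aws::STS
 #
 # @!attribute [rw] source_identity
 # The value in the `SourceIdentity` attribute in the SAML assertion.
+# The source identity value persists across [chained role][1]
+# sessions.
 #
 # You can require users to set a source identity value when they
 # assume a role. You do this by using the `sts:SourceIdentity`
@@ -607,12 +627,12 @@ module Aws::STS
 # taken with the role are associated with that user. After the source
 # identity is set, the value cannot be changed. It is present in the
 # request for all actions that are taken by the role and persists
-# across [chained role][
+# across [chained role][2] sessions. You can configure your SAML
 # identity provider to use an attribute associated with your users,
 # like user name or email, as the source identity when calling
 # `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
 # assertion. For more information about using source identity, see
-# [Monitor and control actions taken with assumed roles][
+# [Monitor and control actions taken with assumed roles][3] in the
 # *IAM User Guide*.
 #
 # The regex used to validate this parameter is a string of characters
@@ -622,8 +642,9 @@ module Aws::STS
 #
 #
 #
-# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
-# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
+# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 # @return [String]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
@@ -645,6 +666,24 @@ module Aws::STS
 # @!attribute [rw] role_arn
 # The Amazon Resource Name (ARN) of the role that the caller is
 # assuming.
+#
+# <note markdown="1"> Additional considerations apply to Amazon Cognito identity pools
+# that assume [cross-account IAM roles][1]. The trust policies of
+# these roles must accept the `cognito-identity.amazonaws.com` service
+# principal and must contain the `cognito-identity.amazonaws.com:aud`
+# condition key to restrict role assumption to users from your
+# intended identity pools. A policy that trusts Amazon Cognito
+# identity pools without this condition creates a risk that a user
+# from an unintended identity pool can assume the role. For more
+# information, see [ Trust policies for IAM roles in Basic (Classic)
+# authentication ][2] in the *Amazon Cognito Developer Guide*.
+#
+# </note>
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
+# [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies
 # @return [String]
 #
 # @!attribute [rw] role_session_name
@@ -655,10 +694,21 @@ module Aws::STS
 # session name is included as part of the ARN and assumed role ID in
 # the `AssumedRoleUser` response element.
 #
+# For security purposes, administrators can view this field in
+# [CloudTrail logs][1] to help identify who performed an action in
+# Amazon Web Services. Your administrator might require that you
+# specify your user name as the session name when you assume the role.
+# For more information, see [ `sts:RoleSessionName` ][2].
+#
 # The regex used to validate this parameter is a string of characters
 # consisting of upper- and lower-case alphanumeric characters with no
 # spaces. You can also include underscores or any of the following
 # characters: =,.@-
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
 # @return [String]
 #
 # @!attribute [rw] web_identity_token
@@ -666,8 +716,9 @@ module Aws::STS
 # provided by the identity provider. Your application must get this
 # token by authenticating the user who is using your application with
 # a web identity provider before the application makes an
-# `AssumeRoleWithWebIdentity` call.
-#
+# `AssumeRoleWithWebIdentity` call. Timestamps in the token must be
+# formatted as either an integer or a long integer. Only tokens with
+# RSA algorithms (RS256) are supported.
 # @return [String]
 #
 # @!attribute [rw] provider_id
@@ -741,6 +792,9 @@ module Aws::STS
 # include the tab (\\u0009), linefeed (\\u000A), and carriage return
 # (\\u000D) characters.
 #
+# For more information about role session permissions, see [Session
+# policies][1].
+#
 # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
 # session policy, managed policy ARNs, and session tags into a packed
 # binary format that has a separate limit. Your request can fail for
@@ -881,7 +935,7 @@ module Aws::STS
 #
 #
 #
-# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
 # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
 # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
 # @return [String]
@@ -900,6 +954,94 @@ module Aws::STS
 include Aws::Structure
 end
 
+# @!attribute [rw] target_principal
+# The member account principal ARN or account ID.
+# @return [String]
+#
+# @!attribute [rw] task_policy_arn
+# The identity based policy that scopes the session to the privileged
+# tasks that can be performed. You can use one of following Amazon Web
+# Services managed policies to scope root session actions. You can add
+# additional customer managed policies to further limit the
+# permissions for the root session.
+#
+# * [IAMAuditRootUserCredentials][1]
+#
+# * [IAMCreateRootUserPassword][2]
+#
+# * [IAMDeleteRootUserCredentials][3]
+#
+# * [S3UnlockBucketPolicy][4]
+#
+# * [SQSUnlockQueuePolicy][5]
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
+# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
+# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
+# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
+# @return [Types::PolicyDescriptorType]
+#
+# @!attribute [rw] duration_seconds
+# The duration, in seconds, of the privileged session. The value can
+# range from 0 seconds up to the maximum session duration of 900
+# seconds (15 minutes). If you specify a value higher than this
+# setting, the operation fails.
+#
+# By default, the value is set to `900` seconds.
+# @return [Integer]
+#
+# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRootRequest AWS API Documentation
+#
+class AssumeRootRequest < Struct.new(
+:target_principal,
+:task_policy_arn,
+:duration_seconds)
+SENSITIVE = []
+include Aws::Structure
+end
+
+# @!attribute [rw] credentials
+# The temporary security credentials, which include an access key ID,
+# a secret access key, and a security token.
+#
+# <note markdown="1"> The size of the security token that STS API operations return is not
+# fixed. We strongly recommend that you make no assumptions about the
+# maximum size.
+#
+# </note>
+# @return [Types::Credentials]
+#
+# @!attribute [rw] source_identity
+# The source identity specified by the principal that is calling the
+# `AssumeRoot` operation.
+#
+# You can use the `aws:SourceIdentity` condition key to control access
+# based on the value of source identity. For more information about
+# using source identity, see [Monitor and control actions taken with
+# assumed roles][1] in the *IAM User Guide*.
+#
+# The regex used to validate this parameter is a string of characters
+# consisting of upper- and lower-case alphanumeric characters with no
+# spaces. You can also include underscores or any of the following
+# characters: =,.@-
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+# @return [String]
+#
+# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRootResponse AWS API Documentation
+#
+class AssumeRootResponse < Struct.new(
+:credentials,
+:source_identity)
+SENSITIVE = []
+include Aws::Structure
+end
+
 # The identifiers for the temporary security credentials that the
 # operation returns.
 #
@@ -1419,7 +1561,8 @@ module Aws::STS
 
 # The error returned if the message passed to
 # `DecodeAuthorizationMessage` was invalid. This can happen if the token
-# contains invalid characters, such as
+# contains invalid characters, such as line breaks, or if the message
+# has expired.
 #
 # @!attribute [rw] message
 # @return [String]
@@ -1539,8 +1682,8 @@ module Aws::STS
 # STS is not activated in the requested region for the account that is
 # being asked to generate credentials. The account administrator must
 # use the IAM console to activate STS in that region. For more
-# information, see [Activating and Deactivating Amazon Web
-#
+# information, see [Activating and Deactivating STS in an Amazon Web
+# Services Region][1] in the *IAM User Guide*.
 #
 #
 #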
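Review bot: In the `-900,6 +954,94` hunk, `AssumeRootResponse` declares `SENSITIVE = []` although its `credentials` member is documented as carrying a secret access key and a security token, so nothing at this level marks the value for redaction. Whether it is filtered from logged responses presumably depends on `Types::Credentials` declaring its own sensitive members, and that definition is outside this section. This is worth confirming before the new operation is used with response logging enabled. Once confirmed, a comment above the constant would record the dependency, for example `# credentials is redacted by Types::Credentials, not by this struct`.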
data/lib/aws-sdk-sts.rb
CHANGED
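--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-version: 3.
+version: 3.214.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-
+date: 2024-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: jmespath
@@ -39,7 +39,7 @@ dependencies:
 version: '1'
 - - ">="
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.992.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -49,7 +49,7 @@ dependencies:
 version: '1'
 - - ">="
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.992.0
 - !ruby/object:Gem::Dependency
 name: aws-sigv4
 requirement: !ruby/object:Gem::Requirement
@@ -112,7 +112,6 @@ files:
 - lib/aws-sdk-core/binary/event_stream_decoder.rb
 - lib/aws-sdk-core/binary/event_stream_encoder.rb
 - lib/aws-sdk-core/cbor.rb
-- lib/aws-sdk-core/cbor/cbor_engine.rb
 - lib/aws-sdk-core/cbor/decoder.rb
 - lib/aws-sdk-core/cbor/encoder.rb
 - lib/aws-sdk-core/client_side_monitoring.rb
@@ -236,6 +235,7 @@ files:
 - lib/aws-sdk-core/rest/response/status_code.rb
 - lib/aws-sdk-core/rpc_v2.rb
 - lib/aws-sdk-core/rpc_v2/builder.rb
+- lib/aws-sdk-core/rpc_v2/cbor_engine.rb
 - lib/aws-sdk-core/rpc_v2/content_type_handler.rb
 - lib/aws-sdk-core/rpc_v2/error_handler.rb
 - lib/aws-sdk-core/rpc_v2/handler.rb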