aws-sdk-core 3.211.0 → 3.213.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d418a930974fa0612c72b4f3b79447d118c609226d9e831f88a816b528079da3
4
- data.tar.gz: fcd0a2ac8ca0e4bea771931e2b7da2c094437deeae84de781df5dfc23fb7561b
3
+ metadata.gz: a6f3a73413b33e6f06d9906357757e3ddd53a140b8abe22a7b61c8a316c090b9
4
+ data.tar.gz: 3e67a072f69d008280dc9b6385c6d269e81bb4441925c61fa344dd9c54092d6f
5
5
  SHA512:
6
- metadata.gz: d428f5d83ef0890bd1153b762b5ca47a5f8ee67f8c796fd53d3067419ccc792d13210de5d3eeadd0ee118bac060b9a887a2ae638e7fb8b1bc80936760fa69a49
7
- data.tar.gz: 1a9138f97f8c85c1acdb67aabf9866fcab95ac770684b817a9d2be39fd757ca0457aa219d168cfe9d5c5d8b0513bc9cd96aa2fcc96525e5fce350d8db602c259
6
+ metadata.gz: 413f47ca0e62d52310466498a472288f180b1c0c16923e243354f07c2798f467f025c556a6ec2cb97cfd903c0e54d886b8271bc8bc94633383b078ca50df56fe
7
+ data.tar.gz: 2848664939e23d6e71900b72c63628d17214167e49927f692e3d64abed012f936ffde0fe2267611103bc0c0f00139c77b99a0095e035bae0a5b0e2a2d879361e
data/CHANGELOG.md CHANGED
@@ -1,6 +1,18 @@
1
1
  Unreleased Changes
2
2
  ------------------
3
3
 
4
+ 3.213.0 (2024-11-14)
5
+ ------------------
6
+
7
+ * Feature - Updated Aws::STS::Client with the latest API changes.
8
+
9
+ * Feature - This release introduces the new API 'AssumeRoot', which returns short-term credentials that you can use to perform privileged tasks.
10
+
11
+ 3.212.0 (2024-11-06)
12
+ ------------------
13
+
14
+ * Feature - Updated Aws::STS::Client with the latest API changes.
15
+
4
16
  3.211.0 (2024-10-21)
5
17
  ------------------
6
18
 
data/VERSION CHANGED
@@ -1 +1 @@
1
- 3.211.0
1
+ 3.213.0
@@ -669,7 +669,7 @@ module Aws::SSO
669
669
  tracer: tracer
670
670
  )
671
671
  context[:gem_name] = 'aws-sdk-core'
672
- context[:gem_version] = '3.211.0'
672
+ context[:gem_version] = '3.213.0'
673
673
  Seahorse::Client::Request.new(handlers, context)
674
674
  end
675
675
 
data/lib/aws-sdk-sso.rb CHANGED
@@ -56,7 +56,7 @@ module Aws::SSO
56
56
  autoload :EndpointProvider, 'aws-sdk-sso/endpoint_provider'
57
57
  autoload :Endpoints, 'aws-sdk-sso/endpoints'
58
58
 
59
- GEM_VERSION = '3.211.0'
59
+ GEM_VERSION = '3.213.0'
60
60
 
61
61
  end
62
62
 
@@ -1022,7 +1022,7 @@ module Aws::SSOOIDC
1022
1022
  tracer: tracer
1023
1023
  )
1024
1024
  context[:gem_name] = 'aws-sdk-core'
1025
- context[:gem_version] = '3.211.0'
1025
+ context[:gem_version] = '3.213.0'
1026
1026
  Seahorse::Client::Request.new(handlers, context)
1027
1027
  end
1028
1028
 
@@ -56,7 +56,7 @@ module Aws::SSOOIDC
56
56
  autoload :EndpointProvider, 'aws-sdk-ssooidc/endpoint_provider'
57
57
  autoload :Endpoints, 'aws-sdk-ssooidc/endpoints'
58
58
 
59
- GEM_VERSION = '3.211.0'
59
+ GEM_VERSION = '3.213.0'
60
60
 
61
61
  end
62
62
 
@@ -460,8 +460,8 @@ module Aws::STS
460
460
  # token. Typically, you use `AssumeRole` within your account or for
461
461
  # cross-account access. For a comparison of `AssumeRole` with other API
462
462
  # operations that produce temporary credentials, see [Requesting
463
- # Temporary Security Credentials][1] and [Comparing the Amazon Web
464
- # Services STS API operations][2] in the *IAM User Guide*.
463
+ # Temporary Security Credentials][1] and [Compare STS credentials][2] in
464
+ # the *IAM User Guide*.
465
465
  #
466
466
  # **Permissions**
467
467
  #
@@ -470,9 +470,9 @@ module Aws::STS
470
470
  # following exception: You cannot call the Amazon Web Services STS
471
471
  # `GetFederationToken` or `GetSessionToken` API operations.
472
472
  #
473
- # (Optional) You can pass inline or managed [session policies][3] to
474
- # this operation. You can pass a single JSON policy document to use as
475
- # an inline session policy. You can also specify up to 10 managed policy
473
+ # (Optional) You can pass inline or managed session policies to this
474
+ # operation. You can pass a single JSON policy document to use as an
475
+ # inline session policy. You can also specify up to 10 managed policy
476
476
  # Amazon Resource Names (ARNs) to use as managed session policies. The
477
477
  # plaintext that you use for both inline and managed session policies
478
478
  # can't exceed 2,048 characters. Passing policies to this operation
@@ -545,7 +545,7 @@ module Aws::STS
545
545
  # denied. The condition in a trust policy that tests for MFA
546
546
  # authentication might look like the following example.
547
547
  #
548
- # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
548
+ # `"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}`
549
549
  #
550
550
  # For more information, see [Configuring MFA-Protected API Access][8] in
551
551
  # the *IAM User Guide* guide.
@@ -558,7 +558,7 @@ module Aws::STS
558
558
  #
559
559
  #
560
560
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
561
- # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
561
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
562
562
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
563
563
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
564
564
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
@@ -581,11 +581,22 @@ module Aws::STS
581
581
  # credentials will expose the role session name to the external account
582
582
  # in their CloudTrail logs.
583
583
  #
584
+ # For security purposes, administrators can view this field in
585
+ # [CloudTrail logs][1] to help identify who performed an action in
586
+ # Amazon Web Services. Your administrator might require that you specify
587
+ # your user name as the session name when you assume the role. For more
588
+ # information, see [ `sts:RoleSessionName` ][2].
589
+ #
584
590
  # The regex used to validate this parameter is a string of characters
585
591
  # consisting of upper- and lower-case alphanumeric characters with no
586
592
  # spaces. You can also include underscores or any of the following
587
593
  # characters: =,.@-
588
594
  #
595
+ #
596
+ #
597
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
598
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
599
+ #
589
600
  # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
590
601
  # The Amazon Resource Names (ARNs) of the IAM managed policies that you
591
602
  # want to use as managed session policies. The policies must exist in
@@ -651,6 +662,9 @@ module Aws::STS
651
662
  #
652
663
  # </note>
653
664
  #
665
+ # For more information about role session permissions, see [Session
666
+ # policies][1].
667
+ #
654
668
  #
655
669
  #
656
670
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
@@ -673,9 +687,8 @@ module Aws::STS
673
687
  # depending on the maximum session duration setting for your role.
674
688
  # However, if you assume a role using role chaining and provide a
675
689
  # `DurationSeconds` parameter value greater than one hour, the operation
676
- # fails. To learn how to view the maximum value for your role, see [View
677
- # the Maximum Session Duration Setting for a Role][1] in the *IAM User
678
- # Guide*.
690
+ # fails. To learn how to view the maximum value for your role, see
691
+ # [Update the maximum session duration for a role][1].
679
692
  #
680
693
  # By default, the value is set to `3600` seconds.
681
694
  #
@@ -691,7 +704,7 @@ module Aws::STS
691
704
  #
692
705
  #
693
706
  #
694
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
707
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
695
708
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
696
709
  #
697
710
  # @option params [Array<Types::Tag>] :tags
@@ -744,9 +757,8 @@ module Aws::STS
744
757
  # passes to subsequent sessions in a role chain. For more information,
745
758
  # see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
746
759
  #
747
- # This parameter is optional. When you set session tags as transitive,
748
- # the session policy and session tags packed binary limit is not
749
- # affected.
760
+ # This parameter is optional. The transitive status of a session tag
761
+ # does not impact its packed binary size.
750
762
  #
751
763
  # If you choose not to specify a transitive tag key, then no tags are
752
764
  # passed from this session to any subsequent sessions.
@@ -804,16 +816,17 @@ module Aws::STS
804
816
  #
805
817
  # @option params [String] :source_identity
806
818
  # The source identity specified by the principal that is calling the
807
- # `AssumeRole` operation.
819
+ # `AssumeRole` operation. The source identity value persists across
820
+ # [chained role][1] sessions.
808
821
  #
809
822
  # You can require users to specify a source identity when they assume a
810
- # role. You do this by using the `sts:SourceIdentity` condition key in a
811
- # role trust policy. You can use source identity information in
823
+ # role. You do this by using the [ `sts:SourceIdentity` ][2] condition
824
+ # key in a role trust policy. You can use source identity information in
812
825
  # CloudTrail logs to determine who took actions with a role. You can use
813
826
  # the `aws:SourceIdentity` condition key to further control access to
814
827
  # Amazon Web Services resources based on the value of source identity.
815
828
  # For more information about using source identity, see [Monitor and
816
- # control actions taken with assumed roles][1] in the *IAM User Guide*.
829
+ # control actions taken with assumed roles][3] in the *IAM User Guide*.
817
830
  #
818
831
  # The regex used to validate this parameter is a string of characters
819
832
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -823,7 +836,9 @@ module Aws::STS
823
836
  #
824
837
  #
825
838
  #
826
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
839
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
840
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity
841
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
827
842
  #
828
843
  # @option params [Array<Types::ProvidedContext>] :provided_contexts
829
844
  # A list of previously acquired trusted context assertions in the format
@@ -834,7 +849,7 @@ module Aws::STS
834
849
  # a single trusted context assertion and the ARN of the context provider
835
850
  # from which the trusted context assertion was generated.
836
851
  #
837
- # `[\{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"\}]`
852
+ # `[{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]`
838
853
  #
839
854
  # @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
840
855
  #
@@ -944,8 +959,8 @@ module Aws::STS
944
959
  # user-specific credentials or configuration. For a comparison of
945
960
  # `AssumeRoleWithSAML` with the other API operations that produce
946
961
  # temporary credentials, see [Requesting Temporary Security
947
- # Credentials][1] and [Comparing the Amazon Web Services STS API
948
- # operations][2] in the *IAM User Guide*.
962
+ # Credentials][1] and [Compare STS credentials][2] in the *IAM User
963
+ # Guide*.
949
964
  #
950
965
  # The temporary security credentials returned by this operation consist
951
966
  # of an access key ID, a secret access key, and a security token.
@@ -1075,7 +1090,7 @@ module Aws::STS
1075
1090
  #
1076
1091
  #
1077
1092
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1078
- # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1093
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
1079
1094
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1080
1095
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
1081
1096
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
@@ -1163,6 +1178,9 @@ module Aws::STS
1163
1178
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1164
1179
  # characters.
1165
1180
  #
1181
+ # For more information about role session permissions, see [Session
1182
+ # policies][1].
1183
+ #
1166
1184
  # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1167
1185
  # policy, managed policy ARNs, and session tags into a packed binary
1168
1186
  # format that has a separate limit. Your request can fail for this limit
@@ -1317,8 +1335,8 @@ module Aws::STS
1317
1335
  # a token from the web identity provider. For a comparison of
1318
1336
  # `AssumeRoleWithWebIdentity` with the other API operations that produce
1319
1337
  # temporary credentials, see [Requesting Temporary Security
1320
- # Credentials][4] and [Comparing the Amazon Web Services STS API
1321
- # operations][5] in the *IAM User Guide*.
1338
+ # Credentials][4] and [Compare STS credentials][5] in the *IAM User
1339
+ # Guide*.
1322
1340
  #
1323
1341
  # The temporary security credentials returned by this API consist of an
1324
1342
  # access key ID, a secret access key, and a security token. Applications
@@ -1333,9 +1351,9 @@ module Aws::STS
1333
1351
  # your session. You can provide a value from 900 seconds (15 minutes) up
1334
1352
  # to the maximum session duration setting for the role. This setting can
1335
1353
  # have a value from 1 hour to 12 hours. To learn how to view the maximum
1336
- # value for your role, see [View the Maximum Session Duration Setting
1337
- # for a Role][6] in the *IAM User Guide*. The maximum session duration
1338
- # limit applies when you use the `AssumeRole*` API operations or the
1354
+ # value for your role, see [Update the maximum session duration for a
1355
+ # role ][6] in the *IAM User Guide*. The maximum session duration limit
1356
+ # applies when you use the `AssumeRole*` API operations or the
1339
1357
  # `assume-role*` CLI commands. However the limit does not apply when you
1340
1358
  # use those operations to create a console URL. For more information,
1341
1359
  # see [Using IAM Roles][7] in the *IAM User Guide*.
@@ -1413,35 +1431,26 @@ module Aws::STS
1413
1431
  # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
1414
1432
  # specification][14].
1415
1433
  #
1416
- # For more information about how to use web identity federation and the
1434
+ # For more information about how to use OIDC federation and the
1417
1435
  # `AssumeRoleWithWebIdentity` API, see the following resources:
1418
1436
  #
1419
1437
  # * [Using Web Identity Federation API Operations for Mobile Apps][15]
1420
1438
  # and [Federation Through a Web-based Identity Provider][16].
1421
1439
  #
1422
- # * [ Web Identity Federation Playground][17]. Walk through the process
1423
- # of authenticating through Login with Amazon, Facebook, or Google,
1424
- # getting temporary security credentials, and then using those
1425
- # credentials to make a request to Amazon Web Services.
1426
- #
1427
1440
  # * [Amazon Web Services SDK for iOS Developer Guide][2] and [Amazon Web
1428
1441
  # Services SDK for Android Developer Guide][3]. These toolkits contain
1429
1442
  # sample apps that show how to invoke the identity providers. The
1430
1443
  # toolkits then show how to use the information from these providers
1431
1444
  # to get and use temporary security credentials.
1432
1445
  #
1433
- # * [Web Identity Federation with Mobile Applications][18]. This article
1434
- # discusses web identity federation and shows an example of how to use
1435
- # web identity federation to get access to content in Amazon S3.
1436
- #
1437
1446
  #
1438
1447
  #
1439
1448
  # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
1440
1449
  # [2]: http://aws.amazon.com/sdkforios/
1441
1450
  # [3]: http://aws.amazon.com/sdkforandroid/
1442
1451
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1443
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1444
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1452
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
1453
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
1445
1454
  # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
1446
1455
  # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1447
1456
  # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
@@ -1452,13 +1461,29 @@ module Aws::STS
1452
1461
  # [14]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
1453
1462
  # [15]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
1454
1463
  # [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1455
- # [17]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
1456
- # [18]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
1457
1464
  #
1458
1465
  # @option params [required, String] :role_arn
1459
1466
  # The Amazon Resource Name (ARN) of the role that the caller is
1460
1467
  # assuming.
1461
1468
  #
1469
+ # <note markdown="1"> Additional considerations apply to Amazon Cognito identity pools that
1470
+ # assume [cross-account IAM roles][1]. The trust policies of these roles
1471
+ # must accept the `cognito-identity.amazonaws.com` service principal and
1472
+ # must contain the `cognito-identity.amazonaws.com:aud` condition key to
1473
+ # restrict role assumption to users from your intended identity pools. A
1474
+ # policy that trusts Amazon Cognito identity pools without this
1475
+ # condition creates a risk that a user from an unintended identity pool
1476
+ # can assume the role. For more information, see [ Trust policies for
1477
+ # IAM roles in Basic (Classic) authentication ][2] in the *Amazon
1478
+ # Cognito Developer Guide*.
1479
+ #
1480
+ # </note>
1481
+ #
1482
+ #
1483
+ #
1484
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
1485
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies
1486
+ #
1462
1487
  # @option params [required, String] :role_session_name
1463
1488
  # An identifier for the assumed role session. Typically, you pass the
1464
1489
  # name or identifier that is associated with the user who is using your
@@ -1467,18 +1492,30 @@ module Aws::STS
1467
1492
  # is included as part of the ARN and assumed role ID in the
1468
1493
  # `AssumedRoleUser` response element.
1469
1494
  #
1495
+ # For security purposes, administrators can view this field in
1496
+ # [CloudTrail logs][1] to help identify who performed an action in
1497
+ # Amazon Web Services. Your administrator might require that you specify
1498
+ # your user name as the session name when you assume the role. For more
1499
+ # information, see [ `sts:RoleSessionName` ][2].
1500
+ #
1470
1501
  # The regex used to validate this parameter is a string of characters
1471
1502
  # consisting of upper- and lower-case alphanumeric characters with no
1472
1503
  # spaces. You can also include underscores or any of the following
1473
1504
  # characters: =,.@-
1474
1505
  #
1506
+ #
1507
+ #
1508
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
1509
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
1510
+ #
1475
1511
  # @option params [required, String] :web_identity_token
1476
1512
  # The OAuth 2.0 access token or OpenID Connect ID token that is provided
1477
1513
  # by the identity provider. Your application must get this token by
1478
1514
  # authenticating the user who is using your application with a web
1479
1515
  # identity provider before the application makes an
1480
- # `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
1481
- # (RS256) are supported.
1516
+ # `AssumeRoleWithWebIdentity` call. Timestamps in the token must be
1517
+ # formatted as either an integer or a long integer. Only tokens with RSA
1518
+ # algorithms (RS256) are supported.
1482
1519
  #
1483
1520
  # @option params [String] :provider_id
1484
1521
  # The fully qualified host component of the domain name of the OAuth 2.0
@@ -1547,6 +1584,9 @@ module Aws::STS
1547
1584
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1548
1585
  # characters.
1549
1586
  #
1587
+ # For more information about role session permissions, see [Session
1588
+ # policies][1].
1589
+ #
1550
1590
  # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
1551
1591
  # policy, managed policy ARNs, and session tags into a packed binary
1552
1592
  # format that has a separate limit. Your request can fail for this limit
@@ -1667,6 +1707,123 @@ module Aws::STS
1667
1707
  req.send_request(options)
1668
1708
  end
1669
1709
 
1710
+ # Returns a set of short term credentials you can use to perform
1711
+ # privileged tasks in a member account.
1712
+ #
1713
+ # Before you can launch a privileged session, you must have enabled
1714
+ # centralized root access in your organization. For steps to enable this
1715
+ # feature, see [Centralize root access for member accounts][1] in the
1716
+ # *IAM User Guide*.
1717
+ #
1718
+ # <note markdown="1"> The global endpoint is not supported for AssumeRoot. You must send
1719
+ # this request to a Regional STS endpoint. For more information, see
1720
+ # [Endpoints][2].
1721
+ #
1722
+ # </note>
1723
+ #
1724
+ # You can track AssumeRoot in CloudTrail logs to determine what actions
1725
+ # were performed in a session. For more information, see [Track
1726
+ # privileged tasks in CloudTrail][3] in the *IAM User Guide*.
1727
+ #
1728
+ #
1729
+ #
1730
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
1731
+ # [2]: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html#sts-endpoints
1732
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-track-privileged-tasks.html
1733
+ #
1734
+ # @option params [required, String] :target_principal
1735
+ # The member account principal ARN or account ID.
1736
+ #
1737
+ # @option params [required, Types::PolicyDescriptorType] :task_policy_arn
1738
+ # The identity based policy that scopes the session to the privileged
1739
+ # tasks that can be performed. You can use one of following Amazon Web
1740
+ # Services managed policies to scope root session actions. You can add
1741
+ # additional customer managed policies to further limit the permissions
1742
+ # for the root session.
1743
+ #
1744
+ # * [IAMAuditRootUserCredentials][1]
1745
+ #
1746
+ # * [IAMCreateRootUserPassword][2]
1747
+ #
1748
+ # * [IAMDeleteRootUserCredentials][3]
1749
+ #
1750
+ # * [S3UnlockBucketPolicy][4]
1751
+ #
1752
+ # * [SQSUnlockQueuePolicy][5]
1753
+ #
1754
+ #
1755
+ #
1756
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
1757
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
1758
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
1759
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
1760
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
1761
+ #
1762
+ # @option params [Integer] :duration_seconds
1763
+ # The duration, in seconds, of the privileged session. The value can
1764
+ # range from 0 seconds up to the maximum session duration of 900 seconds
1765
+ # (15 minutes). If you specify a value higher than this setting, the
1766
+ # operation fails.
1767
+ #
1768
+ # By default, the value is set to `900` seconds.
1769
+ #
1770
+ # @return [Types::AssumeRootResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1771
+ #
1772
+ # * {Types::AssumeRootResponse#credentials #credentials} => Types::Credentials
1773
+ # * {Types::AssumeRootResponse#source_identity #source_identity} => String
1774
+ #
1775
+ #
1776
+ # @example Example: To launch a privileged session
1777
+ #
1778
+ # # The following command retrieves a set of short-term credentials you can use to unlock an S3 bucket for a member account
1779
+ # # by removing the bucket policy.
1780
+ #
1781
+ # resp = client.assume_root({
1782
+ # duration_seconds: 900,
1783
+ # target_principal: "111122223333",
1784
+ # task_policy_arn: {
1785
+ # arn: "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy",
1786
+ # },
1787
+ # })
1788
+ #
1789
+ # resp.to_h outputs the following:
1790
+ # {
1791
+ # credentials: {
1792
+ # access_key_id: "ASIAJEXAMPLEXEG2JICEA",
1793
+ # expiration: Time.parse("2024-11-15T00:05:07Z"),
1794
+ # secret_access_key: "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
1795
+ # session_token: "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
1796
+ # },
1797
+ # source_identity: "Alice",
1798
+ # }
1799
+ #
1800
+ # @example Request syntax with placeholder values
1801
+ #
1802
+ # resp = client.assume_root({
1803
+ # target_principal: "TargetPrincipalType", # required
1804
+ # task_policy_arn: { # required
1805
+ # arn: "arnType",
1806
+ # },
1807
+ # duration_seconds: 1,
1808
+ # })
1809
+ #
1810
+ # @example Response structure
1811
+ #
1812
+ # resp.credentials.access_key_id #=> String
1813
+ # resp.credentials.secret_access_key #=> String
1814
+ # resp.credentials.session_token #=> String
1815
+ # resp.credentials.expiration #=> Time
1816
+ # resp.source_identity #=> String
1817
+ #
1818
+ # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoot AWS API Documentation
1819
+ #
1820
+ # @overload assume_root(params = {})
1821
+ # @param [Hash] params ({})
1822
+ def assume_root(params = {}, options = {})
1823
+ req = build_request(:assume_root, params)
1824
+ req.send_request(options)
1825
+ end
1826
+
1670
1827
  # Decodes additional information about the authorization status of a
1671
1828
  # request from an encoded message returned in response to an Amazon Web
1672
1829
  # Services request.
@@ -1905,8 +2062,8 @@ module Aws::STS
1905
2062
  # usually in a server-based application. For a comparison of
1906
2063
  # `GetFederationToken` with the other API operations that produce
1907
2064
  # temporary credentials, see [Requesting Temporary Security
1908
- # Credentials][1] and [Comparing the Amazon Web Services STS API
1909
- # operations][2] in the *IAM User Guide*.
2065
+ # Credentials][1] and [Compare STS credentials][2] in the *IAM User
2066
+ # Guide*.
1910
2067
  #
1911
2068
  # Although it is possible to call `GetFederationToken` using the
1912
2069
  # security credentials of an Amazon Web Services account root user
@@ -2003,7 +2160,7 @@ module Aws::STS
2003
2160
  #
2004
2161
  #
2005
2162
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
2006
- # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
2163
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
2007
2164
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
2008
2165
  # [4]: http://aws.amazon.com/cognito/
2009
2166
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
@@ -2255,8 +2412,8 @@ module Aws::STS
2255
2412
  # An incorrect MFA code causes the API to return an access denied error.
2256
2413
  # For a comparison of `GetSessionToken` with the other API operations
2257
2414
  # that produce temporary credentials, see [Requesting Temporary Security
2258
- # Credentials][1] and [Comparing the Amazon Web Services STS API
2259
- # operations][2] in the *IAM User Guide*.
2415
+ # Credentials][1] and [Compare STS credentials][2] in the *IAM User
2416
+ # Guide*.
2260
2417
  #
2261
2418
  # <note markdown="1"> No permissions are required for users to perform this operation. The
2262
2419
  # purpose of the `sts:GetSessionToken` operation is to authenticate the
@@ -2311,7 +2468,7 @@ module Aws::STS
2311
2468
  #
2312
2469
  #
2313
2470
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
2314
- # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
2471
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
2315
2472
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
2316
2473
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
2317
2474
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
@@ -2416,7 +2573,7 @@ module Aws::STS
2416
2573
  tracer: tracer
2417
2574
  )
2418
2575
  context[:gem_name] = 'aws-sdk-core'
2419
- context[:gem_version] = '3.211.0'
2576
+ context[:gem_version] = '3.213.0'
2420
2577
  Seahorse::Client::Request.new(handlers, context)
2421
2578
  end
2422
2579
 
@@ -20,6 +20,8 @@ module Aws::STS
20
20
  AssumeRoleWithSAMLResponse = Shapes::StructureShape.new(name: 'AssumeRoleWithSAMLResponse')
21
21
  AssumeRoleWithWebIdentityRequest = Shapes::StructureShape.new(name: 'AssumeRoleWithWebIdentityRequest')
22
22
  AssumeRoleWithWebIdentityResponse = Shapes::StructureShape.new(name: 'AssumeRoleWithWebIdentityResponse')
23
+ AssumeRootRequest = Shapes::StructureShape.new(name: 'AssumeRootRequest')
24
+ AssumeRootResponse = Shapes::StructureShape.new(name: 'AssumeRootResponse')
23
25
  AssumedRoleUser = Shapes::StructureShape.new(name: 'AssumedRoleUser')
24
26
  Audience = Shapes::StringShape.new(name: 'Audience')
25
27
  Credentials = Shapes::StructureShape.new(name: 'Credentials')
@@ -47,10 +49,12 @@ module Aws::STS
47
49
  ProvidedContext = Shapes::StructureShape.new(name: 'ProvidedContext')
48
50
  ProvidedContextsListType = Shapes::ListShape.new(name: 'ProvidedContextsListType')
49
51
  RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException', error: {"code"=>"RegionDisabledException", "httpStatusCode"=>403, "senderFault"=>true})
52
+ RootDurationSecondsType = Shapes::IntegerShape.new(name: 'RootDurationSecondsType')
50
53
  SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
51
54
  Subject = Shapes::StringShape.new(name: 'Subject')
52
55
  SubjectType = Shapes::StringShape.new(name: 'SubjectType')
53
56
  Tag = Shapes::StructureShape.new(name: 'Tag')
57
+ TargetPrincipalType = Shapes::StringShape.new(name: 'TargetPrincipalType')
54
58
  accessKeyIdType = Shapes::StringShape.new(name: 'accessKeyIdType')
55
59
  accessKeySecretType = Shapes::StringShape.new(name: 'accessKeySecretType')
56
60
  accountType = Shapes::StringShape.new(name: 'accountType')
@@ -148,6 +152,15 @@ module Aws::STS
148
152
  AssumeRoleWithWebIdentityResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
149
153
  AssumeRoleWithWebIdentityResponse.struct_class = Types::AssumeRoleWithWebIdentityResponse
150
154
 
155
+ AssumeRootRequest.add_member(:target_principal, Shapes::ShapeRef.new(shape: TargetPrincipalType, required: true, location_name: "TargetPrincipal"))
156
+ AssumeRootRequest.add_member(:task_policy_arn, Shapes::ShapeRef.new(shape: PolicyDescriptorType, required: true, location_name: "TaskPolicyArn"))
157
+ AssumeRootRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: RootDurationSecondsType, location_name: "DurationSeconds"))
158
+ AssumeRootRequest.struct_class = Types::AssumeRootRequest
159
+
160
+ AssumeRootResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
161
+ AssumeRootResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
162
+ AssumeRootResponse.struct_class = Types::AssumeRootResponse
163
+
151
164
  AssumedRoleUser.add_member(:assumed_role_id, Shapes::ShapeRef.new(shape: assumedRoleIdType, required: true, location_name: "AssumedRoleId"))
152
165
  AssumedRoleUser.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "Arn"))
153
166
  AssumedRoleUser.struct_class = Types::AssumedRoleUser
@@ -308,6 +321,16 @@ module Aws::STS
308
321
  o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
309
322
  end)
310
323
 
324
+ api.add_operation(:assume_root, Seahorse::Model::Operation.new.tap do |o|
325
+ o.name = "AssumeRoot"
326
+ o.http_method = "POST"
327
+ o.http_request_uri = "/"
328
+ o.input = Shapes::ShapeRef.new(shape: AssumeRootRequest)
329
+ o.output = Shapes::ShapeRef.new(shape: AssumeRootResponse)
330
+ o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
331
+ o.errors << Shapes::ShapeRef.new(shape: ExpiredTokenException)
332
+ end)
333
+
311
334
  api.add_operation(:decode_authorization_message, Seahorse::Model::Operation.new.tap do |o|
312
335
  o.name = "DecodeAuthorizationMessage"
313
336
  o.http_method = "POST"
@@ -26,10 +26,21 @@ module Aws::STS
26
26
  # that use the temporary security credentials will expose the role
27
27
  # session name to the external account in their CloudTrail logs.
28
28
  #
29
+ # For security purposes, administrators can view this field in
30
+ # [CloudTrail logs][1] to help identify who performed an action in
31
+ # Amazon Web Services. Your administrator might require that you
32
+ # specify your user name as the session name when you assume the role.
33
+ # For more information, see [ `sts:RoleSessionName` ][2].
34
+ #
29
35
  # The regex used to validate this parameter is a string of characters
30
36
  # consisting of upper- and lower-case alphanumeric characters with no
31
37
  # spaces. You can also include underscores or any of the following
32
38
  # characters: =,.@-
39
+ #
40
+ #
41
+ #
42
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
43
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
33
44
  # @return [String]
34
45
  #
35
46
  # @!attribute [rw] policy_arns
@@ -101,6 +112,9 @@ module Aws::STS
101
112
  #
102
113
  # </note>
103
114
  #
115
+ # For more information about role session permissions, see [Session
116
+ # policies][1].
117
+ #
104
118
  #
105
119
  #
106
120
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
@@ -125,8 +139,7 @@ module Aws::STS
125
139
  # However, if you assume a role using role chaining and provide a
126
140
  # `DurationSeconds` parameter value greater than one hour, the
127
141
  # operation fails. To learn how to view the maximum value for your
128
- # role, see [View the Maximum Session Duration Setting for a Role][1]
129
- # in the *IAM User Guide*.
142
+ # role, see [Update the maximum session duration for a role][1].
130
143
  #
131
144
  # By default, the value is set to `3600` seconds.
132
145
  #
@@ -142,7 +155,7 @@ module Aws::STS
142
155
  #
143
156
  #
144
157
  #
145
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
158
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
146
159
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
147
160
  # @return [Integer]
148
161
  #
@@ -199,9 +212,8 @@ module Aws::STS
199
212
  # passes to subsequent sessions in a role chain. For more information,
200
213
  # see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
201
214
  #
202
- # This parameter is optional. When you set session tags as transitive,
203
- # the session policy and session tags packed binary limit is not
204
- # affected.
215
+ # This parameter is optional. The transitive status of a session tag
216
+ # does not impact its packed binary size.
205
217
  #
206
218
  # If you choose not to specify a transitive tag key, then no tags are
207
219
  # passed from this session to any subsequent sessions.
@@ -263,17 +275,18 @@ module Aws::STS
263
275
  #
264
276
  # @!attribute [rw] source_identity
265
277
  # The source identity specified by the principal that is calling the
266
- # `AssumeRole` operation.
278
+ # `AssumeRole` operation. The source identity value persists across
279
+ # [chained role][1] sessions.
267
280
  #
268
281
  # You can require users to specify a source identity when they assume
269
- # a role. You do this by using the `sts:SourceIdentity` condition key
270
- # in a role trust policy. You can use source identity information in
271
- # CloudTrail logs to determine who took actions with a role. You can
272
- # use the `aws:SourceIdentity` condition key to further control access
273
- # to Amazon Web Services resources based on the value of source
274
- # identity. For more information about using source identity, see
275
- # [Monitor and control actions taken with assumed roles][1] in the
276
- # *IAM User Guide*.
282
+ # a role. You do this by using the [ `sts:SourceIdentity` ][2]
283
+ # condition key in a role trust policy. You can use source identity
284
+ # information in CloudTrail logs to determine who took actions with a
285
+ # role. You can use the `aws:SourceIdentity` condition key to further
286
+ # control access to Amazon Web Services resources based on the value
287
+ # of source identity. For more information about using source
288
+ # identity, see [Monitor and control actions taken with assumed
289
+ # roles][3] in the *IAM User Guide*.
277
290
  #
278
291
  # The regex used to validate this parameter is a string of characters
279
292
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -284,7 +297,9 @@ module Aws::STS
284
297
  #
285
298
  #
286
299
  #
287
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
300
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
301
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity
302
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
288
303
  # @return [String]
289
304
  #
290
305
  # @!attribute [rw] provided_contexts
@@ -297,7 +312,7 @@ module Aws::STS
297
312
  # context provider from which the trusted context assertion was
298
313
  # generated.
299
314
  #
300
- # `[\{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"\}]`
315
+ # `[{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]`
301
316
  # @return [Array<Types::ProvidedContext>]
302
317
  #
303
318
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
@@ -465,6 +480,9 @@ module Aws::STS
465
480
  # include the tab (\\u0009), linefeed (\\u000A), and carriage return
466
481
  # (\\u000D) characters.
467
482
  #
483
+ # For more information about role session permissions, see [Session
484
+ # policies][1].
485
+ #
468
486
  # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
469
487
  # session policy, managed policy ARNs, and session tags into a packed
470
488
  # binary format that has a separate limit. Your request can fail for
@@ -600,6 +618,8 @@ module Aws::STS
600
618
  #
601
619
  # @!attribute [rw] source_identity
602
620
  # The value in the `SourceIdentity` attribute in the SAML assertion.
621
+ # The source identity value persists across [chained role][1]
622
+ # sessions.
603
623
  #
604
624
  # You can require users to set a source identity value when they
605
625
  # assume a role. You do this by using the `sts:SourceIdentity`
@@ -607,12 +627,12 @@ module Aws::STS
607
627
  # taken with the role are associated with that user. After the source
608
628
  # identity is set, the value cannot be changed. It is present in the
609
629
  # request for all actions that are taken by the role and persists
610
- # across [chained role][1] sessions. You can configure your SAML
630
+ # across [chained role][2] sessions. You can configure your SAML
611
631
  # identity provider to use an attribute associated with your users,
612
632
  # like user name or email, as the source identity when calling
613
633
  # `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
614
634
  # assertion. For more information about using source identity, see
615
- # [Monitor and control actions taken with assumed roles][2] in the
635
+ # [Monitor and control actions taken with assumed roles][3] in the
616
636
  # *IAM User Guide*.
617
637
  #
618
638
  # The regex used to validate this parameter is a string of characters
@@ -622,8 +642,9 @@ module Aws::STS
622
642
  #
623
643
  #
624
644
  #
625
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
626
- # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
645
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
646
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
647
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
627
648
  # @return [String]
628
649
  #
629
650
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
@@ -645,6 +666,24 @@ module Aws::STS
645
666
  # @!attribute [rw] role_arn
646
667
  # The Amazon Resource Name (ARN) of the role that the caller is
647
668
  # assuming.
669
+ #
670
+ # <note markdown="1"> Additional considerations apply to Amazon Cognito identity pools
671
+ # that assume [cross-account IAM roles][1]. The trust policies of
672
+ # these roles must accept the `cognito-identity.amazonaws.com` service
673
+ # principal and must contain the `cognito-identity.amazonaws.com:aud`
674
+ # condition key to restrict role assumption to users from your
675
+ # intended identity pools. A policy that trusts Amazon Cognito
676
+ # identity pools without this condition creates a risk that a user
677
+ # from an unintended identity pool can assume the role. For more
678
+ # information, see [ Trust policies for IAM roles in Basic (Classic)
679
+ # authentication ][2] in the *Amazon Cognito Developer Guide*.
680
+ #
681
+ # </note>
682
+ #
683
+ #
684
+ #
685
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
686
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies
648
687
  # @return [String]
649
688
  #
650
689
  # @!attribute [rw] role_session_name
@@ -655,10 +694,21 @@ module Aws::STS
655
694
  # session name is included as part of the ARN and assumed role ID in
656
695
  # the `AssumedRoleUser` response element.
657
696
  #
697
+ # For security purposes, administrators can view this field in
698
+ # [CloudTrail logs][1] to help identify who performed an action in
699
+ # Amazon Web Services. Your administrator might require that you
700
+ # specify your user name as the session name when you assume the role.
701
+ # For more information, see [ `sts:RoleSessionName` ][2].
702
+ #
658
703
  # The regex used to validate this parameter is a string of characters
659
704
  # consisting of upper- and lower-case alphanumeric characters with no
660
705
  # spaces. You can also include underscores or any of the following
661
706
  # characters: =,.@-
707
+ #
708
+ #
709
+ #
710
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
711
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
662
712
  # @return [String]
663
713
  #
664
714
  # @!attribute [rw] web_identity_token
@@ -666,8 +716,9 @@ module Aws::STS
666
716
  # provided by the identity provider. Your application must get this
667
717
  # token by authenticating the user who is using your application with
668
718
  # a web identity provider before the application makes an
669
- # `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
670
- # (RS256) are supported.
719
+ # `AssumeRoleWithWebIdentity` call. Timestamps in the token must be
720
+ # formatted as either an integer or a long integer. Only tokens with
721
+ # RSA algorithms (RS256) are supported.
671
722
  # @return [String]
672
723
  #
673
724
  # @!attribute [rw] provider_id
@@ -741,6 +792,9 @@ module Aws::STS
741
792
  # include the tab (\\u0009), linefeed (\\u000A), and carriage return
742
793
  # (\\u000D) characters.
743
794
  #
795
+ # For more information about role session permissions, see [Session
796
+ # policies][1].
797
+ #
744
798
  # <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
745
799
  # session policy, managed policy ARNs, and session tags into a packed
746
800
  # binary format that has a separate limit. Your request can fail for
@@ -881,7 +935,7 @@ module Aws::STS
881
935
  #
882
936
  #
883
937
  #
884
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
938
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
885
939
  # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
886
940
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
887
941
  # @return [String]
@@ -900,6 +954,94 @@ module Aws::STS
900
954
  include Aws::Structure
901
955
  end
902
956
 
957
+ # @!attribute [rw] target_principal
958
+ # The member account principal ARN or account ID.
959
+ # @return [String]
960
+ #
961
+ # @!attribute [rw] task_policy_arn
962
+ # The identity based policy that scopes the session to the privileged
963
+ # tasks that can be performed. You can use one of following Amazon Web
964
+ # Services managed policies to scope root session actions. You can add
965
+ # additional customer managed policies to further limit the
966
+ # permissions for the root session.
967
+ #
968
+ # * [IAMAuditRootUserCredentials][1]
969
+ #
970
+ # * [IAMCreateRootUserPassword][2]
971
+ #
972
+ # * [IAMDeleteRootUserCredentials][3]
973
+ #
974
+ # * [S3UnlockBucketPolicy][4]
975
+ #
976
+ # * [SQSUnlockQueuePolicy][5]
977
+ #
978
+ #
979
+ #
980
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
981
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
982
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
983
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
984
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
985
+ # @return [Types::PolicyDescriptorType]
986
+ #
987
+ # @!attribute [rw] duration_seconds
988
+ # The duration, in seconds, of the privileged session. The value can
989
+ # range from 0 seconds up to the maximum session duration of 900
990
+ # seconds (15 minutes). If you specify a value higher than this
991
+ # setting, the operation fails.
992
+ #
993
+ # By default, the value is set to `900` seconds.
994
+ # @return [Integer]
995
+ #
996
+ # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRootRequest AWS API Documentation
997
+ #
998
+ class AssumeRootRequest < Struct.new(
999
+ :target_principal,
1000
+ :task_policy_arn,
1001
+ :duration_seconds)
1002
+ SENSITIVE = []
1003
+ include Aws::Structure
1004
+ end
1005
+
1006
+ # @!attribute [rw] credentials
1007
+ # The temporary security credentials, which include an access key ID,
1008
+ # a secret access key, and a security token.
1009
+ #
1010
+ # <note markdown="1"> The size of the security token that STS API operations return is not
1011
+ # fixed. We strongly recommend that you make no assumptions about the
1012
+ # maximum size.
1013
+ #
1014
+ # </note>
1015
+ # @return [Types::Credentials]
1016
+ #
1017
+ # @!attribute [rw] source_identity
1018
+ # The source identity specified by the principal that is calling the
1019
+ # `AssumeRoot` operation.
1020
+ #
1021
+ # You can use the `aws:SourceIdentity` condition key to control access
1022
+ # based on the value of source identity. For more information about
1023
+ # using source identity, see [Monitor and control actions taken with
1024
+ # assumed roles][1] in the *IAM User Guide*.
1025
+ #
1026
+ # The regex used to validate this parameter is a string of characters
1027
+ # consisting of upper- and lower-case alphanumeric characters with no
1028
+ # spaces. You can also include underscores or any of the following
1029
+ # characters: =,.@-
1030
+ #
1031
+ #
1032
+ #
1033
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
1034
+ # @return [String]
1035
+ #
1036
+ # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRootResponse AWS API Documentation
1037
+ #
1038
+ class AssumeRootResponse < Struct.new(
1039
+ :credentials,
1040
+ :source_identity)
1041
+ SENSITIVE = []
1042
+ include Aws::Structure
1043
+ end
1044
+
903
1045
  # The identifiers for the temporary security credentials that the
904
1046
  # operation returns.
905
1047
  #
@@ -1419,7 +1561,8 @@ module Aws::STS
1419
1561
 
1420
1562
  # The error returned if the message passed to
1421
1563
  # `DecodeAuthorizationMessage` was invalid. This can happen if the token
1422
- # contains invalid characters, such as linebreaks.
1564
+ # contains invalid characters, such as line breaks, or if the message
1565
+ # has expired.
1423
1566
  #
1424
1567
  # @!attribute [rw] message
1425
1568
  # @return [String]
@@ -1539,8 +1682,8 @@ module Aws::STS
1539
1682
  # STS is not activated in the requested region for the account that is
1540
1683
  # being asked to generate credentials. The account administrator must
1541
1684
  # use the IAM console to activate STS in that region. For more
1542
- # information, see [Activating and Deactivating Amazon Web Services STS
1543
- # in an Amazon Web Services Region][1] in the *IAM User Guide*.
1685
+ # information, see [Activating and Deactivating STS in an Amazon Web
1686
+ # Services Region][1] in the *IAM User Guide*.
1544
1687
  #
1545
1688
  #
1546
1689
  #
data/lib/aws-sdk-sts.rb CHANGED
@@ -56,7 +56,7 @@ module Aws::STS
56
56
  autoload :EndpointProvider, 'aws-sdk-sts/endpoint_provider'
57
57
  autoload :Endpoints, 'aws-sdk-sts/endpoints'
58
58
 
59
- GEM_VERSION = '3.211.0'
59
+ GEM_VERSION = '3.213.0'
60
60
 
61
61
  end
62
62
 
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sdk-core
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.211.0
4
+ version: 3.213.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-10-21 00:00:00.000000000 Z
11
+ date: 2024-11-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: jmespath