aws-sdk-core 3.211.0 → 3.213.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-ssooidc/client.rb +1 -1
- data/lib/aws-sdk-ssooidc.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +208 -51
- data/lib/aws-sdk-sts/client_api.rb +23 -0
- data/lib/aws-sdk-sts/types.rb +170 -27
- data/lib/aws-sdk-sts.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a6f3a73413b33e6f06d9906357757e3ddd53a140b8abe22a7b61c8a316c090b9
|
4
|
+
data.tar.gz: 3e67a072f69d008280dc9b6385c6d269e81bb4441925c61fa344dd9c54092d6f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 413f47ca0e62d52310466498a472288f180b1c0c16923e243354f07c2798f467f025c556a6ec2cb97cfd903c0e54d886b8271bc8bc94633383b078ca50df56fe
|
7
|
+
data.tar.gz: 2848664939e23d6e71900b72c63628d17214167e49927f692e3d64abed012f936ffde0fe2267611103bc0c0f00139c77b99a0095e035bae0a5b0e2a2d879361e
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,18 @@
|
|
1
1
|
Unreleased Changes
|
2
2
|
------------------
|
3
3
|
|
4
|
+
3.213.0 (2024-11-14)
|
5
|
+
------------------
|
6
|
+
|
7
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
8
|
+
|
9
|
+
* Feature - This release introduces the new API 'AssumeRoot', which returns short-term credentials that you can use to perform privileged tasks.
|
10
|
+
|
11
|
+
3.212.0 (2024-11-06)
|
12
|
+
------------------
|
13
|
+
|
14
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
15
|
+
|
4
16
|
3.211.0 (2024-10-21)
|
5
17
|
------------------
|
6
18
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.213.0
|
data/lib/aws-sdk-sso/client.rb
CHANGED
data/lib/aws-sdk-sso.rb
CHANGED
data/lib/aws-sdk-ssooidc.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -460,8 +460,8 @@ module Aws::STS
|
|
460
460
|
# token. Typically, you use `AssumeRole` within your account or for
|
461
461
|
# cross-account access. For a comparison of `AssumeRole` with other API
|
462
462
|
# operations that produce temporary credentials, see [Requesting
|
463
|
-
# Temporary Security Credentials][1] and [
|
464
|
-
#
|
463
|
+
# Temporary Security Credentials][1] and [Compare STS credentials][2] in
|
464
|
+
# the *IAM User Guide*.
|
465
465
|
#
|
466
466
|
# **Permissions**
|
467
467
|
#
|
@@ -470,9 +470,9 @@ module Aws::STS
|
|
470
470
|
# following exception: You cannot call the Amazon Web Services STS
|
471
471
|
# `GetFederationToken` or `GetSessionToken` API operations.
|
472
472
|
#
|
473
|
-
# (Optional) You can pass inline or managed
|
474
|
-
#
|
475
|
-
#
|
473
|
+
# (Optional) You can pass inline or managed session policies to this
|
474
|
+
# operation. You can pass a single JSON policy document to use as an
|
475
|
+
# inline session policy. You can also specify up to 10 managed policy
|
476
476
|
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
477
477
|
# plaintext that you use for both inline and managed session policies
|
478
478
|
# can't exceed 2,048 characters. Passing policies to this operation
|
@@ -545,7 +545,7 @@ module Aws::STS
|
|
545
545
|
# denied. The condition in a trust policy that tests for MFA
|
546
546
|
# authentication might look like the following example.
|
547
547
|
#
|
548
|
-
# `"Condition":
|
548
|
+
# `"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}`
|
549
549
|
#
|
550
550
|
# For more information, see [Configuring MFA-Protected API Access][8] in
|
551
551
|
# the *IAM User Guide* guide.
|
@@ -558,7 +558,7 @@ module Aws::STS
|
|
558
558
|
#
|
559
559
|
#
|
560
560
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
561
|
-
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
561
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
|
562
562
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
563
563
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
|
564
564
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
@@ -581,11 +581,22 @@ module Aws::STS
|
|
581
581
|
# credentials will expose the role session name to the external account
|
582
582
|
# in their CloudTrail logs.
|
583
583
|
#
|
584
|
+
# For security purposes, administrators can view this field in
|
585
|
+
# [CloudTrail logs][1] to help identify who performed an action in
|
586
|
+
# Amazon Web Services. Your administrator might require that you specify
|
587
|
+
# your user name as the session name when you assume the role. For more
|
588
|
+
# information, see [ `sts:RoleSessionName` ][2].
|
589
|
+
#
|
584
590
|
# The regex used to validate this parameter is a string of characters
|
585
591
|
# consisting of upper- and lower-case alphanumeric characters with no
|
586
592
|
# spaces. You can also include underscores or any of the following
|
587
593
|
# characters: =,.@-
|
588
594
|
#
|
595
|
+
#
|
596
|
+
#
|
597
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
|
598
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
|
599
|
+
#
|
589
600
|
# @option params [Array<Types::PolicyDescriptorType>] :policy_arns
|
590
601
|
# The Amazon Resource Names (ARNs) of the IAM managed policies that you
|
591
602
|
# want to use as managed session policies. The policies must exist in
|
@@ -651,6 +662,9 @@ module Aws::STS
|
|
651
662
|
#
|
652
663
|
# </note>
|
653
664
|
#
|
665
|
+
# For more information about role session permissions, see [Session
|
666
|
+
# policies][1].
|
667
|
+
#
|
654
668
|
#
|
655
669
|
#
|
656
670
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
@@ -673,9 +687,8 @@ module Aws::STS
|
|
673
687
|
# depending on the maximum session duration setting for your role.
|
674
688
|
# However, if you assume a role using role chaining and provide a
|
675
689
|
# `DurationSeconds` parameter value greater than one hour, the operation
|
676
|
-
# fails. To learn how to view the maximum value for your role, see
|
677
|
-
# the
|
678
|
-
# Guide*.
|
690
|
+
# fails. To learn how to view the maximum value for your role, see
|
691
|
+
# [Update the maximum session duration for a role][1].
|
679
692
|
#
|
680
693
|
# By default, the value is set to `3600` seconds.
|
681
694
|
#
|
@@ -691,7 +704,7 @@ module Aws::STS
|
|
691
704
|
#
|
692
705
|
#
|
693
706
|
#
|
694
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
707
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
|
695
708
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
|
696
709
|
#
|
697
710
|
# @option params [Array<Types::Tag>] :tags
|
@@ -744,9 +757,8 @@ module Aws::STS
|
|
744
757
|
# passes to subsequent sessions in a role chain. For more information,
|
745
758
|
# see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
|
746
759
|
#
|
747
|
-
# This parameter is optional.
|
748
|
-
#
|
749
|
-
# affected.
|
760
|
+
# This parameter is optional. The transitive status of a session tag
|
761
|
+
# does not impact its packed binary size.
|
750
762
|
#
|
751
763
|
# If you choose not to specify a transitive tag key, then no tags are
|
752
764
|
# passed from this session to any subsequent sessions.
|
@@ -804,16 +816,17 @@ module Aws::STS
|
|
804
816
|
#
|
805
817
|
# @option params [String] :source_identity
|
806
818
|
# The source identity specified by the principal that is calling the
|
807
|
-
# `AssumeRole` operation.
|
819
|
+
# `AssumeRole` operation. The source identity value persists across
|
820
|
+
# [chained role][1] sessions.
|
808
821
|
#
|
809
822
|
# You can require users to specify a source identity when they assume a
|
810
|
-
# role. You do this by using the `sts:SourceIdentity` condition
|
811
|
-
# role trust policy. You can use source identity information in
|
823
|
+
# role. You do this by using the [ `sts:SourceIdentity` ][2] condition
|
824
|
+
# key in a role trust policy. You can use source identity information in
|
812
825
|
# CloudTrail logs to determine who took actions with a role. You can use
|
813
826
|
# the `aws:SourceIdentity` condition key to further control access to
|
814
827
|
# Amazon Web Services resources based on the value of source identity.
|
815
828
|
# For more information about using source identity, see [Monitor and
|
816
|
-
# control actions taken with assumed roles][
|
829
|
+
# control actions taken with assumed roles][3] in the *IAM User Guide*.
|
817
830
|
#
|
818
831
|
# The regex used to validate this parameter is a string of characters
|
819
832
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -823,7 +836,9 @@ module Aws::STS
|
|
823
836
|
#
|
824
837
|
#
|
825
838
|
#
|
826
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
839
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
|
840
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity
|
841
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
827
842
|
#
|
828
843
|
# @option params [Array<Types::ProvidedContext>] :provided_contexts
|
829
844
|
# A list of previously acquired trusted context assertions in the format
|
@@ -834,7 +849,7 @@ module Aws::STS
|
|
834
849
|
# a single trusted context assertion and the ARN of the context provider
|
835
850
|
# from which the trusted context assertion was generated.
|
836
851
|
#
|
837
|
-
# `[
|
852
|
+
# `[{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]`
|
838
853
|
#
|
839
854
|
# @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
840
855
|
#
|
@@ -944,8 +959,8 @@ module Aws::STS
|
|
944
959
|
# user-specific credentials or configuration. For a comparison of
|
945
960
|
# `AssumeRoleWithSAML` with the other API operations that produce
|
946
961
|
# temporary credentials, see [Requesting Temporary Security
|
947
|
-
# Credentials][1] and [
|
948
|
-
#
|
962
|
+
# Credentials][1] and [Compare STS credentials][2] in the *IAM User
|
963
|
+
# Guide*.
|
949
964
|
#
|
950
965
|
# The temporary security credentials returned by this operation consist
|
951
966
|
# of an access key ID, a secret access key, and a security token.
|
@@ -1075,7 +1090,7 @@ module Aws::STS
|
|
1075
1090
|
#
|
1076
1091
|
#
|
1077
1092
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1078
|
-
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1093
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
|
1079
1094
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
1080
1095
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
1081
1096
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
|
@@ -1163,6 +1178,9 @@ module Aws::STS
|
|
1163
1178
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1164
1179
|
# characters.
|
1165
1180
|
#
|
1181
|
+
# For more information about role session permissions, see [Session
|
1182
|
+
# policies][1].
|
1183
|
+
#
|
1166
1184
|
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
1167
1185
|
# policy, managed policy ARNs, and session tags into a packed binary
|
1168
1186
|
# format that has a separate limit. Your request can fail for this limit
|
@@ -1317,8 +1335,8 @@ module Aws::STS
|
|
1317
1335
|
# a token from the web identity provider. For a comparison of
|
1318
1336
|
# `AssumeRoleWithWebIdentity` with the other API operations that produce
|
1319
1337
|
# temporary credentials, see [Requesting Temporary Security
|
1320
|
-
# Credentials][4] and [
|
1321
|
-
#
|
1338
|
+
# Credentials][4] and [Compare STS credentials][5] in the *IAM User
|
1339
|
+
# Guide*.
|
1322
1340
|
#
|
1323
1341
|
# The temporary security credentials returned by this API consist of an
|
1324
1342
|
# access key ID, a secret access key, and a security token. Applications
|
@@ -1333,9 +1351,9 @@ module Aws::STS
|
|
1333
1351
|
# your session. You can provide a value from 900 seconds (15 minutes) up
|
1334
1352
|
# to the maximum session duration setting for the role. This setting can
|
1335
1353
|
# have a value from 1 hour to 12 hours. To learn how to view the maximum
|
1336
|
-
# value for your role, see [
|
1337
|
-
#
|
1338
|
-
#
|
1354
|
+
# value for your role, see [Update the maximum session duration for a
|
1355
|
+
# role ][6] in the *IAM User Guide*. The maximum session duration limit
|
1356
|
+
# applies when you use the `AssumeRole*` API operations or the
|
1339
1357
|
# `assume-role*` CLI commands. However the limit does not apply when you
|
1340
1358
|
# use those operations to create a console URL. For more information,
|
1341
1359
|
# see [Using IAM Roles][7] in the *IAM User Guide*.
|
@@ -1413,35 +1431,26 @@ module Aws::STS
|
|
1413
1431
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
1414
1432
|
# specification][14].
|
1415
1433
|
#
|
1416
|
-
# For more information about how to use
|
1434
|
+
# For more information about how to use OIDC federation and the
|
1417
1435
|
# `AssumeRoleWithWebIdentity` API, see the following resources:
|
1418
1436
|
#
|
1419
1437
|
# * [Using Web Identity Federation API Operations for Mobile Apps][15]
|
1420
1438
|
# and [Federation Through a Web-based Identity Provider][16].
|
1421
1439
|
#
|
1422
|
-
# * [ Web Identity Federation Playground][17]. Walk through the process
|
1423
|
-
# of authenticating through Login with Amazon, Facebook, or Google,
|
1424
|
-
# getting temporary security credentials, and then using those
|
1425
|
-
# credentials to make a request to Amazon Web Services.
|
1426
|
-
#
|
1427
1440
|
# * [Amazon Web Services SDK for iOS Developer Guide][2] and [Amazon Web
|
1428
1441
|
# Services SDK for Android Developer Guide][3]. These toolkits contain
|
1429
1442
|
# sample apps that show how to invoke the identity providers. The
|
1430
1443
|
# toolkits then show how to use the information from these providers
|
1431
1444
|
# to get and use temporary security credentials.
|
1432
1445
|
#
|
1433
|
-
# * [Web Identity Federation with Mobile Applications][18]. This article
|
1434
|
-
# discusses web identity federation and shows an example of how to use
|
1435
|
-
# web identity federation to get access to content in Amazon S3.
|
1436
|
-
#
|
1437
1446
|
#
|
1438
1447
|
#
|
1439
1448
|
# [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
|
1440
1449
|
# [2]: http://aws.amazon.com/sdkforios/
|
1441
1450
|
# [3]: http://aws.amazon.com/sdkforandroid/
|
1442
1451
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1443
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1444
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1452
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
|
1453
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
|
1445
1454
|
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
1446
1455
|
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1447
1456
|
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
@@ -1452,13 +1461,29 @@ module Aws::STS
|
|
1452
1461
|
# [14]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
1453
1462
|
# [15]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
|
1454
1463
|
# [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
1455
|
-
# [17]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
|
1456
|
-
# [18]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
1457
1464
|
#
|
1458
1465
|
# @option params [required, String] :role_arn
|
1459
1466
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
1460
1467
|
# assuming.
|
1461
1468
|
#
|
1469
|
+
# <note markdown="1"> Additional considerations apply to Amazon Cognito identity pools that
|
1470
|
+
# assume [cross-account IAM roles][1]. The trust policies of these roles
|
1471
|
+
# must accept the `cognito-identity.amazonaws.com` service principal and
|
1472
|
+
# must contain the `cognito-identity.amazonaws.com:aud` condition key to
|
1473
|
+
# restrict role assumption to users from your intended identity pools. A
|
1474
|
+
# policy that trusts Amazon Cognito identity pools without this
|
1475
|
+
# condition creates a risk that a user from an unintended identity pool
|
1476
|
+
# can assume the role. For more information, see [ Trust policies for
|
1477
|
+
# IAM roles in Basic (Classic) authentication ][2] in the *Amazon
|
1478
|
+
# Cognito Developer Guide*.
|
1479
|
+
#
|
1480
|
+
# </note>
|
1481
|
+
#
|
1482
|
+
#
|
1483
|
+
#
|
1484
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
|
1485
|
+
# [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies
|
1486
|
+
#
|
1462
1487
|
# @option params [required, String] :role_session_name
|
1463
1488
|
# An identifier for the assumed role session. Typically, you pass the
|
1464
1489
|
# name or identifier that is associated with the user who is using your
|
@@ -1467,18 +1492,30 @@ module Aws::STS
|
|
1467
1492
|
# is included as part of the ARN and assumed role ID in the
|
1468
1493
|
# `AssumedRoleUser` response element.
|
1469
1494
|
#
|
1495
|
+
# For security purposes, administrators can view this field in
|
1496
|
+
# [CloudTrail logs][1] to help identify who performed an action in
|
1497
|
+
# Amazon Web Services. Your administrator might require that you specify
|
1498
|
+
# your user name as the session name when you assume the role. For more
|
1499
|
+
# information, see [ `sts:RoleSessionName` ][2].
|
1500
|
+
#
|
1470
1501
|
# The regex used to validate this parameter is a string of characters
|
1471
1502
|
# consisting of upper- and lower-case alphanumeric characters with no
|
1472
1503
|
# spaces. You can also include underscores or any of the following
|
1473
1504
|
# characters: =,.@-
|
1474
1505
|
#
|
1506
|
+
#
|
1507
|
+
#
|
1508
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
|
1509
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
|
1510
|
+
#
|
1475
1511
|
# @option params [required, String] :web_identity_token
|
1476
1512
|
# The OAuth 2.0 access token or OpenID Connect ID token that is provided
|
1477
1513
|
# by the identity provider. Your application must get this token by
|
1478
1514
|
# authenticating the user who is using your application with a web
|
1479
1515
|
# identity provider before the application makes an
|
1480
|
-
# `AssumeRoleWithWebIdentity` call.
|
1481
|
-
#
|
1516
|
+
# `AssumeRoleWithWebIdentity` call. Timestamps in the token must be
|
1517
|
+
# formatted as either an integer or a long integer. Only tokens with RSA
|
1518
|
+
# algorithms (RS256) are supported.
|
1482
1519
|
#
|
1483
1520
|
# @option params [String] :provider_id
|
1484
1521
|
# The fully qualified host component of the domain name of the OAuth 2.0
|
@@ -1547,6 +1584,9 @@ module Aws::STS
|
|
1547
1584
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1548
1585
|
# characters.
|
1549
1586
|
#
|
1587
|
+
# For more information about role session permissions, see [Session
|
1588
|
+
# policies][1].
|
1589
|
+
#
|
1550
1590
|
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline session
|
1551
1591
|
# policy, managed policy ARNs, and session tags into a packed binary
|
1552
1592
|
# format that has a separate limit. Your request can fail for this limit
|
@@ -1667,6 +1707,123 @@ module Aws::STS
|
|
1667
1707
|
req.send_request(options)
|
1668
1708
|
end
|
1669
1709
|
|
1710
|
+
# Returns a set of short term credentials you can use to perform
|
1711
|
+
# privileged tasks in a member account.
|
1712
|
+
#
|
1713
|
+
# Before you can launch a privileged session, you must have enabled
|
1714
|
+
# centralized root access in your organization. For steps to enable this
|
1715
|
+
# feature, see [Centralize root access for member accounts][1] in the
|
1716
|
+
# *IAM User Guide*.
|
1717
|
+
#
|
1718
|
+
# <note markdown="1"> The global endpoint is not supported for AssumeRoot. You must send
|
1719
|
+
# this request to a Regional STS endpoint. For more information, see
|
1720
|
+
# [Endpoints][2].
|
1721
|
+
#
|
1722
|
+
# </note>
|
1723
|
+
#
|
1724
|
+
# You can track AssumeRoot in CloudTrail logs to determine what actions
|
1725
|
+
# were performed in a session. For more information, see [Track
|
1726
|
+
# privileged tasks in CloudTrail][3] in the *IAM User Guide*.
|
1727
|
+
#
|
1728
|
+
#
|
1729
|
+
#
|
1730
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
|
1731
|
+
# [2]: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html#sts-endpoints
|
1732
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-track-privileged-tasks.html
|
1733
|
+
#
|
1734
|
+
# @option params [required, String] :target_principal
|
1735
|
+
# The member account principal ARN or account ID.
|
1736
|
+
#
|
1737
|
+
# @option params [required, Types::PolicyDescriptorType] :task_policy_arn
|
1738
|
+
# The identity based policy that scopes the session to the privileged
|
1739
|
+
# tasks that can be performed. You can use one of following Amazon Web
|
1740
|
+
# Services managed policies to scope root session actions. You can add
|
1741
|
+
# additional customer managed policies to further limit the permissions
|
1742
|
+
# for the root session.
|
1743
|
+
#
|
1744
|
+
# * [IAMAuditRootUserCredentials][1]
|
1745
|
+
#
|
1746
|
+
# * [IAMCreateRootUserPassword][2]
|
1747
|
+
#
|
1748
|
+
# * [IAMDeleteRootUserCredentials][3]
|
1749
|
+
#
|
1750
|
+
# * [S3UnlockBucketPolicy][4]
|
1751
|
+
#
|
1752
|
+
# * [SQSUnlockQueuePolicy][5]
|
1753
|
+
#
|
1754
|
+
#
|
1755
|
+
#
|
1756
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
|
1757
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
|
1758
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
|
1759
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
|
1760
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
|
1761
|
+
#
|
1762
|
+
# @option params [Integer] :duration_seconds
|
1763
|
+
# The duration, in seconds, of the privileged session. The value can
|
1764
|
+
# range from 0 seconds up to the maximum session duration of 900 seconds
|
1765
|
+
# (15 minutes). If you specify a value higher than this setting, the
|
1766
|
+
# operation fails.
|
1767
|
+
#
|
1768
|
+
# By default, the value is set to `900` seconds.
|
1769
|
+
#
|
1770
|
+
# @return [Types::AssumeRootResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1771
|
+
#
|
1772
|
+
# * {Types::AssumeRootResponse#credentials #credentials} => Types::Credentials
|
1773
|
+
# * {Types::AssumeRootResponse#source_identity #source_identity} => String
|
1774
|
+
#
|
1775
|
+
#
|
1776
|
+
# @example Example: To launch a privileged session
|
1777
|
+
#
|
1778
|
+
# # The following command retrieves a set of short-term credentials you can use to unlock an S3 bucket for a member account
|
1779
|
+
# # by removing the bucket policy.
|
1780
|
+
#
|
1781
|
+
# resp = client.assume_root({
|
1782
|
+
# duration_seconds: 900,
|
1783
|
+
# target_principal: "111122223333",
|
1784
|
+
# task_policy_arn: {
|
1785
|
+
# arn: "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy",
|
1786
|
+
# },
|
1787
|
+
# })
|
1788
|
+
#
|
1789
|
+
# resp.to_h outputs the following:
|
1790
|
+
# {
|
1791
|
+
# credentials: {
|
1792
|
+
# access_key_id: "ASIAJEXAMPLEXEG2JICEA",
|
1793
|
+
# expiration: Time.parse("2024-11-15T00:05:07Z"),
|
1794
|
+
# secret_access_key: "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
|
1795
|
+
# session_token: "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
|
1796
|
+
# },
|
1797
|
+
# source_identity: "Alice",
|
1798
|
+
# }
|
1799
|
+
#
|
1800
|
+
# @example Request syntax with placeholder values
|
1801
|
+
#
|
1802
|
+
# resp = client.assume_root({
|
1803
|
+
# target_principal: "TargetPrincipalType", # required
|
1804
|
+
# task_policy_arn: { # required
|
1805
|
+
# arn: "arnType",
|
1806
|
+
# },
|
1807
|
+
# duration_seconds: 1,
|
1808
|
+
# })
|
1809
|
+
#
|
1810
|
+
# @example Response structure
|
1811
|
+
#
|
1812
|
+
# resp.credentials.access_key_id #=> String
|
1813
|
+
# resp.credentials.secret_access_key #=> String
|
1814
|
+
# resp.credentials.session_token #=> String
|
1815
|
+
# resp.credentials.expiration #=> Time
|
1816
|
+
# resp.source_identity #=> String
|
1817
|
+
#
|
1818
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoot AWS API Documentation
|
1819
|
+
#
|
1820
|
+
# @overload assume_root(params = {})
|
1821
|
+
# @param [Hash] params ({})
|
1822
|
+
def assume_root(params = {}, options = {})
|
1823
|
+
req = build_request(:assume_root, params)
|
1824
|
+
req.send_request(options)
|
1825
|
+
end
|
1826
|
+
|
1670
1827
|
# Decodes additional information about the authorization status of a
|
1671
1828
|
# request from an encoded message returned in response to an Amazon Web
|
1672
1829
|
# Services request.
|
@@ -1905,8 +2062,8 @@ module Aws::STS
|
|
1905
2062
|
# usually in a server-based application. For a comparison of
|
1906
2063
|
# `GetFederationToken` with the other API operations that produce
|
1907
2064
|
# temporary credentials, see [Requesting Temporary Security
|
1908
|
-
# Credentials][1] and [
|
1909
|
-
#
|
2065
|
+
# Credentials][1] and [Compare STS credentials][2] in the *IAM User
|
2066
|
+
# Guide*.
|
1910
2067
|
#
|
1911
2068
|
# Although it is possible to call `GetFederationToken` using the
|
1912
2069
|
# security credentials of an Amazon Web Services account root user
|
@@ -2003,7 +2160,7 @@ module Aws::STS
|
|
2003
2160
|
#
|
2004
2161
|
#
|
2005
2162
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
2006
|
-
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
2163
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
|
2007
2164
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
|
2008
2165
|
# [4]: http://aws.amazon.com/cognito/
|
2009
2166
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
@@ -2255,8 +2412,8 @@ module Aws::STS
|
|
2255
2412
|
# An incorrect MFA code causes the API to return an access denied error.
|
2256
2413
|
# For a comparison of `GetSessionToken` with the other API operations
|
2257
2414
|
# that produce temporary credentials, see [Requesting Temporary Security
|
2258
|
-
# Credentials][1] and [
|
2259
|
-
#
|
2415
|
+
# Credentials][1] and [Compare STS credentials][2] in the *IAM User
|
2416
|
+
# Guide*.
|
2260
2417
|
#
|
2261
2418
|
# <note markdown="1"> No permissions are required for users to perform this operation. The
|
2262
2419
|
# purpose of the `sts:GetSessionToken` operation is to authenticate the
|
@@ -2311,7 +2468,7 @@ module Aws::STS
|
|
2311
2468
|
#
|
2312
2469
|
#
|
2313
2470
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
2314
|
-
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
2471
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
|
2315
2472
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
|
2316
2473
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
|
2317
2474
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
|
@@ -2416,7 +2573,7 @@ module Aws::STS
|
|
2416
2573
|
tracer: tracer
|
2417
2574
|
)
|
2418
2575
|
context[:gem_name] = 'aws-sdk-core'
|
2419
|
-
context[:gem_version] = '3.
|
2576
|
+
context[:gem_version] = '3.213.0'
|
2420
2577
|
Seahorse::Client::Request.new(handlers, context)
|
2421
2578
|
end
|
2422
2579
|
|
@@ -20,6 +20,8 @@ module Aws::STS
|
|
20
20
|
AssumeRoleWithSAMLResponse = Shapes::StructureShape.new(name: 'AssumeRoleWithSAMLResponse')
|
21
21
|
AssumeRoleWithWebIdentityRequest = Shapes::StructureShape.new(name: 'AssumeRoleWithWebIdentityRequest')
|
22
22
|
AssumeRoleWithWebIdentityResponse = Shapes::StructureShape.new(name: 'AssumeRoleWithWebIdentityResponse')
|
23
|
+
AssumeRootRequest = Shapes::StructureShape.new(name: 'AssumeRootRequest')
|
24
|
+
AssumeRootResponse = Shapes::StructureShape.new(name: 'AssumeRootResponse')
|
23
25
|
AssumedRoleUser = Shapes::StructureShape.new(name: 'AssumedRoleUser')
|
24
26
|
Audience = Shapes::StringShape.new(name: 'Audience')
|
25
27
|
Credentials = Shapes::StructureShape.new(name: 'Credentials')
|
@@ -47,10 +49,12 @@ module Aws::STS
|
|
47
49
|
ProvidedContext = Shapes::StructureShape.new(name: 'ProvidedContext')
|
48
50
|
ProvidedContextsListType = Shapes::ListShape.new(name: 'ProvidedContextsListType')
|
49
51
|
RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException', error: {"code"=>"RegionDisabledException", "httpStatusCode"=>403, "senderFault"=>true})
|
52
|
+
RootDurationSecondsType = Shapes::IntegerShape.new(name: 'RootDurationSecondsType')
|
50
53
|
SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
|
51
54
|
Subject = Shapes::StringShape.new(name: 'Subject')
|
52
55
|
SubjectType = Shapes::StringShape.new(name: 'SubjectType')
|
53
56
|
Tag = Shapes::StructureShape.new(name: 'Tag')
|
57
|
+
TargetPrincipalType = Shapes::StringShape.new(name: 'TargetPrincipalType')
|
54
58
|
accessKeyIdType = Shapes::StringShape.new(name: 'accessKeyIdType')
|
55
59
|
accessKeySecretType = Shapes::StringShape.new(name: 'accessKeySecretType')
|
56
60
|
accountType = Shapes::StringShape.new(name: 'accountType')
|
@@ -148,6 +152,15 @@ module Aws::STS
|
|
148
152
|
AssumeRoleWithWebIdentityResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
149
153
|
AssumeRoleWithWebIdentityResponse.struct_class = Types::AssumeRoleWithWebIdentityResponse
|
150
154
|
|
155
|
+
AssumeRootRequest.add_member(:target_principal, Shapes::ShapeRef.new(shape: TargetPrincipalType, required: true, location_name: "TargetPrincipal"))
|
156
|
+
AssumeRootRequest.add_member(:task_policy_arn, Shapes::ShapeRef.new(shape: PolicyDescriptorType, required: true, location_name: "TaskPolicyArn"))
|
157
|
+
AssumeRootRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: RootDurationSecondsType, location_name: "DurationSeconds"))
|
158
|
+
AssumeRootRequest.struct_class = Types::AssumeRootRequest
|
159
|
+
|
160
|
+
AssumeRootResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
|
161
|
+
AssumeRootResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
162
|
+
AssumeRootResponse.struct_class = Types::AssumeRootResponse
|
163
|
+
|
151
164
|
AssumedRoleUser.add_member(:assumed_role_id, Shapes::ShapeRef.new(shape: assumedRoleIdType, required: true, location_name: "AssumedRoleId"))
|
152
165
|
AssumedRoleUser.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "Arn"))
|
153
166
|
AssumedRoleUser.struct_class = Types::AssumedRoleUser
|
@@ -308,6 +321,16 @@ module Aws::STS
|
|
308
321
|
o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
|
309
322
|
end)
|
310
323
|
|
324
|
+
api.add_operation(:assume_root, Seahorse::Model::Operation.new.tap do |o|
|
325
|
+
o.name = "AssumeRoot"
|
326
|
+
o.http_method = "POST"
|
327
|
+
o.http_request_uri = "/"
|
328
|
+
o.input = Shapes::ShapeRef.new(shape: AssumeRootRequest)
|
329
|
+
o.output = Shapes::ShapeRef.new(shape: AssumeRootResponse)
|
330
|
+
o.errors << Shapes::ShapeRef.new(shape: RegionDisabledException)
|
331
|
+
o.errors << Shapes::ShapeRef.new(shape: ExpiredTokenException)
|
332
|
+
end)
|
333
|
+
|
311
334
|
api.add_operation(:decode_authorization_message, Seahorse::Model::Operation.new.tap do |o|
|
312
335
|
o.name = "DecodeAuthorizationMessage"
|
313
336
|
o.http_method = "POST"
|
data/lib/aws-sdk-sts/types.rb
CHANGED
@@ -26,10 +26,21 @@ module Aws::STS
|
|
26
26
|
# that use the temporary security credentials will expose the role
|
27
27
|
# session name to the external account in their CloudTrail logs.
|
28
28
|
#
|
29
|
+
# For security purposes, administrators can view this field in
|
30
|
+
# [CloudTrail logs][1] to help identify who performed an action in
|
31
|
+
# Amazon Web Services. Your administrator might require that you
|
32
|
+
# specify your user name as the session name when you assume the role.
|
33
|
+
# For more information, see [ `sts:RoleSessionName` ][2].
|
34
|
+
#
|
29
35
|
# The regex used to validate this parameter is a string of characters
|
30
36
|
# consisting of upper- and lower-case alphanumeric characters with no
|
31
37
|
# spaces. You can also include underscores or any of the following
|
32
38
|
# characters: =,.@-
|
39
|
+
#
|
40
|
+
#
|
41
|
+
#
|
42
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
|
43
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
|
33
44
|
# @return [String]
|
34
45
|
#
|
35
46
|
# @!attribute [rw] policy_arns
|
@@ -101,6 +112,9 @@ module Aws::STS
|
|
101
112
|
#
|
102
113
|
# </note>
|
103
114
|
#
|
115
|
+
# For more information about role session permissions, see [Session
|
116
|
+
# policies][1].
|
117
|
+
#
|
104
118
|
#
|
105
119
|
#
|
106
120
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
@@ -125,8 +139,7 @@ module Aws::STS
|
|
125
139
|
# However, if you assume a role using role chaining and provide a
|
126
140
|
# `DurationSeconds` parameter value greater than one hour, the
|
127
141
|
# operation fails. To learn how to view the maximum value for your
|
128
|
-
# role, see [
|
129
|
-
# in the *IAM User Guide*.
|
142
|
+
# role, see [Update the maximum session duration for a role][1].
|
130
143
|
#
|
131
144
|
# By default, the value is set to `3600` seconds.
|
132
145
|
#
|
@@ -142,7 +155,7 @@ module Aws::STS
|
|
142
155
|
#
|
143
156
|
#
|
144
157
|
#
|
145
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
158
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
|
146
159
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
|
147
160
|
# @return [Integer]
|
148
161
|
#
|
@@ -199,9 +212,8 @@ module Aws::STS
|
|
199
212
|
# passes to subsequent sessions in a role chain. For more information,
|
200
213
|
# see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
|
201
214
|
#
|
202
|
-
# This parameter is optional.
|
203
|
-
#
|
204
|
-
# affected.
|
215
|
+
# This parameter is optional. The transitive status of a session tag
|
216
|
+
# does not impact its packed binary size.
|
205
217
|
#
|
206
218
|
# If you choose not to specify a transitive tag key, then no tags are
|
207
219
|
# passed from this session to any subsequent sessions.
|
@@ -263,17 +275,18 @@ module Aws::STS
|
|
263
275
|
#
|
264
276
|
# @!attribute [rw] source_identity
|
265
277
|
# The source identity specified by the principal that is calling the
|
266
|
-
# `AssumeRole` operation.
|
278
|
+
# `AssumeRole` operation. The source identity value persists across
|
279
|
+
# [chained role][1] sessions.
|
267
280
|
#
|
268
281
|
# You can require users to specify a source identity when they assume
|
269
|
-
# a role. You do this by using the `sts:SourceIdentity`
|
270
|
-
# in a role trust policy. You can use source identity
|
271
|
-
# CloudTrail logs to determine who took actions with a
|
272
|
-
# use the `aws:SourceIdentity` condition key to further
|
273
|
-
# to Amazon Web Services resources based on the value
|
274
|
-
# identity. For more information about using source
|
275
|
-
# [Monitor and control actions taken with assumed
|
276
|
-
# *IAM User Guide*.
|
282
|
+
# a role. You do this by using the [ `sts:SourceIdentity` ][2]
|
283
|
+
# condition key in a role trust policy. You can use source identity
|
284
|
+
# information in CloudTrail logs to determine who took actions with a
|
285
|
+
# role. You can use the `aws:SourceIdentity` condition key to further
|
286
|
+
# control access to Amazon Web Services resources based on the value
|
287
|
+
# of source identity. For more information about using source
|
288
|
+
# identity, see [Monitor and control actions taken with assumed
|
289
|
+
# roles][3] in the *IAM User Guide*.
|
277
290
|
#
|
278
291
|
# The regex used to validate this parameter is a string of characters
|
279
292
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -284,7 +297,9 @@ module Aws::STS
|
|
284
297
|
#
|
285
298
|
#
|
286
299
|
#
|
287
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
300
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
|
301
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity
|
302
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
288
303
|
# @return [String]
|
289
304
|
#
|
290
305
|
# @!attribute [rw] provided_contexts
|
@@ -297,7 +312,7 @@ module Aws::STS
|
|
297
312
|
# context provider from which the trusted context assertion was
|
298
313
|
# generated.
|
299
314
|
#
|
300
|
-
# `[
|
315
|
+
# `[{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]`
|
301
316
|
# @return [Array<Types::ProvidedContext>]
|
302
317
|
#
|
303
318
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
|
@@ -465,6 +480,9 @@ module Aws::STS
|
|
465
480
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
466
481
|
# (\\u000D) characters.
|
467
482
|
#
|
483
|
+
# For more information about role session permissions, see [Session
|
484
|
+
# policies][1].
|
485
|
+
#
|
468
486
|
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
469
487
|
# session policy, managed policy ARNs, and session tags into a packed
|
470
488
|
# binary format that has a separate limit. Your request can fail for
|
@@ -600,6 +618,8 @@ module Aws::STS
|
|
600
618
|
#
|
601
619
|
# @!attribute [rw] source_identity
|
602
620
|
# The value in the `SourceIdentity` attribute in the SAML assertion.
|
621
|
+
# The source identity value persists across [chained role][1]
|
622
|
+
# sessions.
|
603
623
|
#
|
604
624
|
# You can require users to set a source identity value when they
|
605
625
|
# assume a role. You do this by using the `sts:SourceIdentity`
|
@@ -607,12 +627,12 @@ module Aws::STS
|
|
607
627
|
# taken with the role are associated with that user. After the source
|
608
628
|
# identity is set, the value cannot be changed. It is present in the
|
609
629
|
# request for all actions that are taken by the role and persists
|
610
|
-
# across [chained role][
|
630
|
+
# across [chained role][2] sessions. You can configure your SAML
|
611
631
|
# identity provider to use an attribute associated with your users,
|
612
632
|
# like user name or email, as the source identity when calling
|
613
633
|
# `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
|
614
634
|
# assertion. For more information about using source identity, see
|
615
|
-
# [Monitor and control actions taken with assumed roles][
|
635
|
+
# [Monitor and control actions taken with assumed roles][3] in the
|
616
636
|
# *IAM User Guide*.
|
617
637
|
#
|
618
638
|
# The regex used to validate this parameter is a string of characters
|
@@ -622,8 +642,9 @@ module Aws::STS
|
|
622
642
|
#
|
623
643
|
#
|
624
644
|
#
|
625
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
626
|
-
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
645
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
|
646
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
|
647
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
627
648
|
# @return [String]
|
628
649
|
#
|
629
650
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
|
@@ -645,6 +666,24 @@ module Aws::STS
|
|
645
666
|
# @!attribute [rw] role_arn
|
646
667
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
647
668
|
# assuming.
|
669
|
+
#
|
670
|
+
# <note markdown="1"> Additional considerations apply to Amazon Cognito identity pools
|
671
|
+
# that assume [cross-account IAM roles][1]. The trust policies of
|
672
|
+
# these roles must accept the `cognito-identity.amazonaws.com` service
|
673
|
+
# principal and must contain the `cognito-identity.amazonaws.com:aud`
|
674
|
+
# condition key to restrict role assumption to users from your
|
675
|
+
# intended identity pools. A policy that trusts Amazon Cognito
|
676
|
+
# identity pools without this condition creates a risk that a user
|
677
|
+
# from an unintended identity pool can assume the role. For more
|
678
|
+
# information, see [ Trust policies for IAM roles in Basic (Classic)
|
679
|
+
# authentication ][2] in the *Amazon Cognito Developer Guide*.
|
680
|
+
#
|
681
|
+
# </note>
|
682
|
+
#
|
683
|
+
#
|
684
|
+
#
|
685
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
|
686
|
+
# [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies
|
648
687
|
# @return [String]
|
649
688
|
#
|
650
689
|
# @!attribute [rw] role_session_name
|
@@ -655,10 +694,21 @@ module Aws::STS
|
|
655
694
|
# session name is included as part of the ARN and assumed role ID in
|
656
695
|
# the `AssumedRoleUser` response element.
|
657
696
|
#
|
697
|
+
# For security purposes, administrators can view this field in
|
698
|
+
# [CloudTrail logs][1] to help identify who performed an action in
|
699
|
+
# Amazon Web Services. Your administrator might require that you
|
700
|
+
# specify your user name as the session name when you assume the role.
|
701
|
+
# For more information, see [ `sts:RoleSessionName` ][2].
|
702
|
+
#
|
658
703
|
# The regex used to validate this parameter is a string of characters
|
659
704
|
# consisting of upper- and lower-case alphanumeric characters with no
|
660
705
|
# spaces. You can also include underscores or any of the following
|
661
706
|
# characters: =,.@-
|
707
|
+
#
|
708
|
+
#
|
709
|
+
#
|
710
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
|
711
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
|
662
712
|
# @return [String]
|
663
713
|
#
|
664
714
|
# @!attribute [rw] web_identity_token
|
@@ -666,8 +716,9 @@ module Aws::STS
|
|
666
716
|
# provided by the identity provider. Your application must get this
|
667
717
|
# token by authenticating the user who is using your application with
|
668
718
|
# a web identity provider before the application makes an
|
669
|
-
# `AssumeRoleWithWebIdentity` call.
|
670
|
-
#
|
719
|
+
# `AssumeRoleWithWebIdentity` call. Timestamps in the token must be
|
720
|
+
# formatted as either an integer or a long integer. Only tokens with
|
721
|
+
# RSA algorithms (RS256) are supported.
|
671
722
|
# @return [String]
|
672
723
|
#
|
673
724
|
# @!attribute [rw] provider_id
|
@@ -741,6 +792,9 @@ module Aws::STS
|
|
741
792
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
742
793
|
# (\\u000D) characters.
|
743
794
|
#
|
795
|
+
# For more information about role session permissions, see [Session
|
796
|
+
# policies][1].
|
797
|
+
#
|
744
798
|
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
745
799
|
# session policy, managed policy ARNs, and session tags into a packed
|
746
800
|
# binary format that has a separate limit. Your request can fail for
|
@@ -881,7 +935,7 @@ module Aws::STS
|
|
881
935
|
#
|
882
936
|
#
|
883
937
|
#
|
884
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts
|
938
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
|
885
939
|
# [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
|
886
940
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
887
941
|
# @return [String]
|
@@ -900,6 +954,94 @@ module Aws::STS
|
|
900
954
|
include Aws::Structure
|
901
955
|
end
|
902
956
|
|
957
|
+
# @!attribute [rw] target_principal
|
958
|
+
# The member account principal ARN or account ID.
|
959
|
+
# @return [String]
|
960
|
+
#
|
961
|
+
# @!attribute [rw] task_policy_arn
|
962
|
+
# The identity based policy that scopes the session to the privileged
|
963
|
+
# tasks that can be performed. You can use one of following Amazon Web
|
964
|
+
# Services managed policies to scope root session actions. You can add
|
965
|
+
# additional customer managed policies to further limit the
|
966
|
+
# permissions for the root session.
|
967
|
+
#
|
968
|
+
# * [IAMAuditRootUserCredentials][1]
|
969
|
+
#
|
970
|
+
# * [IAMCreateRootUserPassword][2]
|
971
|
+
#
|
972
|
+
# * [IAMDeleteRootUserCredentials][3]
|
973
|
+
#
|
974
|
+
# * [S3UnlockBucketPolicy][4]
|
975
|
+
#
|
976
|
+
# * [SQSUnlockQueuePolicy][5]
|
977
|
+
#
|
978
|
+
#
|
979
|
+
#
|
980
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
|
981
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
|
982
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
|
983
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
|
984
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
|
985
|
+
# @return [Types::PolicyDescriptorType]
|
986
|
+
#
|
987
|
+
# @!attribute [rw] duration_seconds
|
988
|
+
# The duration, in seconds, of the privileged session. The value can
|
989
|
+
# range from 0 seconds up to the maximum session duration of 900
|
990
|
+
# seconds (15 minutes). If you specify a value higher than this
|
991
|
+
# setting, the operation fails.
|
992
|
+
#
|
993
|
+
# By default, the value is set to `900` seconds.
|
994
|
+
# @return [Integer]
|
995
|
+
#
|
996
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRootRequest AWS API Documentation
|
997
|
+
#
|
998
|
+
class AssumeRootRequest < Struct.new(
|
999
|
+
:target_principal,
|
1000
|
+
:task_policy_arn,
|
1001
|
+
:duration_seconds)
|
1002
|
+
SENSITIVE = []
|
1003
|
+
include Aws::Structure
|
1004
|
+
end
|
1005
|
+
|
1006
|
+
# @!attribute [rw] credentials
|
1007
|
+
# The temporary security credentials, which include an access key ID,
|
1008
|
+
# a secret access key, and a security token.
|
1009
|
+
#
|
1010
|
+
# <note markdown="1"> The size of the security token that STS API operations return is not
|
1011
|
+
# fixed. We strongly recommend that you make no assumptions about the
|
1012
|
+
# maximum size.
|
1013
|
+
#
|
1014
|
+
# </note>
|
1015
|
+
# @return [Types::Credentials]
|
1016
|
+
#
|
1017
|
+
# @!attribute [rw] source_identity
|
1018
|
+
# The source identity specified by the principal that is calling the
|
1019
|
+
# `AssumeRoot` operation.
|
1020
|
+
#
|
1021
|
+
# You can use the `aws:SourceIdentity` condition key to control access
|
1022
|
+
# based on the value of source identity. For more information about
|
1023
|
+
# using source identity, see [Monitor and control actions taken with
|
1024
|
+
# assumed roles][1] in the *IAM User Guide*.
|
1025
|
+
#
|
1026
|
+
# The regex used to validate this parameter is a string of characters
|
1027
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
1028
|
+
# spaces. You can also include underscores or any of the following
|
1029
|
+
# characters: =,.@-
|
1030
|
+
#
|
1031
|
+
#
|
1032
|
+
#
|
1033
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
1034
|
+
# @return [String]
|
1035
|
+
#
|
1036
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRootResponse AWS API Documentation
|
1037
|
+
#
|
1038
|
+
class AssumeRootResponse < Struct.new(
|
1039
|
+
:credentials,
|
1040
|
+
:source_identity)
|
1041
|
+
SENSITIVE = []
|
1042
|
+
include Aws::Structure
|
1043
|
+
end
|
1044
|
+
|
903
1045
|
# The identifiers for the temporary security credentials that the
|
904
1046
|
# operation returns.
|
905
1047
|
#
|
@@ -1419,7 +1561,8 @@ module Aws::STS
|
|
1419
1561
|
|
1420
1562
|
# The error returned if the message passed to
|
1421
1563
|
# `DecodeAuthorizationMessage` was invalid. This can happen if the token
|
1422
|
-
# contains invalid characters, such as
|
1564
|
+
# contains invalid characters, such as line breaks, or if the message
|
1565
|
+
# has expired.
|
1423
1566
|
#
|
1424
1567
|
# @!attribute [rw] message
|
1425
1568
|
# @return [String]
|
@@ -1539,8 +1682,8 @@ module Aws::STS
|
|
1539
1682
|
# STS is not activated in the requested region for the account that is
|
1540
1683
|
# being asked to generate credentials. The account administrator must
|
1541
1684
|
# use the IAM console to activate STS in that region. For more
|
1542
|
-
# information, see [Activating and Deactivating Amazon Web
|
1543
|
-
#
|
1685
|
+
# information, see [Activating and Deactivating STS in an Amazon Web
|
1686
|
+
# Services Region][1] in the *IAM User Guide*.
|
1544
1687
|
#
|
1545
1688
|
#
|
1546
1689
|
#
|
data/lib/aws-sdk-sts.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws-sdk-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.213.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Amazon Web Services
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-11-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: jmespath
|