aws-sdk-core 3.46.0 → 3.94.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (86) hide show
  1. checksums.yaml +5 -5
  2. data/VERSION +1 -1
  3. data/lib/aws-sdk-core.rb +7 -0
  4. data/lib/aws-sdk-core/arn.rb +77 -0
  5. data/lib/aws-sdk-core/arn_parser.rb +38 -0
  6. data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +102 -0
  7. data/lib/aws-sdk-core/async_client_stubs.rb +80 -0
  8. data/lib/aws-sdk-core/binary.rb +3 -0
  9. data/lib/aws-sdk-core/binary/decode_handler.rb +9 -1
  10. data/lib/aws-sdk-core/binary/encode_handler.rb +32 -0
  11. data/lib/aws-sdk-core/binary/event_builder.rb +122 -0
  12. data/lib/aws-sdk-core/binary/event_parser.rb +48 -18
  13. data/lib/aws-sdk-core/binary/event_stream_decoder.rb +5 -2
  14. data/lib/aws-sdk-core/binary/event_stream_encoder.rb +53 -0
  15. data/lib/aws-sdk-core/client_side_monitoring/publisher.rb +9 -1
  16. data/lib/aws-sdk-core/client_stubs.rb +10 -9
  17. data/lib/aws-sdk-core/credential_provider.rb +0 -31
  18. data/lib/aws-sdk-core/credential_provider_chain.rb +79 -39
  19. data/lib/aws-sdk-core/deprecations.rb +16 -10
  20. data/lib/aws-sdk-core/ecs_credentials.rb +12 -8
  21. data/lib/aws-sdk-core/endpoint_cache.rb +14 -11
  22. data/lib/aws-sdk-core/errors.rb +94 -6
  23. data/lib/aws-sdk-core/event_emitter.rb +42 -0
  24. data/lib/aws-sdk-core/instance_profile_credentials.rb +120 -38
  25. data/lib/aws-sdk-core/json.rb +13 -14
  26. data/lib/aws-sdk-core/json/error_handler.rb +19 -2
  27. data/lib/aws-sdk-core/json/handler.rb +19 -1
  28. data/lib/aws-sdk-core/log/formatter.rb +7 -1
  29. data/lib/aws-sdk-core/log/param_filter.rb +3 -3
  30. data/lib/aws-sdk-core/pageable_response.rb +34 -20
  31. data/lib/aws-sdk-core/param_validator.rb +11 -5
  32. data/lib/aws-sdk-core/plugins/client_metrics_plugin.rb +26 -1
  33. data/lib/aws-sdk-core/plugins/endpoint_discovery.rb +1 -1
  34. data/lib/aws-sdk-core/plugins/event_stream_configuration.rb +14 -0
  35. data/lib/aws-sdk-core/plugins/invocation_id.rb +33 -0
  36. data/lib/aws-sdk-core/plugins/regional_endpoint.rb +8 -1
  37. data/lib/aws-sdk-core/plugins/retries/client_rate_limiter.rb +137 -0
  38. data/lib/aws-sdk-core/plugins/retries/clock_skew.rb +98 -0
  39. data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +142 -0
  40. data/lib/aws-sdk-core/plugins/retries/retry_quota.rb +57 -0
  41. data/lib/aws-sdk-core/plugins/retry_errors.rb +290 -106
  42. data/lib/aws-sdk-core/plugins/signature_v4.rb +13 -2
  43. data/lib/aws-sdk-core/plugins/stub_responses.rb +20 -7
  44. data/lib/aws-sdk-core/plugins/transfer_encoding.rb +51 -0
  45. data/lib/aws-sdk-core/plugins/user_agent.rb +4 -8
  46. data/lib/aws-sdk-core/process_credentials.rb +9 -3
  47. data/lib/aws-sdk-core/shared_config.rb +95 -125
  48. data/lib/aws-sdk-core/structure.rb +1 -2
  49. data/lib/aws-sdk-core/stubbing/protocols/rest.rb +19 -0
  50. data/lib/aws-sdk-core/stubbing/stub_data.rb +13 -4
  51. data/lib/aws-sdk-core/util.rb +4 -0
  52. data/lib/aws-sdk-core/waiters/waiter.rb +2 -2
  53. data/lib/aws-sdk-core/xml/error_handler.rb +26 -3
  54. data/lib/aws-sdk-sts.rb +7 -4
  55. data/lib/aws-sdk-sts/client.rb +1109 -459
  56. data/lib/aws-sdk-sts/client_api.rb +67 -0
  57. data/lib/aws-sdk-sts/customizations.rb +2 -0
  58. data/lib/aws-sdk-sts/errors.rb +150 -0
  59. data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb +32 -0
  60. data/lib/aws-sdk-sts/presigner.rb +67 -0
  61. data/lib/aws-sdk-sts/resource.rb +1 -0
  62. data/lib/aws-sdk-sts/types.rb +736 -176
  63. data/lib/seahorse.rb +9 -0
  64. data/lib/seahorse/client/async_base.rb +50 -0
  65. data/lib/seahorse/client/async_response.rb +62 -0
  66. data/lib/seahorse/client/base.rb +4 -2
  67. data/lib/seahorse/client/configuration.rb +4 -2
  68. data/lib/seahorse/client/events.rb +1 -1
  69. data/lib/seahorse/client/h2/connection.rb +246 -0
  70. data/lib/seahorse/client/h2/handler.rb +151 -0
  71. data/lib/seahorse/client/handler_list_entry.rb +2 -2
  72. data/lib/seahorse/client/http/async_response.rb +42 -0
  73. data/lib/seahorse/client/http/response.rb +13 -8
  74. data/lib/seahorse/client/logging/formatter.rb +4 -2
  75. data/lib/seahorse/client/net_http/connection_pool.rb +19 -20
  76. data/lib/seahorse/client/net_http/handler.rb +7 -1
  77. data/lib/seahorse/client/net_http/patches.rb +7 -1
  78. data/lib/seahorse/client/networking_error.rb +28 -0
  79. data/lib/seahorse/client/plugin.rb +5 -4
  80. data/lib/seahorse/client/plugins/content_length.rb +5 -2
  81. data/lib/seahorse/client/plugins/h2.rb +64 -0
  82. data/lib/seahorse/client/response.rb +3 -5
  83. data/lib/seahorse/model/api.rb +4 -0
  84. data/lib/seahorse/model/operation.rb +4 -0
  85. data/lib/seahorse/model/shapes.rb +2 -2
  86. metadata +43 -10
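--- a/data/lib/aws-sdk-core/structure.rb
+++ b/data/lib/aws-sdk-core/structure.rb
@@ -29,8 +29,7 @@ module Aws
  def to_h(obj = self)
  case obj
  when Struct
- obj.members.each.with_object({}) do |member, hash|
- value = obj[member]
+ obj.each_pair.with_object({}) do |(member, value), hash|
  hash[member] = to_hash(value) unless value.nil?
  end
  when Hash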
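--- a/data/lib/aws-sdk-core/stubbing/protocols/rest.rb
+++ b/data/lib/aws-sdk-core/stubbing/protocols/rest.rb
@@ -118,6 +118,25 @@ module Aws
 
  def encode_event(opts, rules, event_data, builder)
  event_ref = rules.shape.member(event_data.delete(:event_type))
+ explicit_payload = false
+ implicit_payload_members = {}
+ event_ref.shape.members.each do |name, ref|
+ if ref.eventpayload
+ explicit_payload = true
+ else
+ implicit_payload_members[name] = ref
+ end
+ end
+
+ if !explicit_payload && !implicit_payload_members.empty?
+ unless implicit_payload_members.size > 1
+ m_name, _ = implicit_payload_members.first
+ value = {}
+ value[m_name] = event_data[m_name]
+ opts[:payload] = StringIO.new(builder.new(event_ref).serialize(value))
+ end
+ end
+
  event_data.each do |k, v|
  member_ref = event_ref.shape.member(k)
  if member_ref.eventheader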
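Review bot: The nested `if !explicit_payload && !implicit_payload_members.empty?` / `unless implicit_payload_members.size > 1` pair added to encode_event reduces to a single condition, and the throwaway `_` in `m_name, _ = implicit_payload_members.first` can go: `if !explicit_payload && implicit_payload_members.size == 1`, then `m_name = implicit_payload_members.keys.first` and `opts[:payload] = StringIO.new(builder.new(event_ref).serialize(m_name => event_data[m_name]))`. When more than one implicit payload member exists the block silently sets no payload; nothing in the hunk says whether that is intended, so a one-line comment stating the rule (or a raise) would spare the next reader the guess. encode_event's body continues past the end of the hunk.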
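--- a/data/lib/aws-sdk-core/stubbing/stub_data.rb
+++ b/data/lib/aws-sdk-core/stubbing/stub_data.rb
@@ -20,17 +20,26 @@ module Aws
  def remove_paging_tokens(stub)
  if @pager
  @pager.instance_variable_get("@tokens").keys.each do |path|
- key = path.split(/\b/)[0]
- stub[key] = nil
+ if divide = (path[' || '] || path[' or '])
+ path = path.split(divide)[0]
+ end
+ parts = path.split(/\b/)
+ # if nested struct/expression, EmptyStub auto-pop "string"
+ # currently not support remove "string" for nested/expression
+ # as it requires reverse JMESPATH search
+ stub[parts[0]] = nil if parts.size == 1
  end
  if more_results = @pager.instance_variable_get('@more_results')
- stub[more_results] = false
+ parts = more_results.split(/\b/)
+ # if nested struct/expression, EmptyStub auto-pop false value
+ # no further work needed
+ stub[parts[0]] = false if parts.size == 1
  end
  end
  end
 
  def apply_data(data, stub)
- ParamValidator.new(@rules, validate_required:false).validate!(data)
+ ParamValidator.new(@rules, validate_required: false, input: false).validate!(data)
  DataApplicator.new(@rules).apply_data(data, stub)
  end
  end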
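Review bot: `if divide = (path[' || '] || path[' or '])` in remove_paging_tokens assigns inside the condition, which RuboCop flags (Lint/AssignmentInCondition) and which reads as a mistyped `==` to anyone skimming; splitting it keeps the intent visible: `divide = path[' || '] || path[' or ']` followed by `path = path.split(divide).first if divide`. The pre-existing `if more_results = @pager.instance_variable_get('@more_results')` on the line below has the same shape and could be fixed in passing. The new comment `# currently not support remove "string" for nested/expression` reads better as `# removing the stubbed "string" for nested/expression paths is not supported yet`.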
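--- a/data/lib/aws-sdk-core/util.rb
+++ b/data/lib/aws-sdk-core/util.rb
@@ -52,6 +52,10 @@ module Aws
  end
  end
 
+ def monotonic_seconds
+ monotonic_milliseconds / 1000.0
+ end
+
  def str_2_bool(str)
  case str.to_s
  when "true" then true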
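Review bot: monotonic_seconds is added without a doc comment; a line such as `# @return [Float] seconds from the same monotonic clock as monotonic_milliseconds; not wall-clock time` above `def monotonic_seconds` would tell callers both the unit and that the value is only meaningful for measuring intervals. monotonic_milliseconds is defined outside this hunk, so its return type cannot be checked here; the `/ 1000.0` divisor keeps the result a Float either way.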
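--- a/data/lib/aws-sdk-core/waiters/waiter.rb
+++ b/data/lib/aws-sdk-core/waiters/waiter.rb
@@ -50,7 +50,7 @@ module Aws
  #
  # @yieldparam [Integer] attempts The number of attempts made.
  def before_attempt(&block)
- @before_attempt << Proc.new
+ @before_attempt << block if block_given?
  end
 
  # Register a callback that is invoked after an attempt but before
@@ -81,7 +81,7 @@ module Aws
  # @yieldparam [Seahorse::Client::Response] response The response from
  # the previous polling attempts.
  def before_wait(&block)
- @before_wait << Proc.new
+ @before_wait << block if block_given?
  end
 
  # @option options [Client] :client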
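Review bot: `@before_attempt << block if block_given?` turns a call without a block into a silent no-op, whereas the replaced `Proc.new` with no block raised an ArgumentError (the block-less `Proc.new` form is deprecated in Ruby 2.7 and removed in 3.0, which is presumably why it is being replaced). Registering a callback is the only reason to call before_attempt, so dropping a missing block hides a caller bug; `raise ArgumentError, 'a block is required' unless block_given?` followed by `@before_attempt << block` keeps the old failure visible while staying off the deprecated API. The same applies to before_wait in the second hunk of this file.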
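--- a/data/lib/aws-sdk-core/xml/error_handler.rb
+++ b/data/lib/aws-sdk-core/xml/error_handler.rb
@@ -18,20 +18,43 @@ module Aws
  if body.empty?
  code = http_status_error_code(context)
  message = ''
+ data = EmptyStructure.new
  else
- code, message = extract_error(body, context)
+ code, message, data = extract_error(body, context)
  end
  errors_module = context.client.class.errors_module
- errors_module.error_class(code).new(context, message)
+ error_class = errors_module.error_class(code).new(context, message, data)
+ error_class
  end
 
  def extract_error(body, context)
+ code = error_code(body, context)
  [
- error_code(body, context),
+ code,
  error_message(body),
+ error_data(context, code)
  ]
  end
 
+ def error_data(context, code)
+ data = EmptyStructure.new
+ if error_rules = context.operation.errors
+ error_rules.each do |rule|
+ # for modeled shape with error trait
+ # match `code` in the error trait before
+ # match modeled shape name
+ error_shape_code = rule.shape['error']['code'] if rule.shape['error']
+ match = (code == error_shape_code || code == rule.shape.name)
+ if match && rule.shape.members.any?
+ data = Parser.new(rule).parse(context.http_response.body_contents)
+ end
+ end
+ end
+ data
+ rescue Xml::Parser::ParsingError
+ EmptyStructure.new
+ end
+
  def error_code(body, context)
  if matches = body.match(/<Code>(.+?)<\/Code>/)
  remove_prefix(unescape(matches[1]), context)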
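Review bot: The new local `error_class` in the first hunk holds an error instance, not a class, and is returned on the very next line; leaving `errors_module.error_class(code).new(context, message, data)` as the method's last expression says the same with one line less and without the misleading name. In error_data the loop keeps iterating after a match, so if a later rule also matches `code` the response body is parsed a second time and `data` is overwritten; a `break` after the assignment (or `find` over `error_rules`) makes the first-match intent explicit and avoids the repeated parse. The trailing `rescue Xml::Parser::ParsingError` that falls back to `EmptyStructure.new` is easy to read as swallowing a real fault, so a comment such as `# malformed error body: keep the code/message, never raise from within error handling` would justify it. The enclosing method of the first hunk starts before the hunk.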
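--- a/data/lib/aws-sdk-sts.rb
+++ b/data/lib/aws-sdk-sts.rb
@@ -22,17 +22,20 @@ require_relative 'aws-sdk-sts/customizations'
  # methods each accept a hash of request parameters and return a response
  # structure.
  #
+ # sts = Aws::STS::Client.new
+ # resp = sts.assume_role(params)
+ #
  # See {Client} for more information.
  #
  # # Errors
  #
- # Errors returned from AWS Security Token Service all
- # extend {Errors::ServiceError}.
+ # Errors returned from AWS Security Token Service are defined in the
+ # {Errors} module and all extend {Errors::ServiceError}.
  #
  # begin
  # # do stuff
  # rescue Aws::STS::Errors::ServiceError
- # # rescues all service API errors
+ # # rescues all AWS Security Token Service API errors
  # end
  #
  # See {Errors} for more information.
@@ -40,6 +43,6 @@ require_relative 'aws-sdk-sts/customizations'
  # @service
  module Aws::STS
 
- GEM_VERSION = '3.46.0'
+ GEM_VERSION = '3.94.0'
 
  end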
@@ -23,12 +23,26 @@ require 'aws-sdk-core/plugins/idempotency_token.rb'
23
23
  require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
24
24
  require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
25
25
  require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
26
+ require 'aws-sdk-core/plugins/transfer_encoding.rb'
26
27
  require 'aws-sdk-core/plugins/signature_v4.rb'
27
28
  require 'aws-sdk-core/plugins/protocols/query.rb'
29
+ require 'aws-sdk-sts/plugins/sts_regional_endpoints.rb'
28
30
 
29
31
  Aws::Plugins::GlobalConfiguration.add_identifier(:sts)
30
32
 
31
33
  module Aws::STS
34
+ # An API client for STS. To construct a client, you need to configure a `:region` and `:credentials`.
35
+ #
36
+ # client = Aws::STS::Client.new(
37
+ # region: region_name,
38
+ # credentials: credentials,
39
+ # # ...
40
+ # )
41
+ #
42
+ # For details on configuring region and credentials see
43
+ # the [developer guide](/sdk-for-ruby/v3/developer-guide/setup-config.html).
44
+ #
45
+ # See {#initialize} for a full list of supported configuration options.
32
46
  class Client < Seahorse::Client::Base
33
47
 
34
48
  include Aws::ClientStubs
@@ -55,8 +69,10 @@ module Aws::STS
55
69
  add_plugin(Aws::Plugins::JsonvalueConverter)
56
70
  add_plugin(Aws::Plugins::ClientMetricsPlugin)
57
71
  add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
72
+ add_plugin(Aws::Plugins::TransferEncoding)
58
73
  add_plugin(Aws::Plugins::SignatureV4)
59
74
  add_plugin(Aws::Plugins::Protocols::Query)
75
+ add_plugin(Aws::STS::Plugins::STSRegionalEndpoints)
60
76
 
61
77
  # @overload initialize(options)
62
78
  # @param [Hash] options
@@ -106,6 +122,12 @@ module Aws::STS
106
122
  # When set to `true`, a thread polling for endpoints will be running in
107
123
  # the background every 60 secs (default). Defaults to `false`.
108
124
  #
125
+ # @option options [Boolean] :adaptive_retry_wait_to_fill (true)
126
+ # Used only in `adaptive` retry mode. When true, the request will sleep
127
+ # until there is sufficent client side capacity to retry the request.
128
+ # When false, the request will raise a `RetryCapacityNotAvailableError` and will
129
+ # not retry instead of sleeping.
130
+ #
109
131
  # @option options [Boolean] :client_side_monitoring (false)
110
132
  # When `true`, client-side metrics will be collected for all API requests from
111
133
  # this client.
@@ -114,6 +136,10 @@ module Aws::STS
114
136
  # Allows you to provide an identifier for this client which will be attached to
115
137
  # all generated client side metrics. Defaults to an empty string.
116
138
  #
139
+ # @option options [String] :client_side_monitoring_host ("127.0.0.1")
140
+ # Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client
141
+ # side monitoring agent is running on, where client metrics will be published via UDP.
142
+ #
117
143
  # @option options [Integer] :client_side_monitoring_port (31000)
118
144
  # Required for publishing client metrics. The port that the client side monitoring
119
145
  # agent is running on, where client metrics will be published via UDP.
@@ -126,6 +152,10 @@ module Aws::STS
126
152
  # When `true`, an attempt is made to coerce request parameters into
127
153
  # the required types.
128
154
  #
155
+ # @option options [Boolean] :correct_clock_skew (true)
156
+ # Used only in `standard` and adaptive retry modes. Specifies whether to apply
157
+ # a clock skew correction and retry requests with skewed client clocks.
158
+ #
129
159
  # @option options [Boolean] :disable_host_prefix_injection (false)
130
160
  # Set to true to disable SDK automatically adding host prefix
131
161
  # to default service endpoint when available.
@@ -160,15 +190,29 @@ module Aws::STS
160
190
  # The Logger instance to send log messages to. If this option
161
191
  # is not set, logging will be disabled.
162
192
  #
193
+ # @option options [Integer] :max_attempts (3)
194
+ # An integer representing the maximum number attempts that will be made for
195
+ # a single request, including the initial attempt. For example,
196
+ # setting this value to 5 will result in a request being retried up to
197
+ # 4 times. Used in `standard` and `adaptive` retry modes.
198
+ #
163
199
  # @option options [String] :profile ("default")
164
200
  # Used when loading credentials from the shared credentials file
165
201
  # at HOME/.aws/credentials. When not specified, 'default' is used.
166
202
  #
203
+ # @option options [Proc] :retry_backoff
204
+ # A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
205
+ # This option is only used in the `legacy` retry mode.
206
+ #
167
207
  # @option options [Float] :retry_base_delay (0.3)
168
- # The base delay in seconds used by the default backoff function.
208
+ # The base delay in seconds used by the default backoff function. This option
209
+ # is only used in the `legacy` retry mode.
169
210
  #
170
211
  # @option options [Symbol] :retry_jitter (:none)
171
- # A delay randomiser function used by the default backoff function. Some predefined functions can be referenced by name - :none, :equal, :full, otherwise a Proc that takes and returns a number.
212
+ # A delay randomiser function used by the default backoff function.
213
+ # Some predefined functions can be referenced by name - :none, :equal, :full,
214
+ # otherwise a Proc that takes and returns a number. This option is only used
215
+ # in the `legacy` retry mode.
172
216
  #
173
217
  # @see https://www.awsarchitectureblog.com/2015/03/backoff.html
174
218
  #
@@ -176,16 +220,40 @@ module Aws::STS
176
220
  # The maximum number of times to retry failed requests. Only
177
221
  # ~ 500 level server errors and certain ~ 400 level client errors
178
222
  # are retried. Generally, these are throttling errors, data
179
- # checksum errors, networking errors, timeout errors and auth
180
- # errors from expired credentials.
223
+ # checksum errors, networking errors, timeout errors, auth errors,
224
+ # endpoint discovery, and errors from expired credentials.
225
+ # This option is only used in the `legacy` retry mode.
181
226
  #
182
227
  # @option options [Integer] :retry_max_delay (0)
183
- # The maximum number of seconds to delay between retries (0 for no limit) used by the default backoff function.
228
+ # The maximum number of seconds to delay between retries (0 for no limit)
229
+ # used by the default backoff function. This option is only used in the
230
+ # `legacy` retry mode.
231
+ #
232
+ # @option options [String] :retry_mode ("legacy")
233
+ # Specifies which retry algorithm to use. Values are:
234
+ #
235
+ # * `legacy` - The pre-existing retry behavior. This is default value if
236
+ # no retry mode is provided.
237
+ #
238
+ # * `standard` - A standardized set of retry rules across the AWS SDKs.
239
+ # This includes support for retry quotas, which limit the number of
240
+ # unsuccessful retries a client can make.
241
+ #
242
+ # * `adaptive` - An experimental retry mode that includes all the
243
+ # functionality of `standard` mode along with automatic client side
244
+ # throttling. This is a provisional mode that may change behavior
245
+ # in the future.
246
+ #
184
247
  #
185
248
  # @option options [String] :secret_access_key
186
249
  #
187
250
  # @option options [String] :session_token
188
251
  #
252
+ # @option options [String] :sts_regional_endpoints ("regional")
253
+ # Passing in 'regional' to enable regional endpoint for STS for all supported
254
+ # regions (except 'aws-global'). Using 'legacy' mode will force all legacy
255
+ # regions to resolve to the STS global endpoint.
256
+ #
189
257
  # @option options [Boolean] :stub_responses (false)
190
258
  # Causes the client to return stubbed responses. By default
191
259
  # fake responses are generated and returned. You can specify
@@ -199,46 +267,78 @@ module Aws::STS
199
267
  # When `true`, request parameters are validated before
200
268
  # sending the request.
201
269
  #
270
+ # @option options [URI::HTTP,String] :http_proxy A proxy to send
271
+ # requests through. Formatted like 'http://proxy.com:123'.
272
+ #
273
+ # @option options [Float] :http_open_timeout (15) The number of
274
+ # seconds to wait when opening a HTTP session before raising a
275
+ # `Timeout::Error`.
276
+ #
277
+ # @option options [Integer] :http_read_timeout (60) The default
278
+ # number of seconds to wait for response data. This value can
279
+ # safely be set per-request on the session.
280
+ #
281
+ # @option options [Float] :http_idle_timeout (5) The number of
282
+ # seconds a connection is allowed to sit idle before it is
283
+ # considered stale. Stale connections are closed and removed
284
+ # from the pool before making a request.
285
+ #
286
+ # @option options [Float] :http_continue_timeout (1) The number of
287
+ # seconds to wait for a 100-continue response before sending the
288
+ # request body. This option has no effect unless the request has
289
+ # "Expect" header set to "100-continue". Defaults to `nil` which
290
+ # disables this behaviour. This value can safely be set per
291
+ # request on the session.
292
+ #
293
+ # @option options [Boolean] :http_wire_trace (false) When `true`,
294
+ # HTTP debug output will be sent to the `:logger`.
295
+ #
296
+ # @option options [Boolean] :ssl_verify_peer (true) When `true`,
297
+ # SSL peer certificates are verified when establishing a
298
+ # connection.
299
+ #
300
+ # @option options [String] :ssl_ca_bundle Full path to the SSL
301
+ # certificate authority bundle file that should be used when
302
+ # verifying peer certificates. If you do not pass
303
+ # `:ssl_ca_bundle` or `:ssl_ca_directory` the the system default
304
+ # will be used if available.
305
+ #
306
+ # @option options [String] :ssl_ca_directory Full path of the
307
+ # directory that contains the unbundled SSL certificate
308
+ # authority files for verifying peer certificates. If you do
309
+ # not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the
310
+ # system default will be used if available.
311
+ #
202
312
  def initialize(*args)
203
313
  super
204
314
  end
205
315
 
206
316
  # @!group API Operations
207
317
 
208
- # Returns a set of temporary security credentials (consisting of an
209
- # access key ID, a secret access key, and a security token) that you can
210
- # use to access AWS resources that you might not normally have access
211
- # to. Typically, you use `AssumeRole` for cross-account access or
212
- # federation. For a comparison of `AssumeRole` with the other APIs that
213
- # produce temporary credentials, see [Requesting Temporary Security
214
- # Credentials][1] and [Comparing the AWS STS APIs][2] in the *IAM User
215
- # Guide*.
216
- #
217
- # **Important:** You cannot call `AssumeRole` by using AWS root account
218
- # credentials; access is denied. You must use credentials for an IAM
219
- # user or an IAM role to call `AssumeRole`.
318
+ # Returns a set of temporary security credentials that you can use to
319
+ # access AWS resources that you might not normally have access to. These
320
+ # temporary credentials consist of an access key ID, a secret access
321
+ # key, and a security token. Typically, you use `AssumeRole` within your
322
+ # account or for cross-account access. For a comparison of `AssumeRole`
323
+ # with other API operations that produce temporary credentials, see
324
+ # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
325
+ # STS API operations][2] in the *IAM User Guide*.
326
+ #
327
+ # You cannot use AWS account root user credentials to call `AssumeRole`.
328
+ # You must use credentials for an IAM user or an IAM role to call
329
+ # `AssumeRole`.
220
330
  #
221
331
  # For cross-account access, imagine that you own multiple accounts and
222
332
  # need to access resources in each account. You could create long-term
223
333
  # credentials in each account to access those resources. However,
224
334
  # managing all those credentials and remembering which one can access
225
335
  # which account can be time consuming. Instead, you can create one set
226
- # of long-term credentials in one account and then use temporary
227
- # security credentials to access all the other accounts by assuming
228
- # roles in those accounts. For more information about roles, see [IAM
229
- # Roles (Delegation and Federation)][3] in the *IAM User Guide*.
230
- #
231
- # For federation, you can, for example, grant single sign-on access to
232
- # the AWS Management Console. If you already have an identity and
233
- # authentication system in your corporate network, you don't have to
234
- # recreate user identities in AWS in order to grant those user
235
- # identities access to AWS. Instead, after a user has been
236
- # authenticated, you call `AssumeRole` (and specify the role with the
237
- # appropriate permissions) to get temporary security credentials for
238
- # that user. With those temporary security credentials, you construct a
239
- # sign-in URL that users can use to access the console. For more
240
- # information, see [Common Scenarios for Temporary Credentials][4] in
241
- # the *IAM User Guide*.
336
+ # of long-term credentials in one account. Then use temporary security
337
+ # credentials to access all the other accounts by assuming roles in
338
+ # those accounts. For more information about roles, see [IAM Roles][3]
339
+ # in the *IAM User Guide*.
340
+ #
341
+ # **Session Duration**
242
342
  #
243
343
  # By default, the temporary security credentials created by `AssumeRole`
244
344
  # last for one hour. However, you can use the optional `DurationSeconds`
@@ -246,85 +346,108 @@ module Aws::STS
246
346
  # value from 900 seconds (15 minutes) up to the maximum session duration
247
347
  # setting for the role. This setting can have a value from 1 hour to 12
248
348
  # hours. To learn how to view the maximum value for your role, see [View
249
- # the Maximum Session Duration Setting for a Role][5] in the *IAM User
349
+ # the Maximum Session Duration Setting for a Role][4] in the *IAM User
250
350
  # Guide*. The maximum session duration limit applies when you use the
251
- # `AssumeRole*` API operations or the `assume-role*` CLI operations but
252
- # does not apply when you use those operations to create a console URL.
253
- # For more information, see [Using IAM Roles][6] in the *IAM User
254
- # Guide*.
351
+ # `AssumeRole*` API operations or the `assume-role*` CLI commands.
352
+ # However the limit does not apply when you use those operations to
353
+ # create a console URL. For more information, see [Using IAM Roles][5]
354
+ # in the *IAM User Guide*.
355
+ #
356
+ # **Permissions**
255
357
  #
256
358
  # The temporary security credentials created by `AssumeRole` can be used
257
- # to make API calls to any AWS service with the following exception: you
258
- # cannot call the STS service's `GetFederationToken` or
259
- # `GetSessionToken` APIs.
260
- #
261
- # Optionally, you can pass an IAM access policy to this operation. If
262
- # you choose not to pass a policy, the temporary security credentials
263
- # that are returned by the operation have the permissions that are
264
- # defined in the access policy of the role that is being assumed. If you
265
- # pass a policy to this operation, the temporary security credentials
266
- # that are returned by the operation have the permissions that are
267
- # allowed by both the access policy of the role that is being assumed,
268
- # <i> <b>and</b> </i> the policy that you pass. This gives you a way to
269
- # further restrict the permissions for the resulting temporary security
270
- # credentials. You cannot use the passed policy to grant permissions
271
- # that are in excess of those allowed by the access policy of the role
272
- # that is being assumed. For more information, see [Permissions for
273
- # AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][7] in
359
+ # to make API calls to any AWS service with the following exception: You
360
+ # cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
361
+ # operations.
362
+ #
363
+ # (Optional) You can pass inline or managed [session policies][6] to
364
+ # this operation. You can pass a single JSON policy document to use as
365
+ # an inline session policy. You can also specify up to 10 managed
366
+ # policies to use as managed session policies. The plain text that you
367
+ # use for both inline and managed session policies can't exceed 2,048
368
+ # characters. Passing policies to this operation returns new temporary
369
+ # credentials. The resulting session's permissions are the intersection
370
+ # of the role's identity-based policy and the session policies. You can
371
+ # use the role's temporary credentials in subsequent AWS API calls to
372
+ # access resources in the account that owns the role. You cannot use
373
+ # session policies to grant more permissions than those allowed by the
374
+ # identity-based policy of the role that is being assumed. For more
375
+ # information, see [Session Policies][6] in the *IAM User Guide*.
376
+ #
377
+ # To assume a role from a different account, your AWS account must be
378
+ # trusted by the role. The trust relationship is defined in the role's
379
+ # trust policy when the role is created. That trust policy states which
380
+ # accounts are allowed to delegate that access to users in the account.
381
+ #
382
+ # A user who wants to access a role in a different account must also
383
+ # have permissions that are delegated from the user account
384
+ # administrator. The administrator must attach a policy that allows the
385
+ # user to call `AssumeRole` for the ARN of the role in the other
386
+ # account. If the user is in the same account as the role, then you can
387
+ # do either of the following:
388
+ #
389
+ # * Attach a policy to the user (identical to the previous user in a
390
+ # different account).
391
+ #
392
+ # * Add the user as a principal directly in the role's trust policy.
393
+ #
394
+ # In this case, the trust policy acts as an IAM resource-based policy.
395
+ # Users in the same account as the role do not need explicit permission
396
+ # to assume the role. For more information about trust policies and
397
+ # resource-based policies, see [IAM Policies][7] in the *IAM User
398
+ # Guide*.
399
+ #
400
+ # **Tags**
401
+ #
402
+ # (Optional) You can pass tag key-value pairs to your session. These
403
+ # tags are called session tags. For more information about session tags,
404
+ # see [Passing Session Tags in STS][8] in the *IAM User Guide*.
405
+ #
406
+ # An administrator must grant you the permissions necessary to pass
407
+ # session tags. The administrator can also create granular permissions
408
+ # to allow you to pass only specific session tags. For more information,
409
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
274
410
  # the *IAM User Guide*.
275
411
  #
276
- # To assume a role, your AWS account must be trusted by the role. The
277
- # trust relationship is defined in the role's trust policy when the
278
- # role is created. That trust policy states which accounts are allowed
279
- # to delegate access to this account's role.
280
- #
281
- # The user who wants to access the role must also have permissions
282
- # delegated from the role's administrator. If the user is in a
283
- # different account than the role, then the user's administrator must
284
- # attach a policy that allows the user to call AssumeRole on the ARN of
285
- # the role in the other account. If the user is in the same account as
286
- # the role, then you can either attach a policy to the user (identical
287
- # to the previous different account user), or you can add the user as a
288
- # principal directly in the role's trust policy. In this case, the
289
- # trust policy acts as the only resource-based policy in IAM, and users
290
- # in the same account as the role do not need explicit permission to
291
- # assume the role. For more information about trust policies and
292
- # resource-based policies, see [IAM Policies][8] in the *IAM User
293
- # Guide*.
412
+ # You can set the session tags as transitive. Transitive tags persist
413
+ # during role chaining. For more information, see [Chaining Roles with
414
+ # Session Tags][10] in the *IAM User Guide*.
294
415
  #
295
416
  # **Using MFA with AssumeRole**
296
417
  #
297
- # You can optionally include multi-factor authentication (MFA)
418
+ # (Optional) You can include multi-factor authentication (MFA)
298
419
  # information when you call `AssumeRole`. This is useful for
299
- # cross-account scenarios in which you want to make sure that the user
300
- # who is assuming the role has been authenticated using an AWS MFA
301
- # device. In that scenario, the trust policy of the role being assumed
302
- # includes a condition that tests for MFA authentication; if the caller
303
- # does not include valid MFA information, the request to assume the role
304
- # is denied. The condition in a trust policy that tests for MFA
305
- # authentication might look like the following example.
420
+ # cross-account scenarios to ensure that the user that assumes the role
421
+ # has been authenticated with an AWS MFA device. In that scenario, the
422
+ # trust policy of the role being assumed includes a condition that tests
423
+ # for MFA authentication. If the caller does not include valid MFA
424
+ # information, the request to assume the role is denied. The condition
425
+ # in a trust policy that tests for MFA authentication might look like
426
+ # the following example.
306
427
  #
307
428
  # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
308
429
  #
309
- # For more information, see [Configuring MFA-Protected API Access][9] in
310
- # the *IAM User Guide* guide.
430
+ # For more information, see [Configuring MFA-Protected API Access][11]
431
+ # in the *IAM User Guide* guide.
311
432
  #
312
433
  # To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
313
434
  # and `TokenCode` parameters. The `SerialNumber` value identifies the
314
435
  # user's hardware or virtual MFA device. The `TokenCode` is the
315
- # time-based one-time password (TOTP) that the MFA devices produces.
436
+ # time-based one-time password (TOTP) that the MFA device produces.
316
437
  #
317
438
  #
318
439
  #
319
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
320
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
321
- # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html
322
- # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction
323
- # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
324
- # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
325
- # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
326
- # [8]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
327
- # [9]: http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
440
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
441
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
442
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
443
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
444
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
445
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
446
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
447
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
448
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
449
+ # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
450
+ # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
328
451
  #
329
452
  # @option params [required, String] :role_arn
330
453
  # The Amazon Resource Name (ARN) of the role to assume.
@@ -337,47 +460,82 @@ module Aws::STS
337
460
  # cross-account scenarios, the role session name is visible to, and can
338
461
  # be logged by the account that owns the role. The role session name is
339
462
  # also used in the ARN of the assumed role principal. This means that
340
- # subsequent cross-account API requests using the temporary security
463
+ # subsequent cross-account API requests that use the temporary security
341
464
  # credentials will expose the role session name to the external account
342
- # in their CloudTrail logs.
465
+ # in their AWS CloudTrail logs.
343
466
  #
344
467
  # The regex used to validate this parameter is a string of characters
345
468
  # consisting of upper- and lower-case alphanumeric characters with no
346
469
  # spaces. You can also include underscores or any of the following
347
470
  # characters: =,.@-
348
471
  #
349
- # @option params [String] :policy
350
- # An IAM policy in JSON format.
351
- #
352
- # This parameter is optional. If you pass a policy, the temporary
353
- # security credentials that are returned by the operation have the
354
- # permissions that are allowed by both (the intersection of) the access
355
- # policy of the role that is being assumed, *and* the policy that you
356
- # pass. This gives you a way to further restrict the permissions for the
357
- # resulting temporary security credentials. You cannot use the passed
358
- # policy to grant permissions that are in excess of those allowed by the
359
- # access policy of the role that is being assumed. For more information,
360
- # see [Permissions for AssumeRole, AssumeRoleWithSAML, and
361
- # AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
472
+ # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
473
+ # The Amazon Resource Names (ARNs) of the IAM managed policies that you
474
+ # want to use as managed session policies. The policies must exist in
475
+ # the same account as the role.
362
476
  #
363
- # The format for this parameter, as described by its regex pattern, is a
364
- # string of characters up to 2048 characters in length. The characters
477
+ # This parameter is optional. You can provide up to 10 managed policy
478
+ # ARNs. However, the plain text that you use for both inline and managed
479
+ # session policies can't exceed 2,048 characters. For more information
480
+ # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
481
+ # Namespaces][1] in the AWS General Reference.
482
+ #
483
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
484
+ # tags into a packed binary format that has a separate limit. Your
485
+ # request can fail for this limit even if your plain text meets the
486
+ # other requirements. The `PackedPolicySize` response element indicates
487
+ # by percentage how close the policies and tags for your request are to
488
+ # the upper size limit.
489
+ #
490
+ # </note>
491
+ #
492
+ # Passing policies to this operation returns new temporary credentials.
493
+ # The resulting session's permissions are the intersection of the
494
+ # role's identity-based policy and the session policies. You can use
495
+ # the role's temporary credentials in subsequent AWS API calls to
496
+ # access resources in the account that owns the role. You cannot use
497
+ # session policies to grant more permissions than those allowed by the
498
+ # identity-based policy of the role that is being assumed. For more
499
+ # information, see [Session Policies][2] in the *IAM User Guide*.
500
+ #
501
+ #
502
+ #
503
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
504
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
505
+ #
506
+ # @option params [String] :policy
507
+ # An IAM policy in JSON format that you want to use as an inline session
508
+ # policy.
509
+ #
510
+ # This parameter is optional. Passing policies to this operation returns
511
+ # new temporary credentials. The resulting session's permissions are
512
+ # the intersection of the role's identity-based policy and the session
513
+ # policies. You can use the role's temporary credentials in subsequent
514
+ # AWS API calls to access resources in the account that owns the role.
515
+ # You cannot use session policies to grant more permissions than those
516
+ # allowed by the identity-based policy of the role that is being
517
+ # assumed. For more information, see [Session Policies][1] in the *IAM
518
+ # User Guide*.
519
+ #
520
+ # The plain text that you use for both inline and managed session
521
+ # policies can't exceed 2,048 characters. The JSON policy characters
365
522
  # can be any ASCII character from the space character to the end of the
366
- # valid character list (\\u0020-\\u00FF). It can also include the tab
367
- # (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
523
+ # valid character list (\\u0020 through \\u00FF). It can also include
524
+ # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
368
525
  # characters.
369
526
  #
370
- # <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
371
- # internal conversion compresses it into a packed binary format with a
372
- # separate limit. The PackedPolicySize response element indicates by
373
- # percentage how close to the upper size limit the policy is, with 100%
374
- # equaling the maximum allowed size.
527
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
528
+ # tags into a packed binary format that has a separate limit. Your
529
+ # request can fail for this limit even if your plain text meets the
530
+ # other requirements. The `PackedPolicySize` response element indicates
531
+ # by percentage how close the policies and tags for your request are to
532
+ # the upper size limit.
375
533
  #
376
534
  # </note>
377
535
  #
378
536
  #
379
537
  #
380
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
538
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
381
539
  #
382
540
  # @option params [Integer] :duration_seconds
383
541
  # The duration, in seconds, of the role session. The value can range
@@ -390,7 +548,7 @@ module Aws::STS
390
548
  # see [View the Maximum Session Duration Setting for a Role][1] in the
391
549
  # *IAM User Guide*.
392
550
  #
393
- # By default, the value is set to 3600 seconds.
551
+ # By default, the value is set to `3600` seconds.
394
552
  #
395
553
  # <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
396
554
  # console session that you might request using the returned credentials.
@@ -404,29 +562,91 @@ module Aws::STS
404
562
  #
405
563
  #
406
564
  #
407
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
408
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
565
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
566
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
567
+ #
568
+ # @option params [Array<Types::Tag>] :tags
569
+ # A list of session tags that you want to pass. Each session tag
570
+ # consists of a key name and an associated value. For more information
571
+ # about session tags, see [Tagging AWS STS Sessions][1] in the *IAM User
572
+ # Guide*.
573
+ #
574
+ # This parameter is optional. You can pass up to 50 session tags. The
575
+ # plain text session tag keys can’t exceed 128 characters, and the
576
+ # values can’t exceed 256 characters. For these and additional limits,
577
+ # see [IAM and STS Character Limits][2] in the *IAM User Guide*.
578
+ #
579
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
580
+ # tags into a packed binary format that has a separate limit. Your
581
+ # request can fail for this limit even if your plain text meets the
582
+ # other requirements. The `PackedPolicySize` response element indicates
583
+ # by percentage how close the policies and tags for your request are to
584
+ # the upper size limit.
585
+ #
586
+ # </note>
587
+ #
588
+ # You can pass a session tag with the same key as a tag that is already
589
+ # attached to the role. When you do, session tags override a role tag
590
+ # with the same key.
591
+ #
592
+ # Tag key–value pairs are not case sensitive, but case is preserved.
593
+ # This means that you cannot have separate `Department` and `department`
594
+ # tag keys. Assume that the role has the `Department`=`Marketing` tag
595
+ # and you pass the `department`=`engineering` session tag. `Department`
596
+ # and `department` are not saved as separate tags, and the session tag
597
+ # passed in the request takes precedence over the role tag.
598
+ #
599
+ # Additionally, if you used temporary credentials to perform this
600
+ # operation, the new session inherits any transitive session tags from
601
+ # the calling session. If you pass a session tag with the same key as an
602
+ # inherited tag, the operation fails. To view the inherited tags for a
603
+ # session, see the AWS CloudTrail logs. For more information, see
604
+ # [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
605
+ #
606
+ #
607
+ #
608
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
609
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
610
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs
611
+ #
612
+ # @option params [Array<String>] :transitive_tag_keys
613
+ # A list of keys for session tags that you want to set as transitive. If
614
+ # you set a tag key as transitive, the corresponding key and value
615
+ # passes to subsequent sessions in a role chain. For more information,
616
+ # see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
617
+ #
618
+ # This parameter is optional. When you set session tags as transitive,
619
+ # the session policy and session tags packed binary limit is not
620
+ # affected.
621
+ #
622
+ # If you choose not to specify a transitive tag key, then no tags are
623
+ # passed from this session to any subsequent sessions.
624
+ #
625
+ #
626
+ #
627
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
409
628
  #
410
629
  # @option params [String] :external_id
411
- # A unique identifier that is used by third parties when assuming roles
412
- # in their customers' accounts. For each role that the third party can
413
- # assume, they should instruct their customers to ensure the role's
414
- # trust policy checks for the external ID that the third party
415
- # generated. Each time the third party assumes the role, they should
416
- # pass the customer's external ID. The external ID is useful in order
417
- # to help third parties bind a role to the customer who created it. For
418
- # more information about the external ID, see [How to Use an External ID
419
- # When Granting Access to Your AWS Resources to a Third Party][1] in the
420
- # *IAM User Guide*.
630
+ # A unique identifier that might be required when you assume a role in
631
+ # another account. If the administrator of the account to which the role
632
+ # belongs provided you with an external ID, then provide that value in
633
+ # the `ExternalId` parameter. This value can be any string, such as a
634
+ # passphrase or account number. A cross-account role is usually set up
635
+ # to trust everyone in an account. Therefore, the administrator of the
636
+ # trusting account might send an external ID to the administrator of the
637
+ # trusted account. That way, only someone with the ID can assume the
638
+ # role, rather than everyone in the account. For more information about
639
+ # the external ID, see [How to Use an External ID When Granting Access
640
+ # to Your AWS Resources to a Third Party][1] in the *IAM User Guide*.
421
641
  #
422
- # The regex used to validated this parameter is a string of characters
642
+ # The regex used to validate this parameter is a string of characters
423
643
  # consisting of upper- and lower-case alphanumeric characters with no
424
644
  # spaces. You can also include underscores or any of the following
425
645
  # characters: =,.@:/-
426
646
  #
427
647
  #
428
648
  #
429
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
649
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
430
650
  #
431
651
  # @option params [String] :serial_number
432
652
  # The identification number of the MFA device that is associated with
@@ -462,11 +682,28 @@ module Aws::STS
462
682
  # @example Example: To assume a role
463
683
  #
464
684
  # resp = client.assume_role({
465
- # duration_seconds: 3600,
466
685
  # external_id: "123ABC",
467
- # policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}",
686
+ # policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
468
687
  # role_arn: "arn:aws:iam::123456789012:role/demo",
469
- # role_session_name: "Bob",
688
+ # role_session_name: "testAssumeRoleSession",
689
+ # tags: [
690
+ # {
691
+ # key: "Project",
692
+ # value: "Unicorn",
693
+ # },
694
+ # {
695
+ # key: "Team",
696
+ # value: "Automation",
697
+ # },
698
+ # {
699
+ # key: "Cost-Center",
700
+ # value: "12345",
701
+ # },
702
+ # ],
703
+ # transitive_tag_keys: [
704
+ # "Project",
705
+ # "Cost-Center",
706
+ # ],
470
707
  # })
471
708
  #
472
709
  # resp.to_h outputs the following:
@@ -481,7 +718,7 @@ module Aws::STS
481
718
  # secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
482
719
  # session_token: "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==",
483
720
  # },
484
- # packed_policy_size: 6,
721
+ # packed_policy_size: 8,
485
722
  # }
486
723
  #
487
724
  # @example Request syntax with placeholder values
@@ -489,8 +726,20 @@ module Aws::STS
489
726
  # resp = client.assume_role({
490
727
  # role_arn: "arnType", # required
491
728
  # role_session_name: "roleSessionNameType", # required
729
+ # policy_arns: [
730
+ # {
731
+ # arn: "arnType",
732
+ # },
733
+ # ],
492
734
  # policy: "sessionPolicyDocumentType",
493
735
  # duration_seconds: 1,
736
+ # tags: [
737
+ # {
738
+ # key: "tagKeyType", # required
739
+ # value: "tagValueType", # required
740
+ # },
741
+ # ],
742
+ # transitive_tag_keys: ["tagKeyType"],
494
743
  # external_id: "externalIdType",
495
744
  # serial_number: "serialNumberType",
496
745
  # token_code: "tokenCodeType",
@@ -520,15 +769,17 @@ module Aws::STS
520
769
  # provides a mechanism for tying an enterprise identity store or
521
770
  # directory to role-based AWS access without user-specific credentials
522
771
  # or configuration. For a comparison of `AssumeRoleWithSAML` with the
523
- # other APIs that produce temporary credentials, see [Requesting
524
- # Temporary Security Credentials][1] and [Comparing the AWS STS APIs][2]
525
- # in the *IAM User Guide*.
772
+ # other API operations that produce temporary credentials, see
773
+ # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
774
+ # STS API operations][2] in the *IAM User Guide*.
526
775
  #
527
776
  # The temporary security credentials returned by this operation consist
528
777
  # of an access key ID, a secret access key, and a security token.
529
778
  # Applications can use these temporary security credentials to sign
530
779
  # calls to AWS services.
531
780
  #
781
+ # **Session Duration**
782
+ #
532
783
  # By default, the temporary security credentials created by
533
784
  # `AssumeRoleWithSAML` last for one hour. However, you can use the
534
785
  # optional `DurationSeconds` parameter to specify the duration of your
@@ -541,37 +792,30 @@ module Aws::STS
541
792
  # for your role, see [View the Maximum Session Duration Setting for a
542
793
  # Role][3] in the *IAM User Guide*. The maximum session duration limit
543
794
  # applies when you use the `AssumeRole*` API operations or the
544
- # `assume-role*` CLI operations but does not apply when you use those
545
- # operations to create a console URL. For more information, see [Using
546
- # IAM Roles][4] in the *IAM User Guide*.
795
+ # `assume-role*` CLI commands. However the limit does not apply when you
796
+ # use those operations to create a console URL. For more information,
797
+ # see [Using IAM Roles][4] in the *IAM User Guide*.
798
+ #
799
+ # **Permissions**
547
800
  #
548
801
  # The temporary security credentials created by `AssumeRoleWithSAML` can
549
802
  # be used to make API calls to any AWS service with the following
550
- # exception: you cannot call the STS service's `GetFederationToken` or
551
- # `GetSessionToken` APIs.
552
- #
553
- # Optionally, you can pass an IAM access policy to this operation. If
554
- # you choose not to pass a policy, the temporary security credentials
555
- # that are returned by the operation have the permissions that are
556
- # defined in the access policy of the role that is being assumed. If you
557
- # pass a policy to this operation, the temporary security credentials
558
- # that are returned by the operation have the permissions that are
559
- # allowed by the intersection of both the access policy of the role that
560
- # is being assumed, <i> <b>and</b> </i> the policy that you pass. This
561
- # means that both policies must grant the permission for the action to
562
- # be allowed. This gives you a way to further restrict the permissions
563
- # for the resulting temporary security credentials. You cannot use the
564
- # passed policy to grant permissions that are in excess of those allowed
565
- # by the access policy of the role that is being assumed. For more
566
- # information, see [Permissions for AssumeRole, AssumeRoleWithSAML, and
567
- # AssumeRoleWithWebIdentity][5] in the *IAM User Guide*.
568
- #
569
- # Before your application can call `AssumeRoleWithSAML`, you must
570
- # configure your SAML identity provider (IdP) to issue the claims
571
- # required by AWS. Additionally, you must use AWS Identity and Access
572
- # Management (IAM) to create a SAML provider entity in your AWS account
573
- # that represents your identity provider, and create an IAM role that
574
- # specifies this SAML provider in its trust policy.
803
+ # exception: you cannot call the STS `GetFederationToken` or
804
+ # `GetSessionToken` API operations.
805
+ #
806
+ # (Optional) You can pass inline or managed [session policies][5] to
807
+ # this operation. You can pass a single JSON policy document to use as
808
+ # an inline session policy. You can also specify up to 10 managed
809
+ # policies to use as managed session policies. The plain text that you
810
+ # use for both inline and managed session policies can't exceed 2,048
811
+ # characters. Passing policies to this operation returns new temporary
812
+ # credentials. The resulting session's permissions are the intersection
813
+ # of the role's identity-based policy and the session policies. You can
814
+ # use the role's temporary credentials in subsequent AWS API calls to
815
+ # access resources in the account that owns the role. You cannot use
816
+ # session policies to grant more permissions than those allowed by the
817
+ # identity-based policy of the role that is being assumed. For more
818
+ # information, see [Session Policies][5] in the *IAM User Guide*.
575
819
  #
576
820
  # Calling `AssumeRoleWithSAML` does not require the use of AWS security
577
821
  # credentials. The identity of the caller is validated by using keys in
@@ -580,33 +824,82 @@ module Aws::STS
580
824
  #
581
825
  # Calling `AssumeRoleWithSAML` can result in an entry in your AWS
582
826
  # CloudTrail logs. The entry includes the value in the `NameID` element
583
- # of the SAML assertion. We recommend that you use a NameIDType that is
584
- # not associated with any personally identifiable information (PII). For
585
- # example, you could instead use the Persistent Identifier
827
+ # of the SAML assertion. We recommend that you use a `NameIDType` that
828
+ # is not associated with any personally identifiable information (PII).
829
+ # For example, you could instead use the persistent identifier
586
830
  # (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
587
831
  #
832
+ # **Tags**
833
+ #
834
+ # (Optional) You can configure your IdP to pass attributes into your
835
+ # SAML assertion as session tags. Each session tag consists of a key
836
+ # name and an associated value. For more information about session tags,
837
+ # see [Passing Session Tags in STS][6] in the *IAM User Guide*.
838
+ #
839
+ # You can pass up to 50 session tags. The plain text session tag keys
840
+ # can’t exceed 128 characters and the values can’t exceed 256
841
+ # characters. For these and additional limits, see [IAM and STS
842
+ # Character Limits][7] in the *IAM User Guide*.
843
+ #
844
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
845
+ # tags into a packed binary format that has a separate limit. Your
846
+ # request can fail for this limit even if your plain text meets the
847
+ # other requirements. The `PackedPolicySize` response element indicates
848
+ # by percentage how close the policies and tags for your request are to
849
+ # the upper size limit.
850
+ #
851
+ # </note>
852
+ #
853
+ # You can pass a session tag with the same key as a tag that is attached
854
+ # to the role. When you do, session tags override the role's tags with
855
+ # the same key.
856
+ #
857
+ # An administrator must grant you the permissions necessary to pass
858
+ # session tags. The administrator can also create granular permissions
859
+ # to allow you to pass only specific session tags. For more information,
860
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][8] in
861
+ # the *IAM User Guide*.
862
+ #
863
+ # You can set the session tags as transitive. Transitive tags persist
864
+ # during role chaining. For more information, see [Chaining Roles with
865
+ # Session Tags][9] in the *IAM User Guide*.
866
+ #
867
+ # **SAML Configuration**
868
+ #
869
+ # Before your application can call `AssumeRoleWithSAML`, you must
870
+ # configure your SAML identity provider (IdP) to issue the claims
871
+ # required by AWS. Additionally, you must use AWS Identity and Access
872
+ # Management (IAM) to create a SAML provider entity in your AWS account
873
+ # that represents your identity provider. You must also create an IAM
874
+ # role that specifies this SAML provider in its trust policy.
875
+ #
588
876
  # For more information, see the following resources:
589
877
  #
590
- # * [About SAML 2.0-based Federation][6] in the *IAM User Guide*.
878
+ # * [About SAML 2.0-based Federation][10] in the *IAM User Guide*.
591
879
  #
592
- # * [Creating SAML Identity Providers][7] in the *IAM User Guide*.
880
+ # * [Creating SAML Identity Providers][11] in the *IAM User Guide*.
593
881
  #
594
- # * [Configuring a Relying Party and Claims][8] in the *IAM User Guide*.
882
+ # * [Configuring a Relying Party and Claims][12] in the *IAM User
883
+ # Guide*.
595
884
  #
596
- # * [Creating a Role for SAML 2.0 Federation][9] in the *IAM User
885
+ # * [Creating a Role for SAML 2.0 Federation][13] in the *IAM User
597
886
  # Guide*.
598
887
  #
599
888
  #
600
889
  #
601
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
602
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
603
- # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
604
- # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
605
- # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
606
- # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
607
- # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
608
- # [8]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
609
- # [9]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
890
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
891
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
892
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
893
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
894
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
895
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
896
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
897
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
898
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
899
+ # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
900
+ # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
901
+ # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
902
+ # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
610
903
  #
611
904
  # @option params [required, String] :role_arn
612
905
  # The Amazon Resource Name (ARN) of the role that the caller is
@@ -620,44 +913,79 @@ module Aws::STS
620
913
  # The base-64 encoded SAML authentication response provided by the IdP.
621
914
  #
622
915
  # For more information, see [Configuring a Relying Party and Adding
623
- # Claims][1] in the *Using IAM* guide.
916
+ # Claims][1] in the *IAM User Guide*.
624
917
  #
625
918
  #
626
919
  #
627
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
920
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
628
921
  #
629
- # @option params [String] :policy
630
- # An IAM policy in JSON format.
631
- #
632
- # The policy parameter is optional. If you pass a policy, the temporary
633
- # security credentials that are returned by the operation have the
634
- # permissions that are allowed by both the access policy of the role
635
- # that is being assumed, <i> <b>and</b> </i> the policy that you pass.
636
- # This gives you a way to further restrict the permissions for the
637
- # resulting temporary security credentials. You cannot use the passed
638
- # policy to grant permissions that are in excess of those allowed by the
639
- # access policy of the role that is being assumed. For more information,
640
- # [Permissions for AssumeRole, AssumeRoleWithSAML, and
641
- # AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
922
+ # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
923
+ # The Amazon Resource Names (ARNs) of the IAM managed policies that you
924
+ # want to use as managed session policies. The policies must exist in
925
+ # the same account as the role.
642
926
  #
643
- # The format for this parameter, as described by its regex pattern, is a
644
- # string of characters up to 2048 characters in length. The characters
927
+ # This parameter is optional. You can provide up to 10 managed policy
928
+ # ARNs. However, the plain text that you use for both inline and managed
929
+ # session policies can't exceed 2,048 characters. For more information
930
+ # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
931
+ # Namespaces][1] in the AWS General Reference.
932
+ #
933
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
934
+ # tags into a packed binary format that has a separate limit. Your
935
+ # request can fail for this limit even if your plain text meets the
936
+ # other requirements. The `PackedPolicySize` response element indicates
937
+ # by percentage how close the policies and tags for your request are to
938
+ # the upper size limit.
939
+ #
940
+ # </note>
941
+ #
942
+ # Passing policies to this operation returns new temporary credentials.
943
+ # The resulting session's permissions are the intersection of the
944
+ # role's identity-based policy and the session policies. You can use
945
+ # the role's temporary credentials in subsequent AWS API calls to
946
+ # access resources in the account that owns the role. You cannot use
947
+ # session policies to grant more permissions than those allowed by the
948
+ # identity-based policy of the role that is being assumed. For more
949
+ # information, see [Session Policies][2] in the *IAM User Guide*.
950
+ #
951
+ #
952
+ #
953
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
954
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
955
+ #
956
+ # @option params [String] :policy
957
+ # An IAM policy in JSON format that you want to use as an inline session
958
+ # policy.
959
+ #
960
+ # This parameter is optional. Passing policies to this operation returns
961
+ # new temporary credentials. The resulting session's permissions are
962
+ # the intersection of the role's identity-based policy and the session
963
+ # policies. You can use the role's temporary credentials in subsequent
964
+ # AWS API calls to access resources in the account that owns the role.
965
+ # You cannot use session policies to grant more permissions than those
966
+ # allowed by the identity-based policy of the role that is being
967
+ # assumed. For more information, see [Session Policies][1] in the *IAM
968
+ # User Guide*.
969
+ #
970
+ # The plain text that you use for both inline and managed session
971
+ # policies can't exceed 2,048 characters. The JSON policy characters
645
972
  # can be any ASCII character from the space character to the end of the
646
- # valid character list (\\u0020-\\u00FF). It can also include the tab
647
- # (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
973
+ # valid character list (\\u0020 through \\u00FF). It can also include
974
+ # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
648
975
  # characters.
649
976
  #
650
- # <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
651
- # internal conversion compresses it into a packed binary format with a
652
- # separate limit. The PackedPolicySize response element indicates by
653
- # percentage how close to the upper size limit the policy is, with 100%
654
- # equaling the maximum allowed size.
977
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
978
+ # tags into a packed binary format that has a separate limit. Your
979
+ # request can fail for this limit even if your plain text meets the
980
+ # other requirements. The `PackedPolicySize` response element indicates
981
+ # by percentage how close the policies and tags for your request are to
982
+ # the upper size limit.
655
983
  #
656
984
  # </note>
657
985
  #
658
986
  #
659
987
  #
660
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
988
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
661
989
  #
662
990
  # @option params [Integer] :duration_seconds
663
991
  # The duration, in seconds, of the role session. Your role session lasts
@@ -673,7 +1001,7 @@ module Aws::STS
673
1001
  # maximum value for your role, see [View the Maximum Session Duration
674
1002
  # Setting for a Role][1] in the *IAM User Guide*.
675
1003
  #
676
- # By default, the value is set to 3600 seconds.
1004
+ # By default, the value is set to `3600` seconds.
677
1005
  #
678
1006
  # <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
679
1007
  # console session that you might request using the returned credentials.
@@ -687,8 +1015,8 @@ module Aws::STS
687
1015
  #
688
1016
  #
689
1017
  #
690
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
691
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
1018
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1019
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
692
1020
  #
693
1021
  # @return [Types::AssumeRoleWithSAMLResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
694
1022
  #
@@ -701,12 +1029,47 @@ module Aws::STS
701
1029
  # * {Types::AssumeRoleWithSAMLResponse#audience #audience} => String
702
1030
  # * {Types::AssumeRoleWithSAMLResponse#name_qualifier #name_qualifier} => String
703
1031
  #
1032
+ #
1033
+ # @example Example: To assume a role using a SAML assertion
1034
+ #
1035
+ # resp = client.assume_role_with_saml({
1036
+ # duration_seconds: 3600,
1037
+ # principal_arn: "arn:aws:iam::123456789012:saml-provider/SAML-test",
1038
+ # role_arn: "arn:aws:iam::123456789012:role/TestSaml",
1039
+ # saml_assertion: "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",
1040
+ # })
1041
+ #
1042
+ # resp.to_h outputs the following:
1043
+ # {
1044
+ # assumed_role_user: {
1045
+ # arn: "arn:aws:sts::123456789012:assumed-role/TestSaml",
1046
+ # assumed_role_id: "ARO456EXAMPLE789:TestSaml",
1047
+ # },
1048
+ # audience: "https://signin.aws.amazon.com/saml",
1049
+ # credentials: {
1050
+ # access_key_id: "ASIAV3ZUEFP6EXAMPLE",
1051
+ # expiration: Time.parse("2019-11-01T20:26:47Z"),
1052
+ # secret_access_key: "8P+SQvWIuLnKhh8d++jpw0nNmQRBZvNEXAMPLEKEY",
1053
+ # session_token: "IQoJb3JpZ2luX2VjEOz////////////////////wEXAMPLEtMSJHMEUCIDoKK3JH9uGQE1z0sINr5M4jk+Na8KHDcCYRVjJCZEvOAiEA3OvJGtw1EcViOleS2vhs8VdCKFJQWPQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==",
1054
+ # },
1055
+ # issuer: "https://integ.example.com/idp/shibboleth",
1056
+ # name_qualifier: "SbdGOnUkh1i4+EXAMPLExL/jEvs=",
1057
+ # packed_policy_size: 6,
1058
+ # subject: "SamlExample",
1059
+ # subject_type: "transient",
1060
+ # }
1061
+ #
704
1062
  # @example Request syntax with placeholder values
705
1063
  #
706
1064
  # resp = client.assume_role_with_saml({
707
1065
  # role_arn: "arnType", # required
708
1066
  # principal_arn: "arnType", # required
709
1067
  # saml_assertion: "SAMLAssertionType", # required
1068
+ # policy_arns: [
1069
+ # {
1070
+ # arn: "arnType",
1071
+ # },
1072
+ # ],
710
1073
  # policy: "sessionPolicyDocumentType",
711
1074
  # duration_seconds: 1,
712
1075
  # })
@@ -737,16 +1100,17 @@ module Aws::STS
737
1100
 
738
1101
  # Returns a set of temporary security credentials for users who have
739
1102
  # been authenticated in a mobile or web application with a web identity
740
- # provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,
741
- # or any OpenID Connect-compatible identity provider.
1103
+ # provider. Example providers include Amazon Cognito, Login with Amazon,
1104
+ # Facebook, Google, or any OpenID Connect-compatible identity provider.
742
1105
  #
743
1106
  # <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
744
- # can use Amazon Cognito with the [AWS SDK for iOS][1] and the [AWS SDK
745
- # for Android][2] to uniquely identify a user and supply the user with a
746
- # consistent identity throughout the lifetime of an application.
1107
+ # can use Amazon Cognito with the [AWS SDK for iOS Developer Guide][1]
1108
+ # and the [AWS SDK for Android Developer Guide][2] to uniquely identify
1109
+ # a user. You can also supply the user with a consistent identity
1110
+ # throughout the lifetime of an application.
747
1111
  #
748
1112
  # To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
749
- # in the *AWS SDK for Android Developer Guide* guide and [Amazon Cognito
1113
+ # in *AWS SDK for Android Developer Guide* and [Amazon Cognito
750
1114
  # Overview][4] in the *AWS SDK for iOS Developer Guide*.
751
1115
  #
752
1116
  # </note>
@@ -755,18 +1119,20 @@ module Aws::STS
755
1119
  # security credentials. Therefore, you can distribute an application
756
1120
  # (for example, on mobile devices) that requests temporary security
757
1121
  # credentials without including long-term AWS credentials in the
758
- # application, and without deploying server-based proxy services that
759
- # use long-term AWS credentials. Instead, the identity of the caller is
760
- # validated by using a token from the web identity provider. For a
761
- # comparison of `AssumeRoleWithWebIdentity` with the other APIs that
762
- # produce temporary credentials, see [Requesting Temporary Security
763
- # Credentials][5] and [Comparing the AWS STS APIs][6] in the *IAM User
764
- # Guide*.
1122
+ # application. You also don't need to deploy server-based proxy
1123
+ # services that use long-term AWS credentials. Instead, the identity of
1124
+ # the caller is validated by using a token from the web identity
1125
+ # provider. For a comparison of `AssumeRoleWithWebIdentity` with the
1126
+ # other API operations that produce temporary credentials, see
1127
+ # [Requesting Temporary Security Credentials][5] and [Comparing the AWS
1128
+ # STS API operations][6] in the *IAM User Guide*.
765
1129
  #
766
1130
  # The temporary security credentials returned by this API consist of an
767
1131
  # access key ID, a secret access key, and a security token. Applications
768
1132
  # can use these temporary security credentials to sign calls to AWS
769
- # service APIs.
1133
+ # service API operations.
1134
+ #
1135
+ # **Session Duration**
770
1136
  #
771
1137
  # By default, the temporary security credentials created by
772
1138
  # `AssumeRoleWithWebIdentity` last for one hour. However, you can use
@@ -777,30 +1143,68 @@ module Aws::STS
777
1143
  # value for your role, see [View the Maximum Session Duration Setting
778
1144
  # for a Role][7] in the *IAM User Guide*. The maximum session duration
779
1145
  # limit applies when you use the `AssumeRole*` API operations or the
780
- # `assume-role*` CLI operations but does not apply when you use those
781
- # operations to create a console URL. For more information, see [Using
782
- # IAM Roles][8] in the *IAM User Guide*.
1146
+ # `assume-role*` CLI commands. However the limit does not apply when you
1147
+ # use those operations to create a console URL. For more information,
1148
+ # see [Using IAM Roles][8] in the *IAM User Guide*.
1149
+ #
1150
+ # **Permissions**
783
1151
  #
784
1152
  # The temporary security credentials created by
785
1153
  # `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
786
1154
  # service with the following exception: you cannot call the STS
787
- # service's `GetFederationToken` or `GetSessionToken` APIs.
788
- #
789
- # Optionally, you can pass an IAM access policy to this operation. If
790
- # you choose not to pass a policy, the temporary security credentials
791
- # that are returned by the operation have the permissions that are
792
- # defined in the access policy of the role that is being assumed. If you
793
- # pass a policy to this operation, the temporary security credentials
794
- # that are returned by the operation have the permissions that are
795
- # allowed by both the access policy of the role that is being assumed,
796
- # <i> <b>and</b> </i> the policy that you pass. This gives you a way to
797
- # further restrict the permissions for the resulting temporary security
798
- # credentials. You cannot use the passed policy to grant permissions
799
- # that are in excess of those allowed by the access policy of the role
800
- # that is being assumed. For more information, see [Permissions for
801
- # AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][9] in
1155
+ # `GetFederationToken` or `GetSessionToken` API operations.
1156
+ #
1157
+ # (Optional) You can pass inline or managed [session policies][9] to
1158
+ # this operation. You can pass a single JSON policy document to use as
1159
+ # an inline session policy. You can also specify up to 10 managed
1160
+ # policies to use as managed session policies. The plain text that you
1161
+ # use for both inline and managed session policies can't exceed 2,048
1162
+ # characters. Passing policies to this operation returns new temporary
1163
+ # credentials. The resulting session's permissions are the intersection
1164
+ # of the role's identity-based policy and the session policies. You can
1165
+ # use the role's temporary credentials in subsequent AWS API calls to
1166
+ # access resources in the account that owns the role. You cannot use
1167
+ # session policies to grant more permissions than those allowed by the
1168
+ # identity-based policy of the role that is being assumed. For more
1169
+ # information, see [Session Policies][9] in the *IAM User Guide*.
1170
+ #
1171
+ # **Tags**
1172
+ #
1173
+ # (Optional) You can configure your IdP to pass attributes into your web
1174
+ # identity token as session tags. Each session tag consists of a key
1175
+ # name and an associated value. For more information about session tags,
1176
+ # see [Passing Session Tags in STS][10] in the *IAM User Guide*.
1177
+ #
1178
+ # You can pass up to 50 session tags. The plain text session tag keys
1179
+ # can’t exceed 128 characters and the values can’t exceed 256
1180
+ # characters. For these and additional limits, see [IAM and STS
1181
+ # Character Limits][11] in the *IAM User Guide*.
1182
+ #
1183
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1184
+ # tags into a packed binary format that has a separate limit. Your
1185
+ # request can fail for this limit even if your plain text meets the
1186
+ # other requirements. The `PackedPolicySize` response element indicates
1187
+ # by percentage how close the policies and tags for your request are to
1188
+ # the upper size limit.
1189
+ #
1190
+ # </note>
1191
+ #
1192
+ # You can pass a session tag with the same key as a tag that is attached
1193
+ # to the role. When you do, the session tag overrides the role tag with
1194
+ # the same key.
1195
+ #
1196
+ # An administrator must grant you the permissions necessary to pass
1197
+ # session tags. The administrator can also create granular permissions
1198
+ # to allow you to pass only specific session tags. For more information,
1199
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][12] in
802
1200
  # the *IAM User Guide*.
803
1201
  #
1202
+ # You can set the session tags as transitive. Transitive tags persist
1203
+ # during role chaining. For more information, see [Chaining Roles with
1204
+ # Session Tags][13] in the *IAM User Guide*.
1205
+ #
1206
+ # **Identities**
1207
+ #
804
1208
  # Before your application can call `AssumeRoleWithWebIdentity`, you must
805
1209
  # have an identity token from a supported identity provider and create a
806
1210
  # role that the application can assume. The role that your application
@@ -809,29 +1213,30 @@ module Aws::STS
809
1213
  # specified in the role's trust policy.
810
1214
  #
811
1215
  # Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
812
- # CloudTrail logs. The entry includes the [Subject][10] of the provided
1216
+ # CloudTrail logs. The entry includes the [Subject][14] of the provided
813
1217
  # Web Identity Token. We recommend that you avoid using any personally
814
1218
  # identifiable information (PII) in this field. For example, you could
815
1219
  # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
816
- # specification][11].
1220
+ # specification][15].
817
1221
  #
818
1222
  # For more information about how to use web identity federation and the
819
1223
  # `AssumeRoleWithWebIdentity` API, see the following resources:
820
1224
  #
821
- # * [Using Web Identity Federation APIs for Mobile Apps][12] and
822
- # [Federation Through a Web-based Identity Provider][13].
1225
+ # * [Using Web Identity Federation API Operations for Mobile Apps][16]
1226
+ # and [Federation Through a Web-based Identity Provider][17].
823
1227
  #
824
- # * [ Web Identity Federation Playground][14]. This interactive website
825
- # lets you walk through the process of authenticating via Login with
826
- # Amazon, Facebook, or Google, getting temporary security credentials,
827
- # and then using those credentials to make a request to AWS.
1228
+ # * [ Web Identity Federation Playground][18]. Walk through the process
1229
+ # of authenticating through Login with Amazon, Facebook, or Google,
1230
+ # getting temporary security credentials, and then using those
1231
+ # credentials to make a request to AWS.
828
1232
  #
829
- # * [AWS SDK for iOS][1] and [AWS SDK for Android][2]. These toolkits
830
- # contain sample apps that show how to invoke the identity providers,
831
- # and then how to use the information from these providers to get and
832
- # use temporary security credentials.
1233
+ # * [AWS SDK for iOS Developer Guide][1] and [AWS SDK for Android
1234
+ # Developer Guide][2]. These toolkits contain sample apps that show
1235
+ # how to invoke the identity providers. The toolkits then show how to
1236
+ # use the information from these providers to get and use temporary
1237
+ # security credentials.
833
1238
  #
834
- # * [Web Identity Federation with Mobile Applications][15]. This article
1239
+ # * [Web Identity Federation with Mobile Applications][19]. This article
835
1240
  # discusses web identity federation and shows an example of how to use
836
1241
  # web identity federation to get access to content in Amazon S3.
837
1242
  #
@@ -839,19 +1244,23 @@ module Aws::STS
839
1244
  #
840
1245
  # [1]: http://aws.amazon.com/sdkforios/
841
1246
  # [2]: http://aws.amazon.com/sdkforandroid/
842
- # [3]: http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
843
- # [4]: http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
844
- # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
845
- # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
846
- # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
847
- # [8]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
848
- # [9]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
849
- # [10]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
850
- # [11]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
851
- # [12]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
852
- # [13]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
853
- # [14]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
854
- # [15]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
1247
+ # [3]: https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
1248
+ # [4]: https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
1249
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1250
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1251
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1252
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
1253
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1254
+ # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
1255
+ # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
1256
+ # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
1257
+ # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
1258
+ # [14]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
1259
+ # [15]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
1260
+ # [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
1261
+ # [17]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1262
+ # [18]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
1263
+ # [19]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
855
1264
  #
856
1265
  # @option params [required, String] :role_arn
857
1266
  # The Amazon Resource Name (ARN) of the role that the caller is
@@ -888,38 +1297,73 @@ module Aws::STS
888
1297
  #
889
1298
  # Do not specify this value for OpenID Connect ID tokens.
890
1299
  #
891
- # @option params [String] :policy
892
- # An IAM policy in JSON format.
893
- #
894
- # The policy parameter is optional. If you pass a policy, the temporary
895
- # security credentials that are returned by the operation have the
896
- # permissions that are allowed by both the access policy of the role
897
- # that is being assumed, <i> <b>and</b> </i> the policy that you pass.
898
- # This gives you a way to further restrict the permissions for the
899
- # resulting temporary security credentials. You cannot use the passed
900
- # policy to grant permissions that are in excess of those allowed by the
901
- # access policy of the role that is being assumed. For more information,
902
- # see [Permissions for AssumeRoleWithWebIdentity][1] in the *IAM User
903
- # Guide*.
1300
+ # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
1301
+ # The Amazon Resource Names (ARNs) of the IAM managed policies that you
1302
+ # want to use as managed session policies. The policies must exist in
1303
+ # the same account as the role.
904
1304
  #
905
- # The format for this parameter, as described by its regex pattern, is a
906
- # string of characters up to 2048 characters in length. The characters
1305
+ # This parameter is optional. You can provide up to 10 managed policy
1306
+ # ARNs. However, the plain text that you use for both inline and managed
1307
+ # session policies can't exceed 2,048 characters. For more information
1308
+ # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
1309
+ # Namespaces][1] in the AWS General Reference.
1310
+ #
1311
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1312
+ # tags into a packed binary format that has a separate limit. Your
1313
+ # request can fail for this limit even if your plain text meets the
1314
+ # other requirements. The `PackedPolicySize` response element indicates
1315
+ # by percentage how close the policies and tags for your request are to
1316
+ # the upper size limit.
1317
+ #
1318
+ # </note>
1319
+ #
1320
+ # Passing policies to this operation returns new temporary credentials.
1321
+ # The resulting session's permissions are the intersection of the
1322
+ # role's identity-based policy and the session policies. You can use
1323
+ # the role's temporary credentials in subsequent AWS API calls to
1324
+ # access resources in the account that owns the role. You cannot use
1325
+ # session policies to grant more permissions than those allowed by the
1326
+ # identity-based policy of the role that is being assumed. For more
1327
+ # information, see [Session Policies][2] in the *IAM User Guide*.
1328
+ #
1329
+ #
1330
+ #
1331
+ # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
1332
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1333
+ #
1334
+ # @option params [String] :policy
1335
+ # An IAM policy in JSON format that you want to use as an inline session
1336
+ # policy.
1337
+ #
1338
+ # This parameter is optional. Passing policies to this operation returns
1339
+ # new temporary credentials. The resulting session's permissions are
1340
+ # the intersection of the role's identity-based policy and the session
1341
+ # policies. You can use the role's temporary credentials in subsequent
1342
+ # AWS API calls to access resources in the account that owns the role.
1343
+ # You cannot use session policies to grant more permissions than those
1344
+ # allowed by the identity-based policy of the role that is being
1345
+ # assumed. For more information, see [Session Policies][1] in the *IAM
1346
+ # User Guide*.
1347
+ #
1348
+ # The plain text that you use for both inline and managed session
1349
+ # policies can't exceed 2,048 characters. The JSON policy characters
907
1350
  # can be any ASCII character from the space character to the end of the
908
- # valid character list (\\u0020-\\u00FF). It can also include the tab
909
- # (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1351
+ # valid character list (\\u0020 through \\u00FF). It can also include
1352
+ # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
910
1353
  # characters.
911
1354
  #
912
- # <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
913
- # internal conversion compresses it into a packed binary format with a
914
- # separate limit. The PackedPolicySize response element indicates by
915
- # percentage how close to the upper size limit the policy is, with 100%
916
- # equaling the maximum allowed size.
1355
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1356
+ # tags into a packed binary format that has a separate limit. Your
1357
+ # request can fail for this limit even if your plain text meets the
1358
+ # other requirements. The `PackedPolicySize` response element indicates
1359
+ # by percentage how close the policies and tags for your request are to
1360
+ # the upper size limit.
917
1361
  #
918
1362
  # </note>
919
1363
  #
920
1364
  #
921
1365
  #
922
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
1366
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
923
1367
  #
924
1368
  # @option params [Integer] :duration_seconds
925
1369
  # The duration, in seconds, of the role session. The value can range
@@ -932,7 +1376,7 @@ module Aws::STS
932
1376
  # see [View the Maximum Session Duration Setting for a Role][1] in the
933
1377
  # *IAM User Guide*.
934
1378
  #
935
- # By default, the value is set to 3600 seconds.
1379
+ # By default, the value is set to `3600` seconds.
936
1380
  #
937
1381
  # <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
938
1382
  # console session that you might request using the returned credentials.
@@ -946,8 +1390,8 @@ module Aws::STS
946
1390
  #
947
1391
  #
948
1392
  #
949
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
950
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
1393
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
1394
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
951
1395
  #
952
1396
  # @return [Types::AssumeRoleWithWebIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
953
1397
  #
@@ -963,6 +1407,7 @@ module Aws::STS
963
1407
  #
964
1408
  # resp = client.assume_role_with_web_identity({
965
1409
  # duration_seconds: 3600,
1410
+ # policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
966
1411
  # provider_id: "www.amazon.com",
967
1412
  # role_arn: "arn:aws:iam::123456789012:role/FederatedWebIdentityRole",
968
1413
  # role_session_name: "app1",
@@ -994,6 +1439,11 @@ module Aws::STS
994
1439
  # role_session_name: "roleSessionNameType", # required
995
1440
  # web_identity_token: "clientTokenType", # required
996
1441
  # provider_id: "urlType",
1442
+ # policy_arns: [
1443
+ # {
1444
+ # arn: "arnType",
1445
+ # },
1446
+ # ],
997
1447
  # policy: "sessionPolicyDocumentType",
998
1448
  # duration_seconds: 1,
999
1449
  # })
@@ -1024,21 +1474,22 @@ module Aws::STS
1024
1474
  # request from an encoded message returned in response to an AWS
1025
1475
  # request.
1026
1476
  #
1027
- # For example, if a user is not authorized to perform an action that he
1028
- # or she has requested, the request returns a
1477
+ # For example, if a user is not authorized to perform an operation that
1478
+ # he or she has requested, the request returns a
1029
1479
  # `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
1030
- # AWS actions additionally return an encoded message that can provide
1480
+ # AWS operations additionally return an encoded message that can provide
1031
1481
  # details about this authorization failure.
1032
1482
  #
1033
- # <note markdown="1"> Only certain AWS actions return an encoded authorization message. The
1034
- # documentation for an individual action indicates whether that action
1035
- # returns an encoded message in addition to returning an HTTP code.
1483
+ # <note markdown="1"> Only certain AWS operations return an encoded authorization message.
1484
+ # The documentation for an individual operation indicates whether that
1485
+ # operation returns an encoded message in addition to returning an HTTP
1486
+ # code.
1036
1487
  #
1037
1488
  # </note>
1038
1489
  #
1039
1490
  # The message is encoded because the details of the authorization status
1040
1491
  # can constitute privileged information that the user who requested the
1041
- # action should not see. To decode an authorization status message, a
1492
+ # operation should not see. To decode an authorization status message, a
1042
1493
  # user must be granted permissions via an IAM policy to request the
1043
1494
  # `DecodeAuthorizationMessage` (`sts:DecodeAuthorizationMessage`)
1044
1495
  # action.
@@ -1059,7 +1510,7 @@ module Aws::STS
1059
1510
  #
1060
1511
  #
1061
1512
  #
1062
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
1513
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
1063
1514
  #
1064
1515
  # @option params [required, String] :encoded_message
1065
1516
  # The encoded message that was returned with the response.
@@ -1099,8 +1550,82 @@ module Aws::STS
1099
1550
  req.send_request(options)
1100
1551
  end
1101
1552
 
1102
- # Returns details about the IAM identity whose credentials are used to
1103
- # call the API.
1553
+ # Returns the account identifier for the specified access key ID.
1554
+ #
1555
+ # Access keys consist of two parts: an access key ID (for example,
1556
+ # `AKIAIOSFODNN7EXAMPLE`) and a secret access key (for example,
1557
+ # `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`). For more information
1558
+ # about access keys, see [Managing Access Keys for IAM Users][1] in the
1559
+ # *IAM User Guide*.
1560
+ #
1561
+ # When you pass an access key ID to this operation, it returns the ID of
1562
+ # the AWS account to which the keys belong. Access key IDs beginning
1563
+ # with `AKIA` are long-term credentials for an IAM user or the AWS
1564
+ # account root user. Access key IDs beginning with `ASIA` are temporary
1565
+ # credentials that are created using STS operations. If the account in
1566
+ # the response belongs to you, you can sign in as the root user and
1567
+ # review your root user access keys. Then, you can pull a [credentials
1568
+ # report][2] to learn which IAM user owns the keys. To learn who
1569
+ # requested the temporary credentials for an `ASIA` access key, view the
1570
+ # STS events in your [CloudTrail logs][3] in the *IAM User Guide*.
1571
+ #
1572
+ # This operation does not indicate the state of the access key. The key
1573
+ # might be active, inactive, or deleted. Active keys might not have
1574
+ # permissions to perform an operation. Providing a deleted access key
1575
+ # might return an error that the key doesn't exist.
1576
+ #
1577
+ #
1578
+ #
1579
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
1580
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
1581
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
1582
+ #
1583
+ # @option params [required, String] :access_key_id
1584
+ # The identifier of an access key.
1585
+ #
1586
+ # This parameter allows (through its regex pattern) a string of
1587
+ # characters that can consist of any upper- or lowercase letter or
1588
+ # digit.
1589
+ #
1590
+ # @return [Types::GetAccessKeyInfoResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1591
+ #
1592
+ # * {Types::GetAccessKeyInfoResponse#account #account} => String
1593
+ #
1594
+ # @example Request syntax with placeholder values
1595
+ #
1596
+ # resp = client.get_access_key_info({
1597
+ # access_key_id: "accessKeyIdType", # required
1598
+ # })
1599
+ #
1600
+ # @example Response structure
1601
+ #
1602
+ # resp.account #=> String
1603
+ #
1604
+ # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo AWS API Documentation
1605
+ #
1606
+ # @overload get_access_key_info(params = {})
1607
+ # @param [Hash] params ({})
1608
+ def get_access_key_info(params = {}, options = {})
1609
+ req = build_request(:get_access_key_info, params)
1610
+ req.send_request(options)
1611
+ end
1612
+
1613
+ # Returns details about the IAM user or role whose credentials are used
1614
+ # to call the operation.
1615
+ #
1616
+ # <note markdown="1"> No permissions are required to perform this operation. If an
1617
+ # administrator adds a policy to your IAM user or role that explicitly
1618
+ # denies access to the `sts:GetCallerIdentity` action, you can still
1619
+ # perform this operation. Permissions are not required because the same
1620
+ # information is returned when an IAM user or role is denied access. To
1621
+ # view an example response, see [I Am Not Authorized to Perform:
1622
+ # iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
1623
+ #
1624
+ # </note>
1625
+ #
1626
+ #
1627
+ #
1628
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
1104
1629
  #
1105
1630
  # @return [Types::GetCallerIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1106
1631
  #
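Review bot: The new `get_access_key_info` docstring (lines after `@@ -1099,8 +1550,82 @@`) never says what authorization the call needs, while the neighbouring `get_caller_identity` docstring that is rewritten in the same hunk stresses that *no* permissions are required, so a reader comparing the two is likely to assume the same for the new operation. As far as I recall this call is gated by its own `sts:GetAccessKeyInfo` action, so I would add a sentence right after "Returns the account identifier for the specified access key ID.": `# The calling principal must be allowed the \`sts:GetAccessKeyInfo\` action; unlike \`GetCallerIdentity\`, this is not a permission-free operation.` It would also help incident responders to state that the returned account ID is the key owner's account, not the caller's, so an `ASIA`/`AKIA` ID found in a leak can be attributed without any access to the owning account — the current text only implies this. Since this file looks generated from the service API model (`@see`/`@overload` stanzas), the wording fix probably belongs in the upstream model docs rather than a hand edit here. The `get_caller_identity` docstring that ends this hunk continues outside it.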
@@ -1173,97 +1698,106 @@ module Aws::STS
1173
1698
  # access key ID, a secret access key, and a security token) for a
1174
1699
  # federated user. A typical use is in a proxy application that gets
1175
1700
  # temporary security credentials on behalf of distributed applications
1176
- # inside a corporate network. Because you must call the
1177
- # `GetFederationToken` action using the long-term security credentials
1178
- # of an IAM user, this call is appropriate in contexts where those
1179
- # credentials can be safely stored, usually in a server-based
1180
- # application. For a comparison of `GetFederationToken` with the other
1181
- # APIs that produce temporary credentials, see [Requesting Temporary
1182
- # Security Credentials][1] and [Comparing the AWS STS APIs][2] in the
1701
+ # inside a corporate network. You must call the `GetFederationToken`
1702
+ # operation using the long-term security credentials of an IAM user. As
1703
+ # a result, this call is appropriate in contexts where those credentials
1704
+ # can be safely stored, usually in a server-based application. For a
1705
+ # comparison of `GetFederationToken` with the other API operations that
1706
+ # produce temporary credentials, see [Requesting Temporary Security
1707
+ # Credentials][1] and [Comparing the AWS STS API operations][2] in the
1183
1708
  # *IAM User Guide*.
1184
1709
  #
1185
- # <note markdown="1"> If you are creating a mobile-based or browser-based app that can
1710
+ # <note markdown="1"> You can create a mobile-based or browser-based app that can
1186
1711
  # authenticate users using a web identity provider like Login with
1187
1712
  # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
1188
- # provider, we recommend that you use [Amazon Cognito][3] or
1189
- # `AssumeRoleWithWebIdentity`. For more information, see [Federation
1190
- # Through a Web-based Identity Provider][4].
1713
+ # provider. In this case, we recommend that you use [Amazon Cognito][3]
1714
+ # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
1715
+ # Through a Web-based Identity Provider][4] in the *IAM User Guide*.
1191
1716
  #
1192
1717
  # </note>
1193
1718
  #
1194
- # The `GetFederationToken` action must be called by using the long-term
1195
- # AWS security credentials of an IAM user. You can also call
1196
- # `GetFederationToken` using the security credentials of an AWS root
1197
- # account, but we do not recommended it. Instead, we recommend that you
1198
- # create an IAM user for the purpose of the proxy application and then
1199
- # attach a policy to the IAM user that limits federated users to only
1200
- # the actions and resources that they need access to. For more
1201
- # information, see [IAM Best Practices][5] in the *IAM User Guide*.
1202
- #
1203
- # The temporary security credentials that are obtained by using the
1204
- # long-term credentials of an IAM user are valid for the specified
1205
- # duration, from 900 seconds (15 minutes) up to a maximium of 129600
1206
- # seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
1207
- # credentials that are obtained by using AWS root account credentials
1208
- # have a maximum duration of 3600 seconds (1 hour).
1209
- #
1210
- # The temporary security credentials created by `GetFederationToken` can
1211
- # be used to make API calls to any AWS service with the following
1212
- # exceptions:
1719
+ # You can also call `GetFederationToken` using the security credentials
1720
+ # of an AWS account root user, but we do not recommend it. Instead, we
1721
+ # recommend that you create an IAM user for the purpose of the proxy
1722
+ # application. Then attach a policy to the IAM user that limits
1723
+ # federated users to only the actions and resources that they need to
1724
+ # access. For more information, see [IAM Best Practices][5] in the *IAM
1725
+ # User Guide*.
1213
1726
  #
1214
- # * You cannot use these credentials to call any IAM APIs.
1727
+ # **Session duration**
1215
1728
  #
1216
- # * You cannot call any STS APIs except `GetCallerIdentity`.
1729
+ # The temporary credentials are valid for the specified duration, from
1730
+ # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1731
+ # hours). The default session duration is 43,200 seconds (12 hours).
1732
+ # Temporary credentials that are obtained by using AWS account root user
1733
+ # credentials have a maximum duration of 3,600 seconds (1 hour).
1217
1734
  #
1218
1735
  # **Permissions**
1219
1736
  #
1220
- # The permissions for the temporary security credentials returned by
1221
- # `GetFederationToken` are determined by a combination of the following:
1222
- #
1223
- # * The policy or policies that are attached to the IAM user whose
1224
- # credentials are used to call `GetFederationToken`.
1225
- #
1226
- # * The policy that is passed as a parameter in the call.
1227
- #
1228
- # The passed policy is attached to the temporary security credentials
1229
- # that result from the `GetFederationToken` API call--that is, to the
1230
- # *federated user*. When the federated user makes an AWS request, AWS
1231
- # evaluates the policy attached to the federated user in combination
1232
- # with the policy or policies attached to the IAM user whose credentials
1233
- # were used to call `GetFederationToken`. AWS allows the federated
1234
- # user's request only when both the federated user <i> <b>and</b> </i>
1235
- # the IAM user are explicitly allowed to perform the requested action.
1236
- # The passed policy cannot grant more permissions than those that are
1237
- # defined in the IAM user policy.
1238
- #
1239
- # A typical use case is that the permissions of the IAM user whose
1240
- # credentials are used to call `GetFederationToken` are designed to
1241
- # allow access to all the actions and resources that any federated user
1242
- # will need. Then, for individual users, you pass a policy to the
1243
- # operation that scopes down the permissions to a level that's
1244
- # appropriate to that individual user, using a policy that allows only a
1245
- # subset of permissions that are granted to the IAM user.
1246
- #
1247
- # If you do not pass a policy, the resulting temporary security
1248
- # credentials have no effective permissions. The only exception is when
1249
- # the temporary security credentials are used to access a resource that
1250
- # has a resource-based policy that specifically allows the federated
1251
- # user to access the resource.
1252
- #
1253
- # For more information about how permissions work, see [Permissions for
1254
- # GetFederationToken][6]. For information about using
1737
+ # You can use the temporary credentials created by `GetFederationToken`
1738
+ # in any AWS service except the following:
1739
+ #
1740
+ # * You cannot call any IAM operations using the AWS CLI or the AWS API.
1741
+ #
1742
+ # * You cannot call any STS operations except `GetCallerIdentity`.
1743
+ #
1744
+ # You must pass an inline or managed [session policy][6] to this
1745
+ # operation. You can pass a single JSON policy document to use as an
1746
+ # inline session policy. You can also specify up to 10 managed policies
1747
+ # to use as managed session policies. The plain text that you use for
1748
+ # both inline and managed session policies can't exceed 2,048
1749
+ # characters.
1750
+ #
1751
+ # Though the session policy parameters are optional, if you do not pass
1752
+ # a policy, then the resulting federated user session has no
1753
+ # permissions. When you pass session policies, the session permissions
1754
+ # are the intersection of the IAM user policies and the session policies
1755
+ # that you pass. This gives you a way to further restrict the
1756
+ # permissions for a federated user. You cannot use session policies to
1757
+ # grant more permissions than those that are defined in the permissions
1758
+ # policy of the IAM user. For more information, see [Session
1759
+ # Policies][6] in the *IAM User Guide*. For information about using
1255
1760
  # `GetFederationToken` to create temporary security credentials, see
1256
1761
  # [GetFederationToken—Federation Through a Custom Identity Broker][7].
1257
1762
  #
1763
+ # You can use the credentials to access a resource that has a
1764
+ # resource-based policy. If that policy specifically references the
1765
+ # federated user session in the `Principal` element of the policy, the
1766
+ # session has the permissions allowed by the policy. These permissions
1767
+ # are granted in addition to the permissions granted by the session
1768
+ # policies.
1258
1769
  #
1770
+ # **Tags**
1771
+ #
1772
+ # (Optional) You can pass tag key-value pairs to your session. These are
1773
+ # called session tags. For more information about session tags, see
1774
+ # [Passing Session Tags in STS][8] in the *IAM User Guide*.
1775
+ #
1776
+ # An administrator must grant you the permissions necessary to pass
1777
+ # session tags. The administrator can also create granular permissions
1778
+ # to allow you to pass only specific session tags. For more information,
1779
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
1780
+ # the *IAM User Guide*.
1259
1781
  #
1260
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1261
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1782
+ # Tag key–value pairs are not case sensitive, but case is preserved.
1783
+ # This means that you cannot have separate `Department` and `department`
1784
+ # tag keys. Assume that the user that you are federating has the
1785
+ # `Department`=`Marketing` tag and you pass the
1786
+ # `department`=`engineering` session tag. `Department` and `department`
1787
+ # are not saved as separate tags, and the session tag passed in the
1788
+ # request takes precedence over the user tag.
1789
+ #
1790
+ #
1791
+ #
1792
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1793
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1262
1794
  # [3]: http://aws.amazon.com/cognito/
1263
- # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1264
- # [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
1265
- # [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
1266
- # [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
1795
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1796
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
1797
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1798
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
1799
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
1800
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
1267
1801
  #
1268
1802
  # @option params [required, String] :name
1269
1803
  # The name of the federated user. The name is used as an identifier for
@@ -1277,53 +1811,143 @@ module Aws::STS
1277
1811
  # characters: =,.@-
1278
1812
  #
1279
1813
  # @option params [String] :policy
1280
- # An IAM policy in JSON format that is passed with the
1281
- # `GetFederationToken` call and evaluated along with the policy or
1282
- # policies that are attached to the IAM user whose credentials are used
1283
- # to call `GetFederationToken`. The passed policy is used to scope down
1284
- # the permissions that are available to the IAM user, by allowing only a
1285
- # subset of the permissions that are granted to the IAM user. The passed
1286
- # policy cannot grant more permissions than those granted to the IAM
1287
- # user. The final permissions for the federated user are the most
1288
- # restrictive set based on the intersection of the passed policy and the
1289
- # IAM user policy.
1290
- #
1291
- # If you do not pass a policy, the resulting temporary security
1292
- # credentials have no effective permissions. The only exception is when
1293
- # the temporary security credentials are used to access a resource that
1294
- # has a resource-based policy that specifically allows the federated
1295
- # user to access the resource.
1814
+ # An IAM policy in JSON format that you want to use as an inline session
1815
+ # policy.
1816
+ #
1817
+ # You must pass an inline or managed [session policy][1] to this
1818
+ # operation. You can pass a single JSON policy document to use as an
1819
+ # inline session policy. You can also specify up to 10 managed policies
1820
+ # to use as managed session policies.
1821
+ #
1822
+ # This parameter is optional. However, if you do not pass any session
1823
+ # policies, then the resulting federated user session has no
1824
+ # permissions.
1825
+ #
1826
+ # When you pass session policies, the session permissions are the
1827
+ # intersection of the IAM user policies and the session policies that
1828
+ # you pass. This gives you a way to further restrict the permissions for
1829
+ # a federated user. You cannot use session policies to grant more
1830
+ # permissions than those that are defined in the permissions policy of
1831
+ # the IAM user. For more information, see [Session Policies][1] in the
1832
+ # *IAM User Guide*.
1296
1833
  #
1297
- # The format for this parameter, as described by its regex pattern, is a
1298
- # string of characters up to 2048 characters in length. The characters
1834
+ # The resulting credentials can be used to access a resource that has a
1835
+ # resource-based policy. If that policy specifically references the
1836
+ # federated user session in the `Principal` element of the policy, the
1837
+ # session has the permissions allowed by the policy. These permissions
1838
+ # are granted in addition to the permissions that are granted by the
1839
+ # session policies.
1840
+ #
1841
+ # The plain text that you use for both inline and managed session
1842
+ # policies can't exceed 2,048 characters. The JSON policy characters
1299
1843
  # can be any ASCII character from the space character to the end of the
1300
- # valid character list (\\u0020-\\u00FF). It can also include the tab
1301
- # (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1844
+ # valid character list (\\u0020 through \\u00FF). It can also include
1845
+ # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1302
1846
  # characters.
1303
1847
  #
1304
- # <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
1305
- # internal conversion compresses it into a packed binary format with a
1306
- # separate limit. The PackedPolicySize response element indicates by
1307
- # percentage how close to the upper size limit the policy is, with 100%
1308
- # equaling the maximum allowed size.
1848
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1849
+ # tags into a packed binary format that has a separate limit. Your
1850
+ # request can fail for this limit even if your plain text meets the
1851
+ # other requirements. The `PackedPolicySize` response element indicates
1852
+ # by percentage how close the policies and tags for your request are to
1853
+ # the upper size limit.
1309
1854
  #
1310
1855
  # </note>
1311
1856
  #
1312
- # For more information about how permissions work, see [Permissions for
1313
- # GetFederationToken][1].
1314
1857
  #
1315
1858
  #
1859
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1316
1860
  #
1317
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
1861
+ # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
1862
+ # The Amazon Resource Names (ARNs) of the IAM managed policies that you
1863
+ # want to use as a managed session policy. The policies must exist in
1864
+ # the same account as the IAM user that is requesting federated access.
1865
+ #
1866
+ # You must pass an inline or managed [session policy][1] to this
1867
+ # operation. You can pass a single JSON policy document to use as an
1868
+ # inline session policy. You can also specify up to 10 managed policies
1869
+ # to use as managed session policies. The plain text that you use for
1870
+ # both inline and managed session policies can't exceed 2,048
1871
+ # characters. You can provide up to 10 managed policy ARNs. For more
1872
+ # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
1873
+ # Service Namespaces][2] in the AWS General Reference.
1874
+ #
1875
+ # This parameter is optional. However, if you do not pass any session
1876
+ # policies, then the resulting federated user session has no
1877
+ # permissions.
1878
+ #
1879
+ # When you pass session policies, the session permissions are the
1880
+ # intersection of the IAM user policies and the session policies that
1881
+ # you pass. This gives you a way to further restrict the permissions for
1882
+ # a federated user. You cannot use session policies to grant more
1883
+ # permissions than those that are defined in the permissions policy of
1884
+ # the IAM user. For more information, see [Session Policies][1] in the
1885
+ # *IAM User Guide*.
1886
+ #
1887
+ # The resulting credentials can be used to access a resource that has a
1888
+ # resource-based policy. If that policy specifically references the
1889
+ # federated user session in the `Principal` element of the policy, the
1890
+ # session has the permissions allowed by the policy. These permissions
1891
+ # are granted in addition to the permissions that are granted by the
1892
+ # session policies.
1893
+ #
1894
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1895
+ # tags into a packed binary format that has a separate limit. Your
1896
+ # request can fail for this limit even if your plain text meets the
1897
+ # other requirements. The `PackedPolicySize` response element indicates
1898
+ # by percentage how close the policies and tags for your request are to
1899
+ # the upper size limit.
1900
+ #
1901
+ # </note>
1902
+ #
1903
+ #
1904
+ #
1905
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1906
+ # [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
1318
1907
  #
1319
1908
  # @option params [Integer] :duration_seconds
1320
1909
  # The duration, in seconds, that the session should last. Acceptable
1321
1910
  # durations for federation sessions range from 900 seconds (15 minutes)
1322
- # to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the
1323
- # default. Sessions obtained using AWS account (root) credentials are
1324
- # restricted to a maximum of 3600 seconds (one hour). If the specified
1325
- # duration is longer than one hour, the session obtained by using AWS
1326
- # account (root) credentials defaults to one hour.
1911
+ # to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
1912
+ # default. Sessions obtained using AWS account root user credentials are
1913
+ # restricted to a maximum of 3,600 seconds (one hour). If the specified
1914
+ # duration is longer than one hour, the session obtained by using root
1915
+ # user credentials defaults to one hour.
1916
+ #
1917
+ # @option params [Array<Types::Tag>] :tags
1918
+ # A list of session tags. Each session tag consists of a key name and an
1919
+ # associated value. For more information about session tags, see
1920
+ # [Passing Session Tags in STS][1] in the *IAM User Guide*.
1921
+ #
1922
+ # This parameter is optional. You can pass up to 50 session tags. The
1923
+ # plain text session tag keys can’t exceed 128 characters and the values
1924
+ # can’t exceed 256 characters. For these and additional limits, see [IAM
1925
+ # and STS Character Limits][2] in the *IAM User Guide*.
1926
+ #
1927
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1928
+ # tags into a packed binary format that has a separate limit. Your
1929
+ # request can fail for this limit even if your plain text meets the
1930
+ # other requirements. The `PackedPolicySize` response element indicates
1931
+ # by percentage how close the policies and tags for your request are to
1932
+ # the upper size limit.
1933
+ #
1934
+ # </note>
1935
+ #
1936
+ # You can pass a session tag with the same key as a tag that is already
1937
+ # attached to the user you are federating. When you do, session tags
1938
+ # override a user tag with the same key.
1939
+ #
1940
+ # Tag key–value pairs are not case sensitive, but case is preserved.
1941
+ # This means that you cannot have separate `Department` and `department`
1942
+ # tag keys. Assume that the role has the `Department`=`Marketing` tag
1943
+ # and you pass the `department`=`engineering` session tag. `Department`
1944
+ # and `department` are not saved as separate tags, and the session tag
1945
+ # passed in the request takes precedence over the role tag.
1946
+ #
1947
+ #
1948
+ #
1949
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
1950
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
1327
1951
  #
1328
1952
  # @return [Types::GetFederationTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1329
1953
  #
@@ -1336,8 +1960,18 @@ module Aws::STS
1336
1960
  #
1337
1961
  # resp = client.get_federation_token({
1338
1962
  # duration_seconds: 3600,
1339
- # name: "Bob",
1340
- # policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}",
1963
+ # name: "testFedUserSession",
1964
+ # policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
1965
+ # tags: [
1966
+ # {
1967
+ # key: "Project",
1968
+ # value: "Pegasus",
1969
+ # },
1970
+ # {
1971
+ # key: "Cost-Center",
1972
+ # value: "98765",
1973
+ # },
1974
+ # ],
1341
1975
  # })
1342
1976
  #
1343
1977
  # resp.to_h outputs the following:
@@ -1352,7 +1986,7 @@ module Aws::STS
1352
1986
  # arn: "arn:aws:sts::123456789012:federated-user/Bob",
1353
1987
  # federated_user_id: "123456789012:Bob",
1354
1988
  # },
1355
- # packed_policy_size: 6,
1989
+ # packed_policy_size: 8,
1356
1990
  # }
1357
1991
  #
1358
1992
  # @example Request syntax with placeholder values
@@ -1360,7 +1994,18 @@ module Aws::STS
1360
1994
  # resp = client.get_federation_token({
1361
1995
  # name: "userNameType", # required
1362
1996
  # policy: "sessionPolicyDocumentType",
1997
+ # policy_arns: [
1998
+ # {
1999
+ # arn: "arnType",
2000
+ # },
2001
+ # ],
1363
2002
  # duration_seconds: 1,
2003
+ # tags: [
2004
+ # {
2005
+ # key: "tagKeyType", # required
2006
+ # value: "tagValueType", # required
2007
+ # },
2008
+ # ],
1364
2009
  # })
1365
2010
  #
1366
2011
  # @example Response structure
@@ -1385,50 +2030,55 @@ module Aws::STS
1385
2030
  # Returns a set of temporary credentials for an AWS account or IAM user.
1386
2031
  # The credentials consist of an access key ID, a secret access key, and
1387
2032
  # a security token. Typically, you use `GetSessionToken` if you want to
1388
- # use MFA to protect programmatic calls to specific AWS APIs like Amazon
1389
- # EC2 `StopInstances`. MFA-enabled IAM users would need to call
1390
- # `GetSessionToken` and submit an MFA code that is associated with their
1391
- # MFA device. Using the temporary security credentials that are returned
1392
- # from the call, IAM users can then make programmatic calls to APIs that
1393
- # require MFA authentication. If you do not supply a correct MFA code,
1394
- # then the API returns an access denied error. For a comparison of
1395
- # `GetSessionToken` with the other APIs that produce temporary
1396
- # credentials, see [Requesting Temporary Security Credentials][1] and
1397
- # [Comparing the AWS STS APIs][2] in the *IAM User Guide*.
1398
- #
1399
- # The `GetSessionToken` action must be called by using the long-term AWS
1400
- # security credentials of the AWS account or an IAM user. Credentials
1401
- # that are created by IAM users are valid for the duration that you
1402
- # specify, from 900 seconds (15 minutes) up to a maximum of 129600
1403
- # seconds (36 hours), with a default of 43200 seconds (12 hours);
1404
- # credentials that are created by using account credentials can range
1405
- # from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1
1406
- # hour), with a default of 1 hour.
2033
+ # use MFA to protect programmatic calls to specific AWS API operations
2034
+ # like Amazon EC2 `StopInstances`. MFA-enabled IAM users would need to
2035
+ # call `GetSessionToken` and submit an MFA code that is associated with
2036
+ # their MFA device. Using the temporary security credentials that are
2037
+ # returned from the call, IAM users can then make programmatic calls to
2038
+ # API operations that require MFA authentication. If you do not supply a
2039
+ # correct MFA code, then the API returns an access denied error. For a
2040
+ # comparison of `GetSessionToken` with the other API operations that
2041
+ # produce temporary credentials, see [Requesting Temporary Security
2042
+ # Credentials][1] and [Comparing the AWS STS API operations][2] in the
2043
+ # *IAM User Guide*.
2044
+ #
2045
+ # **Session Duration**
2046
+ #
2047
+ # The `GetSessionToken` operation must be called by using the long-term
2048
+ # AWS security credentials of the AWS account root user or an IAM user.
2049
+ # Credentials that are created by IAM users are valid for the duration
2050
+ # that you specify. This duration can range from 900 seconds (15
2051
+ # minutes) up to a maximum of 129,600 seconds (36 hours), with a default
2052
+ # of 43,200 seconds (12 hours). Credentials based on account credentials
2053
+ # can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour),
2054
+ # with a default of 1 hour.
2055
+ #
2056
+ # **Permissions**
1407
2057
  #
1408
2058
  # The temporary security credentials created by `GetSessionToken` can be
1409
2059
  # used to make API calls to any AWS service with the following
1410
2060
  # exceptions:
1411
2061
  #
1412
- # * You cannot call any IAM APIs unless MFA authentication information
1413
- # is included in the request.
2062
+ # * You cannot call any IAM API operations unless MFA authentication
2063
+ # information is included in the request.
1414
2064
  #
1415
2065
  # * You cannot call any STS API *except* `AssumeRole` or
1416
2066
  # `GetCallerIdentity`.
1417
2067
  #
1418
- # <note markdown="1"> We recommend that you do not call `GetSessionToken` with root account
1419
- # credentials. Instead, follow our [best practices][3] by creating one
1420
- # or more IAM users, giving them the necessary permissions, and using
1421
- # IAM users for everyday interaction with AWS.
2068
+ # <note markdown="1"> We recommend that you do not call `GetSessionToken` with AWS account
2069
+ # root user credentials. Instead, follow our [best practices][3] by
2070
+ # creating one or more IAM users, giving them the necessary permissions,
2071
+ # and using IAM users for everyday interaction with AWS.
1422
2072
  #
1423
2073
  # </note>
1424
2074
  #
1425
- # The permissions associated with the temporary security credentials
1426
- # returned by `GetSessionToken` are based on the permissions associated
1427
- # with account or IAM user whose credentials are used to call the
1428
- # action. If `GetSessionToken` is called using root account credentials,
1429
- # the temporary credentials have root account permissions. Similarly, if
1430
- # `GetSessionToken` is called using the credentials of an IAM user, the
1431
- # temporary credentials have the same permissions as the IAM user.
2075
+ # The credentials that are returned by `GetSessionToken` are based on
2076
+ # permissions associated with the user whose credentials were used to
2077
+ # call the operation. If `GetSessionToken` is called using AWS account
2078
+ # root user credentials, the temporary credentials have root user
2079
+ # permissions. Similarly, if `GetSessionToken` is called using the
2080
+ # credentials of an IAM user, the temporary credentials have the same
2081
+ # permissions as the IAM user.
1432
2082
  #
1433
2083
  # For more information about using `GetSessionToken` to create temporary
1434
2084
  # credentials, go to [Temporary Credentials for Users in Untrusted
@@ -1436,18 +2086,18 @@ module Aws::STS
1436
2086
  #
1437
2087
  #
1438
2088
  #
1439
- # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
1440
- # [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
1441
- # [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
1442
- # [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
2089
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
2090
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
2091
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
2092
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
1443
2093
  #
1444
2094
  # @option params [Integer] :duration_seconds
1445
2095
  # The duration, in seconds, that the credentials should remain valid.
1446
2096
  # Acceptable durations for IAM user sessions range from 900 seconds (15
1447
- # minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours)
2097
+ # minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
1448
2098
  # as the default. Sessions for AWS account owners are restricted to a
1449
- # maximum of 3600 seconds (one hour). If the duration is longer than one
1450
- # hour, the session for AWS account owners defaults to one hour.
2099
+ # maximum of 3,600 seconds (one hour). If the duration is longer than
2100
+ # one hour, the session for AWS account owners defaults to one hour.
1451
2101
  #
1452
2102
  # @option params [String] :serial_number
1453
2103
  # The identification number of the MFA device that is associated with
@@ -1459,7 +2109,7 @@ module Aws::STS
1459
2109
  # device for an IAM user by going to the AWS Management Console and
1460
2110
  # viewing the user's security credentials.
1461
2111
  #
1462
- # The regex used to validated this parameter is a string of characters
2112
+ # The regex used to validate this parameter is a string of characters
1463
2113
  # consisting of upper- and lower-case alphanumeric characters with no
1464
2114
  # spaces. You can also include underscores or any of the following
1465
2115
  # characters: =,.@:/-
@@ -1467,9 +2117,9 @@ module Aws::STS
1467
2117
  # @option params [String] :token_code
1468
2118
  # The value provided by the MFA device, if MFA is required. If any
1469
2119
  # policy requires the IAM user to submit an MFA code, specify this
1470
- # value. If MFA authentication is required, and the user does not
1471
- # provide a code when requesting a set of temporary security
1472
- # credentials, the user will receive an "access denied" response when
2120
+ # value. If MFA authentication is required, the user must provide a code
2121
+ # when requesting a set of temporary security credentials. A user who
2122
+ # fails to provide the code receives an "access denied" response when
1473
2123
  # requesting resources that require MFA authentication.
1474
2124
  #
1475
2125
  # The format for this parameter, as described by its regex pattern, is a
@@ -1535,7 +2185,7 @@ module Aws::STS
1535
2185
  params: params,
1536
2186
  config: config)
1537
2187
  context[:gem_name] = 'aws-sdk-core'
1538
- context[:gem_version] = '3.46.0'
2188
+ context[:gem_version] = '3.94.0'
1539
2189
  Seahorse::Client::Request.new(handlers, context)
1540
2190
  end
1541
2191