aws-sdk-core 3.50.0 → 3.51.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: d00808ae9ba43d63284f7ffd2573f1fd49a89d30
4
- data.tar.gz: 37e62e1a50ac55085d58cd7dd9346c15e8861faf
3
+ metadata.gz: bae23abccbe717b9ab14dd9177806e877d9536cf
4
+ data.tar.gz: c1f807ed12fdc2040c83049b053f5db6cecc4f5e
5
5
  SHA512:
6
- metadata.gz: 4dc0a4e73a7454ac9e7c871aa7212157c40224a3a1ddf4a8e0b01f719dd6451833c2df2ad1222de6a18f05a80991079d996c4cc77b0e1df1a45cbc0446f086e6
7
- data.tar.gz: 415989fbe8d6e4df04863a6a352f4f9d30efdf1b6d7e2a67dbadc3bb8ea872a0b768fa1b9296796ca3524f6e95c9d7cd1435e11c1e77e43dc52fd60af052a510
6
+ metadata.gz: 3b7b9f34e7a03085ea4c0177cf98165e73e4bb7d75c00324f802582c116af9a611d2a0138879470f3fb1a8313b484ee525a77e3d0ffee165000dae5eec6cd23e
7
+ data.tar.gz: c76c357125d112841a879b44bc5865e351b9dbf7f9de3e97a38fba0bd4e8b1fd2f725067ec6a47383b434702c8a652c4980191572527d87773ed44d1a62b0f5d
data/VERSION CHANGED
@@ -1 +1 @@
1
- 3.50.0
1
+ 3.51.0
@@ -40,6 +40,6 @@ require_relative 'aws-sdk-sts/customizations'
40
40
  # @service
41
41
  module Aws::STS
42
42
 
43
- GEM_VERSION = '3.50.0'
43
+ GEM_VERSION = '3.51.0'
44
44
 
45
45
  end
@@ -251,8 +251,8 @@ module Aws::STS
251
251
  # Returns a set of temporary security credentials that you can use to
252
252
  # access AWS resources that you might not normally have access to. These
253
253
  # temporary credentials consist of an access key ID, a secret access
254
- # key, and a security token. Typically, you use `AssumeRole` for
255
- # cross-account access or federation. For a comparison of `AssumeRole`
254
+ # key, and a security token. Typically, you use `AssumeRole` within your
255
+ # account or for cross-account access. For a comparison of `AssumeRole`
256
256
  # with other API operations that produce temporary credentials, see
257
257
  # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
258
258
  # STS API operations][2] in the *IAM User Guide*.
@@ -266,21 +266,10 @@ module Aws::STS
266
266
  # credentials in each account to access those resources. However,
267
267
  # managing all those credentials and remembering which one can access
268
268
  # which account can be time consuming. Instead, you can create one set
269
- # of long-term credentials in one account and then use temporary
270
- # security credentials to access all the other accounts by assuming
271
- # roles in those accounts. For more information about roles, see [IAM
272
- # Roles (Delegation and Federation)][3] in the *IAM User Guide*.
273
- #
274
- # For federation, you can, for example, grant single sign-on access to
275
- # the AWS Management Console. If you already have an identity and
276
- # authentication system in your network, you don't have to recreate
277
- # identities in AWS in order to grant them access to AWS. Instead, after
278
- # a user has been authenticated, you call `AssumeRole` (and specify the
279
- # role with the appropriate permissions) to get temporary security
280
- # credentials for that user. With those temporary security credentials,
281
- # you construct a sign-in URL from which users can access the console.
282
- # For more information, see [Common Scenarios for Temporary
283
- # Credentials][4] in the *IAM User Guide*.
269
+ # of long-term credentials in one account. Then use temporary security
270
+ # credentials to access all the other accounts by assuming roles in
271
+ # those accounts. For more information about roles, see [IAM Roles][3]
272
+ # in the *IAM User Guide*.
284
273
  #
285
274
  # By default, the temporary security credentials created by `AssumeRole`
286
275
  # last for one hour. However, you can use the optional `DurationSeconds`
@@ -288,63 +277,67 @@ module Aws::STS
288
277
  # value from 900 seconds (15 minutes) up to the maximum session duration
289
278
  # setting for the role. This setting can have a value from 1 hour to 12
290
279
  # hours. To learn how to view the maximum value for your role, see [View
291
- # the Maximum Session Duration Setting for a Role][5] in the *IAM User
280
+ # the Maximum Session Duration Setting for a Role][4] in the *IAM User
292
281
  # Guide*. The maximum session duration limit applies when you use the
293
282
  # `AssumeRole*` API operations or the `assume-role*` CLI commands.
294
283
  # However the limit does not apply when you use those operations to
295
- # create a console URL. For more information, see [Using IAM Roles][6]
284
+ # create a console URL. For more information, see [Using IAM Roles][5]
296
285
  # in the *IAM User Guide*.
297
286
  #
298
287
  # The temporary security credentials created by `AssumeRole` can be used
299
288
  # to make API calls to any AWS service with the following exception: You
300
- # cannot call the AWS STS service's `GetFederationToken` or
301
- # `GetSessionToken` API operations.
302
- #
303
- # (Optional) You can pass an IAM permissions policy to this operation.
304
- # If you pass a policy to this operation, the resulting temporary
305
- # credentials have the permissions of the assumed role *and* the policy
306
- # that you pass. This gives you a way to further restrict the
307
- # permissions for the resulting temporary security credentials. You
308
- # cannot use the passed policy to grant permissions that are in excess
309
- # of those allowed by the permissions policy of the role that is being
310
- # assumed. For more information, see [ Permissions for AssumeRole,
311
- # AssumeRoleWithSAML, and AssumeRoleWithWebIdentity ][7] in the *IAM
289
+ # cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
290
+ # operations.
291
+ #
292
+ # (Optional) You can pass inline or managed [session policies][6] to
293
+ # this operation. You can pass a single JSON policy document to use as
294
+ # an inline session policy. You can also specify up to 10 managed
295
+ # policies to use as managed session policies. The plain text that you
296
+ # use for both inline and managed session policies shouldn't exceed
297
+ # 2048 characters. Passing policies to this operation returns new
298
+ # temporary credentials. The resulting session's permissions are the
299
+ # intersection of the role's identity-based policy and the session
300
+ # policies. You can use the role's temporary credentials in subsequent
301
+ # AWS API calls to access resources in the account that owns the role.
302
+ # You cannot use session policies to grant more permissions than those
303
+ # allowed by the identity-based policy of the role that is being
304
+ # assumed. For more information, see [Session Policies][7] in the *IAM
312
305
  # User Guide*.
313
306
  #
314
- # To assume a role, your AWS account must be trusted by the role. The
315
- # trust relationship is defined in the role's trust policy when the
316
- # role is created. That trust policy states which accounts are allowed
317
- # to delegate access to this account's role.
307
+ # To assume a role from a different account, your AWS account must be
308
+ # trusted by the role. The trust relationship is defined in the role's
309
+ # trust policy when the role is created. That trust policy states which
310
+ # accounts are allowed to delegate that access to users in the account.
318
311
  #
319
- # The user who wants to access the role must also have permissions
320
- # delegated from the role's administrator. If the user and the role are
321
- # in a different account, then the user's administrator must attach a
322
- # policy. That attached policy must allow the user to call `AssumeRole`
323
- # for the ARN of the role in the other account. If the user is in the
324
- # same account as the role, then you can do either of the following:
312
+ # A user who wants to access a role in a different account must also
313
+ # have permissions that are delegated from the user account
314
+ # administrator. The administrator must attach a policy that allows the
315
+ # user to call `AssumeRole` for the ARN of the role in the other
316
+ # account. If the user is in the same account as the role, then you can
317
+ # do either of the following:
325
318
  #
326
319
  # * Attach a policy to the user (identical to the previous user in a
327
- # different account)
320
+ # different account).
328
321
  #
329
322
  # * Add the user as a principal directly in the role's trust policy.
330
323
  #
331
- # In this case, the trust policy acts as the only resource-based policy
332
- # in IAM. Users in the same account as the role do not need explicit
333
- # permission to assume the role. For more information about trust
334
- # policies and resource-based policies, see [IAM Policies][8] in the
335
- # *IAM User Guide*.
324
+ # In this case, the trust policy acts as an IAM resource-based policy.
325
+ # Users in the same account as the role do not need explicit permission
326
+ # to assume the role. For more information about trust policies and
327
+ # resource-based policies, see [IAM Policies][8] in the *IAM User
328
+ # Guide*.
336
329
  #
337
330
  # **Using MFA with AssumeRole**
338
331
  #
339
332
  # (Optional) You can include multi-factor authentication (MFA)
340
333
  # information when you call `AssumeRole`. This is useful for
341
- # cross-account scenarios in which you want to make sure that the user
342
- # who is assuming the role has been authenticated using an AWS MFA
343
- # device. In that scenario, the trust policy of the role being assumed
344
- # includes a condition that tests for MFA authentication. If the caller
345
- # does not include valid MFA information, the request to assume the role
346
- # is denied. The condition in a trust policy that tests for MFA
347
- # authentication might look like the following example.
334
+ # cross-account scenarios to ensure that the user that assumes the role
335
+ # has been authenticated with an AWS MFA device. In that scenario, the
336
+ # trust policy of the role being assumed includes a condition that tests
337
+ # for MFA authentication. If the caller does not include valid MFA
338
+ # information, the request to assume the role is denied. The condition
339
+ # in a trust policy that tests for MFA authentication might look like
340
+ # the following example.
348
341
  #
349
342
  # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
350
343
  #
@@ -360,11 +353,11 @@ module Aws::STS
360
353
  #
361
354
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
362
355
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
363
- # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html
364
- # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction
365
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
366
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
367
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
356
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
357
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
358
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
359
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
360
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
368
361
  # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
369
362
  # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
370
363
  #
@@ -388,37 +381,73 @@ module Aws::STS
388
381
  # spaces. You can also include underscores or any of the following
389
382
  # characters: =,.@-
390
383
  #
391
- # @option params [String] :policy
392
- # An IAM policy in JSON format.
393
- #
394
- # This parameter is optional. If you pass a policy to this operation,
395
- # the resulting temporary credentials have the permissions of the
396
- # assumed role *and* the policy that you pass. This gives you a way to
397
- # further restrict the permissions for the resulting temporary security
398
- # credentials. You cannot use the passed policy to grant permissions
399
- # that are in excess of those allowed by the permissions policy of the
400
- # role that is being assumed. For more information, see [ Permissions
401
- # for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity ][1]
402
- # in the *IAM User Guide*.
384
+ # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
385
+ # The Amazon Resource Names (ARNs) of the IAM managed policies that you
386
+ # want to use as managed session policies. The policies must exist in
387
+ # the same account as the role.
388
+ #
389
+ # This parameter is optional. You can provide up to 10 managed policy
390
+ # ARNs. However, the plain text that you use for both inline and managed
391
+ # session policies shouldn't exceed 2048 characters. For more
392
+ # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
393
+ # Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in
394
+ # the AWS General Reference.
395
+ #
396
+ # <note markdown="1"> The characters in this parameter count towards the 2048 character
397
+ # session policy guideline. However, an AWS conversion compresses the
398
+ # session policies into a packed binary format that has a separate
399
+ # limit. This is the enforced limit. The `PackedPolicySize` response
400
+ # element indicates by percentage how close the policy is to the upper
401
+ # size limit.
403
402
  #
404
- # The format for this parameter, as described by its regex pattern, is a
405
- # string of characters up to 2048 characters in length. The characters
403
+ # </note>
404
+ #
405
+ # Passing policies to this operation returns new temporary credentials.
406
+ # The resulting session's permissions are the intersection of the
407
+ # role's identity-based policy and the session policies. You can use
408
+ # the role's temporary credentials in subsequent AWS API calls to
409
+ # access resources in the account that owns the role. You cannot use
410
+ # session policies to grant more permissions than those allowed by the
411
+ # identity-based policy of the role that is being assumed. For more
412
+ # information, see [Session Policies][1] in the *IAM User Guide*.
413
+ #
414
+ #
415
+ #
416
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
417
+ #
418
+ # @option params [String] :policy
419
+ # An IAM policy in JSON format that you want to use as an inline session
420
+ # policy.
421
+ #
422
+ # This parameter is optional. Passing policies to this operation returns
423
+ # new temporary credentials. The resulting session's permissions are
424
+ # the intersection of the role's identity-based policy and the session
425
+ # policies. You can use the role's temporary credentials in subsequent
426
+ # AWS API calls to access resources in the account that owns the role.
427
+ # You cannot use session policies to grant more permissions than those
428
+ # allowed by the identity-based policy of the role that is being
429
+ # assumed. For more information, see [Session Policies][1] in the *IAM
430
+ # User Guide*.
431
+ #
432
+ # The plain text that you use for both inline and managed session
433
+ # policies shouldn't exceed 2048 characters. The JSON policy characters
406
434
  # can be any ASCII character from the space character to the end of the
407
- # valid character list (\\u0020-\\u00FF). It can also include the tab
408
- # (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
435
+ # valid character list (\\u0020 through \\u00FF). It can also include
436
+ # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
409
437
  # characters.
410
438
  #
411
- # <note markdown="1"> The policy plaintext must be 2048 bytes or shorter. However, an
412
- # internal conversion compresses it into a packed binary format with a
413
- # separate limit. The `PackedPolicySize` response element indicates by
414
- # percentage how close to the upper size limit the policy is, where 100
415
- # percent is the maximum allowed size.
439
+ # <note markdown="1"> The characters in this parameter count towards the 2048 character
440
+ # session policy guideline. However, an AWS conversion compresses the
441
+ # session policies into a packed binary format that has a separate
442
+ # limit. This is the enforced limit. The `PackedPolicySize` response
443
+ # element indicates by percentage how close the policy is to the upper
444
+ # size limit.
416
445
  #
417
446
  # </note>
418
447
  #
419
448
  #
420
449
  #
421
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
450
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
422
451
  #
423
452
  # @option params [Integer] :duration_seconds
424
453
  # The duration, in seconds, of the role session. The value can range
@@ -453,8 +482,8 @@ module Aws::STS
453
482
  # another account. If the administrator of the account to which the role
454
483
  # belongs provided you with an external ID, then provide that value in
455
484
  # the `ExternalId` parameter. This value can be any string, such as a
456
- # passphrase or account number. Because a cross-account role is usually
457
- # set up to trust everyone in an account, the administrator of the
485
+ # passphrase or account number. A cross-account role is usually set up
486
+ # to trust everyone in an account. Therefore, the administrator of the
458
487
  # trusting account might send an external ID to the administrator of the
459
488
  # trusted account. That way, only someone with the ID can assume the
460
489
  # role, rather than everyone in the account. For more information about
@@ -506,7 +535,7 @@ module Aws::STS
506
535
  # resp = client.assume_role({
507
536
  # duration_seconds: 3600,
508
537
  # external_id: "123ABC",
509
- # policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}",
538
+ # policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
510
539
  # role_arn: "arn:aws:iam::123456789012:role/demo",
511
540
  # role_session_name: "Bob",
512
541
  # })
@@ -531,6 +560,11 @@ module Aws::STS
531
560
  # resp = client.assume_role({
532
561
  # role_arn: "arnType", # required
533
562
  # role_session_name: "roleSessionNameType", # required
563
+ # policy_arns: [
564
+ # {
565
+ # arn: "arnType",
566
+ # },
567
+ # ],
534
568
  # policy: "sessionPolicyDocumentType",
535
569
  # duration_seconds: 1,
536
570
  # external_id: "externalIdType",
@@ -589,18 +623,22 @@ module Aws::STS
589
623
  #
590
624
  # The temporary security credentials created by `AssumeRoleWithSAML` can
591
625
  # be used to make API calls to any AWS service with the following
592
- # exception: you cannot call the STS service's `GetFederationToken` or
626
+ # exception: you cannot call the STS `GetFederationToken` or
593
627
  # `GetSessionToken` API operations.
594
628
  #
595
- # Optionally, you can pass an IAM permissions policy to this operation.
596
- # If you pass a policy to this operation, the resulting temporary
597
- # credentials have the permissions of the assumed role *and* the policy
598
- # that you pass. This gives you a way to further restrict the
599
- # permissions for the resulting temporary security credentials. You
600
- # cannot use the passed policy to grant permissions that are in excess
601
- # of those allowed by the permissions policy of the role that is being
602
- # assumed. For more information, see [ Permissions for AssumeRole,
603
- # AssumeRoleWithSAML, and AssumeRoleWithWebIdentity ][5] in the *IAM
629
+ # (Optional) You can pass inline or managed [session policies][5] to
630
+ # this operation. You can pass a single JSON policy document to use as
631
+ # an inline session policy. You can also specify up to 10 managed
632
+ # policies to use as managed session policies. The plain text that you
633
+ # use for both inline and managed session policies shouldn't exceed
634
+ # 2048 characters. Passing policies to this operation returns new
635
+ # temporary credentials. The resulting session's permissions are the
636
+ # intersection of the role's identity-based policy and the session
637
+ # policies. You can use the role's temporary credentials in subsequent
638
+ # AWS API calls to access resources in the account that owns the role.
639
+ # You cannot use session policies to grant more permissions than those
640
+ # allowed by the identity-based policy of the role that is being
641
+ # assumed. For more information, see [Session Policies][6] in the *IAM
604
642
  # User Guide*.
605
643
  #
606
644
  # Before your application can call `AssumeRoleWithSAML`, you must
@@ -617,20 +655,20 @@ module Aws::STS
617
655
  #
618
656
  # Calling `AssumeRoleWithSAML` can result in an entry in your AWS
619
657
  # CloudTrail logs. The entry includes the value in the `NameID` element
620
- # of the SAML assertion. We recommend that you use a NameIDType that is
621
- # not associated with any personally identifiable information (PII). For
622
- # example, you could instead use the Persistent Identifier
658
+ # of the SAML assertion. We recommend that you use a `NameIDType` that
659
+ # is not associated with any personally identifiable information (PII).
660
+ # For example, you could instead use the Persistent Identifier
623
661
  # (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
624
662
  #
625
663
  # For more information, see the following resources:
626
664
  #
627
- # * [About SAML 2.0-based Federation][6] in the *IAM User Guide*.
665
+ # * [About SAML 2.0-based Federation][7] in the *IAM User Guide*.
628
666
  #
629
- # * [Creating SAML Identity Providers][7] in the *IAM User Guide*.
667
+ # * [Creating SAML Identity Providers][8] in the *IAM User Guide*.
630
668
  #
631
- # * [Configuring a Relying Party and Claims][8] in the *IAM User Guide*.
669
+ # * [Configuring a Relying Party and Claims][9] in the *IAM User Guide*.
632
670
  #
633
- # * [Creating a Role for SAML 2.0 Federation][9] in the *IAM User
671
+ # * [Creating a Role for SAML 2.0 Federation][10] in the *IAM User
634
672
  # Guide*.
635
673
  #
636
674
  #
@@ -639,11 +677,12 @@ module Aws::STS
639
677
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
640
678
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
641
679
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
642
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
643
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
644
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
645
- # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
646
- # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
680
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
681
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
682
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
683
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
684
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
685
+ # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
647
686
  #
648
687
  # @option params [required, String] :role_arn
649
688
  # The Amazon Resource Name (ARN) of the role that the caller is
@@ -663,37 +702,73 @@ module Aws::STS
663
702
  #
664
703
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
665
704
  #
666
- # @option params [String] :policy
667
- # An IAM policy in JSON format.
668
- #
669
- # The policy parameter is optional. If you pass a policy to this
670
- # operation, the resulting temporary credentials have the permissions of
671
- # the assumed role *and* the policy that you pass. This gives you a way
672
- # to further restrict the permissions for the resulting temporary
673
- # security credentials. You cannot use the passed policy to grant
674
- # permissions that are in excess of those allowed by the permissions
675
- # policy of the role that is being assumed. For more information, see [
676
- # Permissions for AssumeRole, AssumeRoleWithSAML, and
677
- # AssumeRoleWithWebIdentity ][1] in the *IAM User Guide*.
705
+ # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
706
+ # The Amazon Resource Names (ARNs) of the IAM managed policies that you
707
+ # want to use as managed session policies. The policies must exist in
708
+ # the same account as the role.
709
+ #
710
+ # This parameter is optional. You can provide up to 10 managed policy
711
+ # ARNs. However, the plain text that you use for both inline and managed
712
+ # session policies shouldn't exceed 2048 characters. For more
713
+ # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
714
+ # Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in
715
+ # the AWS General Reference.
716
+ #
717
+ # <note markdown="1"> The characters in this parameter count towards the 2048 character
718
+ # session policy guideline. However, an AWS conversion compresses the
719
+ # session policies into a packed binary format that has a separate
720
+ # limit. This is the enforced limit. The `PackedPolicySize` response
721
+ # element indicates by percentage how close the policy is to the upper
722
+ # size limit.
678
723
  #
679
- # The format for this parameter, as described by its regex pattern, is a
680
- # string of characters up to 2048 characters in length. The characters
724
+ # </note>
725
+ #
726
+ # Passing policies to this operation returns new temporary credentials.
727
+ # The resulting session's permissions are the intersection of the
728
+ # role's identity-based policy and the session policies. You can use
729
+ # the role's temporary credentials in subsequent AWS API calls to
730
+ # access resources in the account that owns the role. You cannot use
731
+ # session policies to grant more permissions than those allowed by the
732
+ # identity-based policy of the role that is being assumed. For more
733
+ # information, see [Session Policies][1] in the *IAM User Guide*.
734
+ #
735
+ #
736
+ #
737
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
738
+ #
739
+ # @option params [String] :policy
740
+ # An IAM policy in JSON format that you want to use as an inline session
741
+ # policy.
742
+ #
743
+ # This parameter is optional. Passing policies to this operation returns
744
+ # new temporary credentials. The resulting session's permissions are
745
+ # the intersection of the role's identity-based policy and the session
746
+ # policies. You can use the role's temporary credentials in subsequent
747
+ # AWS API calls to access resources in the account that owns the role.
748
+ # You cannot use session policies to grant more permissions than those
749
+ # allowed by the identity-based policy of the role that is being
750
+ # assumed. For more information, see [Session Policies][1] in the *IAM
751
+ # User Guide*.
752
+ #
753
+ # The plain text that you use for both inline and managed session
754
+ # policies shouldn't exceed 2048 characters. The JSON policy characters
681
755
  # can be any ASCII character from the space character to the end of the
682
- # valid character list (\\u0020-\\u00FF). It can also include the tab
683
- # (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
756
+ # valid character list (\\u0020 through \\u00FF). It can also include
757
+ # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
684
758
  # characters.
685
759
  #
686
- # <note markdown="1"> The policy plaintext must be 2048 bytes or shorter. However, an
687
- # internal conversion compresses it into a packed binary format with a
688
- # separate limit. The `PackedPolicySize` response element indicates by
689
- # percentage how close to the upper size limit the policy is, where 100
690
- # percent is the maximum allowed size.
760
+ # <note markdown="1"> The characters in this parameter count towards the 2048 character
761
+ # session policy guideline. However, an AWS conversion compresses the
762
+ # session policies into a packed binary format that has a separate
763
+ # limit. This is the enforced limit. The `PackedPolicySize` response
764
+ # element indicates by percentage how close the policy is to the upper
765
+ # size limit.
691
766
  #
692
767
  # </note>
693
768
  #
694
769
  #
695
770
  #
696
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
771
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
697
772
  #
698
773
  # @option params [Integer] :duration_seconds
699
774
  # The duration, in seconds, of the role session. Your role session lasts
@@ -743,6 +818,11 @@ module Aws::STS
743
818
  # role_arn: "arnType", # required
744
819
  # principal_arn: "arnType", # required
745
820
  # saml_assertion: "SAMLAssertionType", # required
821
+ # policy_arns: [
822
+ # {
823
+ # arn: "arnType",
824
+ # },
825
+ # ],
746
826
  # policy: "sessionPolicyDocumentType",
747
827
  # duration_seconds: 1,
748
828
  # })
@@ -783,7 +863,7 @@ module Aws::STS
783
863
  # throughout the lifetime of an application.
784
864
  #
785
865
  # To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
786
- # in the *AWS SDK for Android Developer Guide* guide and [Amazon Cognito
866
+ # in *AWS SDK for Android Developer Guide* and [Amazon Cognito
787
867
  # Overview][4] in the *AWS SDK for iOS Developer Guide*.
788
868
  #
789
869
  # </note>
@@ -821,17 +901,21 @@ module Aws::STS
821
901
  # The temporary security credentials created by
822
902
  # `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
823
903
  # service with the following exception: you cannot call the STS
824
- # service's `GetFederationToken` or `GetSessionToken` API operations.
825
- #
826
- # (Optional) You can pass an IAM permissions policy to this operation.
827
- # If you pass a policy to this operation, the resulting temporary
828
- # credentials have the permissions of the assumed role *and* the policy
829
- # that you pass. This gives you a way to further restrict the
830
- # permissions for the resulting temporary security credentials. You
831
- # cannot use the passed policy to grant permissions that are in excess
832
- # of those allowed by the permissions policy of the role that is being
833
- # assumed. For more information, see [ Permissions for AssumeRole,
834
- # AssumeRoleWithSAML, and AssumeRoleWithWebIdentity ][9] in the *IAM
904
+ # `GetFederationToken` or `GetSessionToken` API operations.
905
+ #
906
+ # (Optional) You can pass inline or managed [session policies][9] to
907
+ # this operation. You can pass a single JSON policy document to use as
908
+ # an inline session policy. You can also specify up to 10 managed
909
+ # policies to use as managed session policies. The plain text that you
910
+ # use for both inline and managed session policies shouldn't exceed
911
+ # 2048 characters. Passing policies to this operation returns new
912
+ # temporary credentials. The resulting session's permissions are the
913
+ # intersection of the role's identity-based policy and the session
914
+ # policies. You can use the role's temporary credentials in subsequent
915
+ # AWS API calls to access resources in the account that owns the role.
916
+ # You cannot use session policies to grant more permissions than those
917
+ # allowed by the identity-based policy of the role that is being
918
+ # assumed. For more information, see [Session Policies][10] in the *IAM
835
919
  # User Guide*.
836
920
  #
837
921
  # Before your application can call `AssumeRoleWithWebIdentity`, you must
@@ -842,19 +926,19 @@ module Aws::STS
842
926
  # specified in the role's trust policy.
843
927
  #
844
928
  # Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
845
- # CloudTrail logs. The entry includes the [Subject][10] of the provided
929
+ # CloudTrail logs. The entry includes the [Subject][11] of the provided
846
930
  # Web Identity Token. We recommend that you avoid using any personally
847
931
  # identifiable information (PII) in this field. For example, you could
848
932
  # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
849
- # specification][11].
933
+ # specification][12].
850
934
  #
851
935
  # For more information about how to use web identity federation and the
852
936
  # `AssumeRoleWithWebIdentity` API, see the following resources:
853
937
  #
854
- # * [Using Web Identity Federation API Operations for Mobile Apps][12]
855
- # and [Federation Through a Web-based Identity Provider][13].
938
+ # * [Using Web Identity Federation API Operations for Mobile Apps][13]
939
+ # and [Federation Through a Web-based Identity Provider][14].
856
940
  #
857
- # * [ Web Identity Federation Playground][14]. Walk through the process
941
+ # * [ Web Identity Federation Playground][15]. Walk through the process
858
942
  # of authenticating through Login with Amazon, Facebook, or Google,
859
943
  # getting temporary security credentials, and then using those
860
944
  # credentials to make a request to AWS.
@@ -865,7 +949,7 @@ module Aws::STS
865
949
  # information from these providers to get and use temporary security
866
950
  # credentials.
867
951
  #
868
- # * [Web Identity Federation with Mobile Applications][15]. This article
952
+ # * [Web Identity Federation with Mobile Applications][16]. This article
869
953
  # discusses web identity federation and shows an example of how to use
870
954
  # web identity federation to get access to content in Amazon S3.
871
955
  #
@@ -879,13 +963,14 @@ module Aws::STS
879
963
  # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
880
964
  # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
881
965
  # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
882
- # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
883
- # [10]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
884
- # [11]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
885
- # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
886
- # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
887
- # [14]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
888
- # [15]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
966
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
967
+ # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
968
+ # [11]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
969
+ # [12]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
970
+ # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
971
+ # [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
972
+ # [15]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
973
+ # [16]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
889
974
  #
890
975
  # @option params [required, String] :role_arn
891
976
  # The Amazon Resource Name (ARN) of the role that the caller is
@@ -922,37 +1007,73 @@ module Aws::STS
922
1007
  #
923
1008
  # Do not specify this value for OpenID Connect ID tokens.
924
1009
  #
925
- # @option params [String] :policy
926
- # An IAM policy in JSON format.
927
- #
928
- # The policy parameter is optional. If you pass a policy to this
929
- # operation, the resulting temporary credentials have the permissions of
930
- # the assumed role *and* the policy that you pass. This gives you a way
931
- # to further restrict the permissions for the resulting temporary
932
- # security credentials. You cannot use the passed policy to grant
933
- # permissions that are in excess of those allowed by the permissions
934
- # policy of the role that is being assumed. For more information, see [
935
- # Permissions for AssumeRole, AssumeRoleWithSAML, and
936
- # AssumeRoleWithWebIdentity ][1] in the *IAM User Guide*.
1010
+ # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
1011
+ # The Amazon Resource Names (ARNs) of the IAM managed policies that you
1012
+ # want to use as managed session policies. The policies must exist in
1013
+ # the same account as the role.
1014
+ #
1015
+ # This parameter is optional. You can provide up to 10 managed policy
1016
+ # ARNs. However, the plain text that you use for both inline and managed
1017
+ # session policies shouldn't exceed 2048 characters. For more
1018
+ # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
1019
+ # Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in
1020
+ # the AWS General Reference.
1021
+ #
1022
+ # <note markdown="1"> The characters in this parameter count towards the 2048 character
1023
+ # session policy guideline. However, an AWS conversion compresses the
1024
+ # session policies into a packed binary format that has a separate
1025
+ # limit. This is the enforced limit. The `PackedPolicySize` response
1026
+ # element indicates by percentage how close the policy is to the upper
1027
+ # size limit.
937
1028
  #
938
- # The format for this parameter, as described by its regex pattern, is a
939
- # string of characters up to 2048 characters in length. The characters
1029
+ # </note>
1030
+ #
1031
+ # Passing policies to this operation returns new temporary credentials.
1032
+ # The resulting session's permissions are the intersection of the
1033
+ # role's identity-based policy and the session policies. You can use
1034
+ # the role's temporary credentials in subsequent AWS API calls to
1035
+ # access resources in the account that owns the role. You cannot use
1036
+ # session policies to grant more permissions than those allowed by the
1037
+ # identity-based policy of the role that is being assumed. For more
1038
+ # information, see [Session Policies][1] in the *IAM User Guide*.
1039
+ #
1040
+ #
1041
+ #
1042
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
1043
+ #
1044
+ # @option params [String] :policy
1045
+ # An IAM policy in JSON format that you want to use as an inline session
1046
+ # policy.
1047
+ #
1048
+ # This parameter is optional. Passing policies to this operation returns
1049
+ # new temporary credentials. The resulting session's permissions are
1050
+ # the intersection of the role's identity-based policy and the session
1051
+ # policies. You can use the role's temporary credentials in subsequent
1052
+ # AWS API calls to access resources in the account that owns the role.
1053
+ # You cannot use session policies to grant more permissions than those
1054
+ # allowed by the identity-based policy of the role that is being
1055
+ # assumed. For more information, see [Session Policies][1] in the *IAM
1056
+ # User Guide*.
1057
+ #
1058
+ # The plain text that you use for both inline and managed session
1059
+ # policies shouldn't exceed 2048 characters. The JSON policy characters
940
1060
  # can be any ASCII character from the space character to the end of the
941
- # valid character list (\\u0020-\\u00FF). It can also include the tab
942
- # (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1061
+ # valid character list (\\u0020 through \\u00FF). It can also include
1062
+ # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
943
1063
  # characters.
944
1064
  #
945
- # <note markdown="1"> The policy plaintext must be 2048 bytes or shorter. However, an
946
- # internal conversion compresses it into a packed binary format with a
947
- # separate limit. The `PackedPolicySize` response element indicates by
948
- # percentage how close to the upper size limit the policy is, where 100
949
- # percent is the maximum allowed size.
1065
+ # <note markdown="1"> The characters in this parameter count towards the 2048 character
1066
+ # session policy guideline. However, an AWS conversion compresses the
1067
+ # session policies into a packed binary format that has a separate
1068
+ # limit. This is the enforced limit. The `PackedPolicySize` response
1069
+ # element indicates by percentage how close the policy is to the upper
1070
+ # size limit.
950
1071
  #
951
1072
  # </note>
952
1073
  #
953
1074
  #
954
1075
  #
955
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
1076
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
956
1077
  #
957
1078
  # @option params [Integer] :duration_seconds
958
1079
  # The duration, in seconds, of the role session. The value can range
@@ -996,6 +1117,7 @@ module Aws::STS
996
1117
  #
997
1118
  # resp = client.assume_role_with_web_identity({
998
1119
  # duration_seconds: 3600,
1120
+ # policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
999
1121
  # provider_id: "www.amazon.com",
1000
1122
  # role_arn: "arn:aws:iam::123456789012:role/FederatedWebIdentityRole",
1001
1123
  # role_session_name: "app1",
@@ -1027,6 +1149,11 @@ module Aws::STS
1027
1149
  # role_session_name: "roleSessionNameType", # required
1028
1150
  # web_identity_token: "clientTokenType", # required
1029
1151
  # provider_id: "urlType",
1152
+ # policy_arns: [
1153
+ # {
1154
+ # arn: "arnType",
1155
+ # },
1156
+ # ],
1030
1157
  # policy: "sessionPolicyDocumentType",
1031
1158
  # duration_seconds: 1,
1032
1159
  # })
@@ -1249,18 +1376,27 @@ module Aws::STS
1249
1376
  #
1250
1377
  # **Permissions**
1251
1378
  #
1252
- # You must pass an IAM permissions policy to `GetFederationToken`. When
1253
- # you pass a policy to this operation, the resulting temporary
1254
- # credentials are defined by the intersection of your IAM user policies
1255
- # and the passed policy . The passed policy defines the permissions of
1256
- # the *federated user*. AWS allows the federated user's request only
1257
- # when both the attached policy and the IAM user policy explicitly allow
1258
- # the federated user to perform the requested action. The passed policy
1259
- # cannot grant more permissions than those that are defined in the IAM
1260
- # user policy. For more information about how permissions work, see
1261
- # [Permissions for GetFederationToken][6]. For information about using
1379
+ # You must pass an inline or managed [session policy][6] to this
1380
+ # operation. You can pass a single JSON policy document to use as an
1381
+ # inline session policy. You can also specify up to 10 managed policies
1382
+ # to use as managed session policies. The plain text that you use for
1383
+ # both inline and managed session policies shouldn't exceed 2048
1384
+ # characters.
1385
+ #
1386
+ # Though the session policy parameters are optional, if you do not pass
1387
+ # a policy, then the resulting federated user session has no
1388
+ # permissions. The only exception is when the credentials are used to
1389
+ # access a resource that has a resource-based policy that specifically
1390
+ # references the federated user session in the `Principal` element of
1391
+ # the policy. When you pass session policies, the session permissions
1392
+ # are the intersection of the IAM user policies and the session policies
1393
+ # that you pass. This gives you a way to further restrict the
1394
+ # permissions for a federated user. You cannot use session policies to
1395
+ # grant more permissions than those that are defined in the permissions
1396
+ # policy of the IAM user. For more information, see [Session
1397
+ # Policies][7] in the *IAM User Guide*. For information about using
1262
1398
  # `GetFederationToken` to create temporary security credentials, see
1263
- # [GetFederationToken—Federation Through a Custom Identity Broker][7].
1399
+ # [GetFederationToken—Federation Through a Custom Identity Broker][8].
1264
1400
  #
1265
1401
  #
1266
1402
  #
@@ -1269,8 +1405,9 @@ module Aws::STS
1269
1405
  # [3]: http://aws.amazon.com/cognito/
1270
1406
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
1271
1407
  # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
1272
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
1273
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
1408
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1409
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
1410
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
1274
1411
  #
1275
1412
  # @option params [required, String] :name
1276
1413
  # The name of the federated user. The name is used as an identifier for
@@ -1284,37 +1421,93 @@ module Aws::STS
1284
1421
  # characters: =,.@-
1285
1422
  #
1286
1423
  # @option params [String] :policy
1287
- # An IAM policy in JSON format. You must pass an IAM permissions policy
1288
- # to `GetFederationToken`. When you pass a policy to this operation, the
1289
- # resulting temporary credentials are defined by the intersection of
1290
- # your IAM user policies and the policy that you pass. The passed policy
1291
- # defines the permissions of the *federated user*. AWS allows the
1292
- # federated user's request only when both the attached policy and the
1293
- # IAM user policy explicitly allow the federated user to perform the
1294
- # requested action. The passed policy cannot grant more permissions than
1295
- # those that are defined in the IAM user policy.
1424
+ # An IAM policy in JSON format that you want to use as an inline session
1425
+ # policy.
1426
+ #
1427
+ # You must pass an inline or managed [session policy][1] to this
1428
+ # operation. You can pass a single JSON policy document to use as an
1429
+ # inline session policy. You can also specify up to 10 managed policies
1430
+ # to use as managed session policies.
1431
+ #
1432
+ # This parameter is optional. However, if you do not pass any session
1433
+ # policies, then the resulting federated user session has no
1434
+ # permissions. The only exception is when the credentials are used to
1435
+ # access a resource that has a resource-based policy that specifically
1436
+ # references the federated user session in the `Principal` element of
1437
+ # the policy.
1438
+ #
1439
+ # When you pass session policies, the session permissions are the
1440
+ # intersection of the IAM user policies and the session policies that
1441
+ # you pass. This gives you a way to further restrict the permissions for
1442
+ # a federated user. You cannot use session policies to grant more
1443
+ # permissions than those that are defined in the permissions policy of
1444
+ # the IAM user. For more information, see [Session Policies][2] in the
1445
+ # *IAM User Guide*.
1296
1446
  #
1297
- # The format for this parameter, as described by its regex pattern, is a
1298
- # string of characters up to 2048 characters in length. The characters
1447
+ # The plain text that you use for both inline and managed session
1448
+ # policies shouldn't exceed 2048 characters. The JSON policy characters
1299
1449
  # can be any ASCII character from the space character to the end of the
1300
- # valid character list (\\u0020-\\u00FF). It can also include the tab
1301
- # (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1450
+ # valid character list (\\u0020 through \\u00FF). It can also include
1451
+ # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1302
1452
  # characters.
1303
1453
  #
1304
- # <note markdown="1"> The policy plaintext must be 2048 bytes or shorter. However, an
1305
- # internal conversion compresses it into a packed binary format with a
1306
- # separate limit. The `PackedPolicySize` response element indicates by
1307
- # percentage how close to the upper size limit the policy is, where 100
1308
- # percent is the maximum allowed size.
1454
+ # <note markdown="1"> The characters in this parameter count towards the 2048 character
1455
+ # session policy guideline. However, an AWS conversion compresses the
1456
+ # session policies into a packed binary format that has a separate
1457
+ # limit. This is the enforced limit. The `PackedPolicySize` response
1458
+ # element indicates by percentage how close the policy is to the upper
1459
+ # size limit.
1309
1460
  #
1310
1461
  # </note>
1311
1462
  #
1312
- # For more information about how permissions work, see [Permissions for
1313
- # GetFederationToken][1].
1463
+ #
1464
+ #
1465
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1466
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
1467
+ #
1468
+ # @option params [Array<Types::PolicyDescriptorType>] :policy_arns
1469
+ # The Amazon Resource Names (ARNs) of the IAM managed policies that you
1470
+ # want to use as a managed session policy. The policies must exist in
1471
+ # the same account as the IAM user that is requesting federated access.
1472
+ #
1473
+ # You must pass an inline or managed [session policy][1] to this
1474
+ # operation. You can pass a single JSON policy document to use as an
1475
+ # inline session policy. You can also specify up to 10 managed policies
1476
+ # to use as managed session policies. The plain text that you use for
1477
+ # both inline and managed session policies shouldn't exceed 2048
1478
+ # characters. You can provide up to 10 managed policy ARNs. For more
1479
+ # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
1480
+ # Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in
1481
+ # the AWS General Reference.
1482
+ #
1483
+ # This parameter is optional. However, if you do not pass any session
1484
+ # policies, then the resulting federated user session has no
1485
+ # permissions. The only exception is when the credentials are used to
1486
+ # access a resource that has a resource-based policy that specifically
1487
+ # references the federated user session in the `Principal` element of
1488
+ # the policy.
1489
+ #
1490
+ # When you pass session policies, the session permissions are the
1491
+ # intersection of the IAM user policies and the session policies that
1492
+ # you pass. This gives you a way to further restrict the permissions for
1493
+ # a federated user. You cannot use session policies to grant more
1494
+ # permissions than those that are defined in the permissions policy of
1495
+ # the IAM user. For more information, see [Session Policies][2] in the
1496
+ # *IAM User Guide*.
1497
+ #
1498
+ # <note markdown="1"> The characters in this parameter count towards the 2048 character
1499
+ # session policy guideline. However, an AWS conversion compresses the
1500
+ # session policies into a packed binary format that has a separate
1501
+ # limit. This is the enforced limit. The `PackedPolicySize` response
1502
+ # element indicates by percentage how close the policy is to the upper
1503
+ # size limit.
1504
+ #
1505
+ # </note>
1314
1506
  #
1315
1507
  #
1316
1508
  #
1317
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
1509
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
1510
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
1318
1511
  #
1319
1512
  # @option params [Integer] :duration_seconds
1320
1513
  # The duration, in seconds, that the session should last. Acceptable
@@ -1337,7 +1530,7 @@ module Aws::STS
1337
1530
  # resp = client.get_federation_token({
1338
1531
  # duration_seconds: 3600,
1339
1532
  # name: "Bob",
1340
- # policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}",
1533
+ # policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
1341
1534
  # })
1342
1535
  #
1343
1536
  # resp.to_h outputs the following:
@@ -1360,6 +1553,11 @@ module Aws::STS
1360
1553
  # resp = client.get_federation_token({
1361
1554
  # name: "userNameType", # required
1362
1555
  # policy: "sessionPolicyDocumentType",
1556
+ # policy_arns: [
1557
+ # {
1558
+ # arn: "arnType",
1559
+ # },
1560
+ # ],
1363
1561
  # duration_seconds: 1,
1364
1562
  # })
1365
1563
  #
@@ -1398,13 +1596,13 @@ module Aws::STS
1398
1596
  # *IAM User Guide*.
1399
1597
  #
1400
1598
  # The `GetSessionToken` operation must be called by using the long-term
1401
- # AWS security credentials of the AWS account or an IAM user.
1599
+ # AWS security credentials of the AWS account root user or an IAM user.
1402
1600
  # Credentials that are created by IAM users are valid for the duration
1403
1601
  # that you specify. This duration can range from 900 seconds (15
1404
1602
  # minutes) up to a maximum of 129,600 seconds (36 hours), with a default
1405
- # of 43,200 seconds (12 hours). Credentials that are created by using
1406
- # account credentials can range from 900 seconds (15 minutes) up to a
1407
- # maximum of 3,600 seconds (1 hour), with a default of 1 hour.
1603
+ # of 43,200 seconds (12 hours). Credentials based on account credentials
1604
+ # can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour),
1605
+ # with a default of 1 hour.
1408
1606
  #
1409
1607
  # The temporary security credentials created by `GetSessionToken` can be
1410
1608
  # used to make API calls to any AWS service with the following
@@ -1423,14 +1621,13 @@ module Aws::STS
1423
1621
  #
1424
1622
  # </note>
1425
1623
  #
1426
- # The permissions associated with the temporary security credentials
1427
- # returned by `GetSessionToken` are based on the permissions associated
1428
- # with account or IAM user whose credentials are used to call the
1429
- # operation. If `GetSessionToken` is called using AWS account root user
1430
- # credentials, the temporary credentials have root user permissions.
1431
- # Similarly, if `GetSessionToken` is called using the credentials of an
1432
- # IAM user, the temporary credentials have the same permissions as the
1433
- # IAM user.
1624
+ # The credentials that are returned by `GetSessionToken` are based on
1625
+ # permissions associated with the user whose credentials were used to
1626
+ # call the operation. If `GetSessionToken` is called using AWS account
1627
+ # root user credentials, the temporary credentials have root user
1628
+ # permissions. Similarly, if `GetSessionToken` is called using the
1629
+ # credentials of an IAM user, the temporary credentials have the same
1630
+ # permissions as the IAM user.
1434
1631
  #
1435
1632
  # For more information about using `GetSessionToken` to create temporary
1436
1633
  # credentials, go to [Temporary Credentials for Users in Untrusted
@@ -1537,7 +1734,7 @@ module Aws::STS
1537
1734
  params: params,
1538
1735
  config: config)
1539
1736
  context[:gem_name] = 'aws-sdk-core'
1540
- context[:gem_version] = '3.50.0'
1737
+ context[:gem_version] = '3.51.0'
1541
1738
  Seahorse::Client::Request.new(handlers, context)
1542
1739
  end
1543
1740