aws-sdk-core 3.50.0 → 3.51.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +420 -223
- data/lib/aws-sdk-sts/client_api.rb +11 -0
- data/lib/aws-sdk-sts/types.rb +327 -115
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: bae23abccbe717b9ab14dd9177806e877d9536cf
|
4
|
+
data.tar.gz: c1f807ed12fdc2040c83049b053f5db6cecc4f5e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3b7b9f34e7a03085ea4c0177cf98165e73e4bb7d75c00324f802582c116af9a611d2a0138879470f3fb1a8313b484ee525a77e3d0ffee165000dae5eec6cd23e
|
7
|
+
data.tar.gz: c76c357125d112841a879b44bc5865e351b9dbf7f9de3e97a38fba0bd4e8b1fd2f725067ec6a47383b434702c8a652c4980191572527d87773ed44d1a62b0f5d
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.51.0
|
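Review bot: the bump from 3.50.0 to 3.51.0 is a minor-version increment, and that matches the visible change set: the only API-surface change in this diff is the new optional `:policy_arns` parameter on the STS client's `assume_role`, `assume_role_with_saml` and `assume_role_with_web_identity`, with nothing removed, so callers pinned to `~> 3.50` pick it up without a breaking change. The file list for this release carries no CHANGELOG entry, though; one naming the new parameter would tell downstream users that session policies can now be passed by managed-policy ARN as well as inline JSON.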
data/lib/aws-sdk-sts.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -251,8 +251,8 @@ module Aws::STS
|
|
251
251
|
# Returns a set of temporary security credentials that you can use to
|
252
252
|
# access AWS resources that you might not normally have access to. These
|
253
253
|
# temporary credentials consist of an access key ID, a secret access
|
254
|
-
# key, and a security token. Typically, you use `AssumeRole`
|
255
|
-
# cross-account access
|
254
|
+
# key, and a security token. Typically, you use `AssumeRole` within your
|
255
|
+
# account or for cross-account access. For a comparison of `AssumeRole`
|
256
256
|
# with other API operations that produce temporary credentials, see
|
257
257
|
# [Requesting Temporary Security Credentials][1] and [Comparing the AWS
|
258
258
|
# STS API operations][2] in the *IAM User Guide*.
|
@@ -266,21 +266,10 @@ module Aws::STS
|
|
266
266
|
# credentials in each account to access those resources. However,
|
267
267
|
# managing all those credentials and remembering which one can access
|
268
268
|
# which account can be time consuming. Instead, you can create one set
|
269
|
-
# of long-term credentials in one account
|
270
|
-
#
|
271
|
-
#
|
272
|
-
#
|
273
|
-
#
|
274
|
-
# For federation, you can, for example, grant single sign-on access to
|
275
|
-
# the AWS Management Console. If you already have an identity and
|
276
|
-
# authentication system in your network, you don't have to recreate
|
277
|
-
# identities in AWS in order to grant them access to AWS. Instead, after
|
278
|
-
# a user has been authenticated, you call `AssumeRole` (and specify the
|
279
|
-
# role with the appropriate permissions) to get temporary security
|
280
|
-
# credentials for that user. With those temporary security credentials,
|
281
|
-
# you construct a sign-in URL from which users can access the console.
|
282
|
-
# For more information, see [Common Scenarios for Temporary
|
283
|
-
# Credentials][4] in the *IAM User Guide*.
|
269
|
+
# of long-term credentials in one account. Then use temporary security
|
270
|
+
# credentials to access all the other accounts by assuming roles in
|
271
|
+
# those accounts. For more information about roles, see [IAM Roles][3]
|
272
|
+
# in the *IAM User Guide*.
|
284
273
|
#
|
285
274
|
# By default, the temporary security credentials created by `AssumeRole`
|
286
275
|
# last for one hour. However, you can use the optional `DurationSeconds`
|
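Review bot: this hunk removes the only passage in the `AssumeRole` docstring that described the federation flow (authenticate in your own identity system, call `AssumeRole`, build a console sign-in URL) together with its "Common Scenarios for Temporary Credentials" footnote `[4]`, and replaces it with the shorter cross-account paragraph pointing at `[IAM Roles][3]`. The replacement is consistent with the renumbered footnotes (`[3]` becomes the IAM Roles page and `[4]` is reused for the maximum-session-duration link in the following hunks), so nothing dangles, but the console sign-in scenario is now undocumented here; if that drop is intentional, a pointer to where that flow is described would keep readers from assuming `AssumeRole` is only for cross-account API access.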
@@ -288,63 +277,67 @@ module Aws::STS
|
|
288
277
|
# value from 900 seconds (15 minutes) up to the maximum session duration
|
289
278
|
# setting for the role. This setting can have a value from 1 hour to 12
|
290
279
|
# hours. To learn how to view the maximum value for your role, see [View
|
291
|
-
# the Maximum Session Duration Setting for a Role][
|
280
|
+
# the Maximum Session Duration Setting for a Role][4] in the *IAM User
|
292
281
|
# Guide*. The maximum session duration limit applies when you use the
|
293
282
|
# `AssumeRole*` API operations or the `assume-role*` CLI commands.
|
294
283
|
# However the limit does not apply when you use those operations to
|
295
|
-
# create a console URL. For more information, see [Using IAM Roles][
|
284
|
+
# create a console URL. For more information, see [Using IAM Roles][5]
|
296
285
|
# in the *IAM User Guide*.
|
297
286
|
#
|
298
287
|
# The temporary security credentials created by `AssumeRole` can be used
|
299
288
|
# to make API calls to any AWS service with the following exception: You
|
300
|
-
# cannot call the AWS STS
|
301
|
-
#
|
302
|
-
#
|
303
|
-
# (Optional) You can pass
|
304
|
-
#
|
305
|
-
#
|
306
|
-
#
|
307
|
-
#
|
308
|
-
#
|
309
|
-
#
|
310
|
-
#
|
311
|
-
#
|
289
|
+
# cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
|
290
|
+
# operations.
|
291
|
+
#
|
292
|
+
# (Optional) You can pass inline or managed [session policies][6] to
|
293
|
+
# this operation. You can pass a single JSON policy document to use as
|
294
|
+
# an inline session policy. You can also specify up to 10 managed
|
295
|
+
# policies to use as managed session policies. The plain text that you
|
296
|
+
# use for both inline and managed session policies shouldn't exceed
|
297
|
+
# 2048 characters. Passing policies to this operation returns new
|
298
|
+
# temporary credentials. The resulting session's permissions are the
|
299
|
+
# intersection of the role's identity-based policy and the session
|
300
|
+
# policies. You can use the role's temporary credentials in subsequent
|
301
|
+
# AWS API calls to access resources in the account that owns the role.
|
302
|
+
# You cannot use session policies to grant more permissions than those
|
303
|
+
# allowed by the identity-based policy of the role that is being
|
304
|
+
# assumed. For more information, see [Session Policies][7] in the *IAM
|
312
305
|
# User Guide*.
|
313
306
|
#
|
314
|
-
# To assume a role, your AWS account must be
|
315
|
-
# trust relationship is defined in the role's
|
316
|
-
# role is created. That trust policy states which
|
317
|
-
# to delegate access to
|
307
|
+
# To assume a role from a different account, your AWS account must be
|
308
|
+
# trusted by the role. The trust relationship is defined in the role's
|
309
|
+
# trust policy when the role is created. That trust policy states which
|
310
|
+
# accounts are allowed to delegate that access to users in the account.
|
318
311
|
#
|
319
|
-
#
|
320
|
-
#
|
321
|
-
#
|
322
|
-
#
|
323
|
-
#
|
324
|
-
#
|
312
|
+
# A user who wants to access a role in a different account must also
|
313
|
+
# have permissions that are delegated from the user account
|
314
|
+
# administrator. The administrator must attach a policy that allows the
|
315
|
+
# user to call `AssumeRole` for the ARN of the role in the other
|
316
|
+
# account. If the user is in the same account as the role, then you can
|
317
|
+
# do either of the following:
|
325
318
|
#
|
326
319
|
# * Attach a policy to the user (identical to the previous user in a
|
327
|
-
# different account)
|
320
|
+
# different account).
|
328
321
|
#
|
329
322
|
# * Add the user as a principal directly in the role's trust policy.
|
330
323
|
#
|
331
|
-
# In this case, the trust policy acts as
|
332
|
-
#
|
333
|
-
#
|
334
|
-
#
|
335
|
-
#
|
324
|
+
# In this case, the trust policy acts as an IAM resource-based policy.
|
325
|
+
# Users in the same account as the role do not need explicit permission
|
326
|
+
# to assume the role. For more information about trust policies and
|
327
|
+
# resource-based policies, see [IAM Policies][8] in the *IAM User
|
328
|
+
# Guide*.
|
336
329
|
#
|
337
330
|
# **Using MFA with AssumeRole**
|
338
331
|
#
|
339
332
|
# (Optional) You can include multi-factor authentication (MFA)
|
340
333
|
# information when you call `AssumeRole`. This is useful for
|
341
|
-
# cross-account scenarios
|
342
|
-
#
|
343
|
-
#
|
344
|
-
#
|
345
|
-
#
|
346
|
-
#
|
347
|
-
#
|
334
|
+
# cross-account scenarios to ensure that the user that assumes the role
|
335
|
+
# has been authenticated with an AWS MFA device. In that scenario, the
|
336
|
+
# trust policy of the role being assumed includes a condition that tests
|
337
|
+
# for MFA authentication. If the caller does not include valid MFA
|
338
|
+
# information, the request to assume the role is denied. The condition
|
339
|
+
# in a trust policy that tests for MFA authentication might look like
|
340
|
+
# the following example.
|
348
341
|
#
|
349
342
|
# `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
|
350
343
|
#
|
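Review bot: the sentence "Users in the same account as the role do not need explicit permission to assume the role" (in the paragraph beginning "In this case, the trust policy acts as an IAM resource-based policy") is easy to read as a blanket statement, but in context it only holds for the second bullet, where the user is named directly as a principal in the role's trust policy; the first bullet ("Attach a policy to the user ...") still requires the identity-based `sts:AssumeRole` permission. Suggest tightening it to "Users named directly as principals in the trust policy do not need ..." so a reader does not conclude that a trust policy naming the account root alone lets any user in the account assume the role. The rest of the hunk reads correctly from a least-privilege standpoint: session policies are described as an intersection that can only reduce the role's permissions, and the new text makes explicit that role credentials cannot call `GetFederationToken` or `GetSessionToken`.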
@@ -360,11 +353,11 @@ module Aws::STS
|
|
360
353
|
#
|
361
354
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
362
355
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
363
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
364
|
-
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
365
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
366
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
367
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
356
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
|
357
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
358
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
359
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
360
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
368
361
|
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
|
369
362
|
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
|
370
363
|
#
|
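Review bot: footnote `[7]` has a duplicated path segment, `https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session`, which will not resolve; it should be identical to `[6]` on the line above (`https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session`), since both are the Session Policies anchor referenced from the same docstring. Either fix the URL or collapse `[6]` and `[7]` into one footnote. The same malformed URL recurs in the `:policy_arns`/`:policy` option docs and in the SAML and web-identity docstrings later in this diff, so the fix belongs in the upstream API model rather than a hand edit here.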
@@ -388,37 +381,73 @@ module Aws::STS
|
|
388
381
|
# spaces. You can also include underscores or any of the following
|
389
382
|
# characters: =,.@-
|
390
383
|
#
|
391
|
-
# @option params [
|
392
|
-
#
|
393
|
-
#
|
394
|
-
#
|
395
|
-
#
|
396
|
-
#
|
397
|
-
#
|
398
|
-
#
|
399
|
-
#
|
400
|
-
#
|
401
|
-
#
|
402
|
-
#
|
384
|
+
# @option params [Array<Types::PolicyDescriptorType>] :policy_arns
|
385
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that you
|
386
|
+
# want to use as managed session policies. The policies must exist in
|
387
|
+
# the same account as the role.
|
388
|
+
#
|
389
|
+
# This parameter is optional. You can provide up to 10 managed policy
|
390
|
+
# ARNs. However, the plain text that you use for both inline and managed
|
391
|
+
# session policies shouldn't exceed 2048 characters. For more
|
392
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
393
|
+
# Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in
|
394
|
+
# the AWS General Reference.
|
395
|
+
#
|
396
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
397
|
+
# session policy guideline. However, an AWS conversion compresses the
|
398
|
+
# session policies into a packed binary format that has a separate
|
399
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
400
|
+
# element indicates by percentage how close the policy is to the upper
|
401
|
+
# size limit.
|
403
402
|
#
|
404
|
-
#
|
405
|
-
#
|
403
|
+
# </note>
|
404
|
+
#
|
405
|
+
# Passing policies to this operation returns new temporary credentials.
|
406
|
+
# The resulting session's permissions are the intersection of the
|
407
|
+
# role's identity-based policy and the session policies. You can use
|
408
|
+
# the role's temporary credentials in subsequent AWS API calls to
|
409
|
+
# access resources in the account that owns the role. You cannot use
|
410
|
+
# session policies to grant more permissions than those allowed by the
|
411
|
+
# identity-based policy of the role that is being assumed. For more
|
412
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
413
|
+
#
|
414
|
+
#
|
415
|
+
#
|
416
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
417
|
+
#
|
418
|
+
# @option params [String] :policy
|
419
|
+
# An IAM policy in JSON format that you want to use as an inline session
|
420
|
+
# policy.
|
421
|
+
#
|
422
|
+
# This parameter is optional. Passing policies to this operation returns
|
423
|
+
# new temporary credentials. The resulting session's permissions are
|
424
|
+
# the intersection of the role's identity-based policy and the session
|
425
|
+
# policies. You can use the role's temporary credentials in subsequent
|
426
|
+
# AWS API calls to access resources in the account that owns the role.
|
427
|
+
# You cannot use session policies to grant more permissions than those
|
428
|
+
# allowed by the identity-based policy of the role that is being
|
429
|
+
# assumed. For more information, see [Session Policies][1] in the *IAM
|
430
|
+
# User Guide*.
|
431
|
+
#
|
432
|
+
# The plain text that you use for both inline and managed session
|
433
|
+
# policies shouldn't exceed 2048 characters. The JSON policy characters
|
406
434
|
# can be any ASCII character from the space character to the end of the
|
407
|
-
# valid character list (\\u0020
|
408
|
-
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
435
|
+
# valid character list (\\u0020 through \\u00FF). It can also include
|
436
|
+
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
409
437
|
# characters.
|
410
438
|
#
|
411
|
-
# <note markdown="1"> The
|
412
|
-
#
|
413
|
-
#
|
414
|
-
#
|
415
|
-
#
|
439
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
440
|
+
# session policy guideline. However, an AWS conversion compresses the
|
441
|
+
# session policies into a packed binary format that has a separate
|
442
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
443
|
+
# element indicates by percentage how close the policy is to the upper
|
444
|
+
# size limit.
|
416
445
|
#
|
417
446
|
# </note>
|
418
447
|
#
|
419
448
|
#
|
420
449
|
#
|
421
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
450
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
422
451
|
#
|
423
452
|
# @option params [Integer] :duration_seconds
|
424
453
|
# The duration, in seconds, of the role session. The value can range
|
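Review bot: two link problems in the new `:policy_arns` and `:policy` option docs. First, `[Amazon Resource Names (ARNs) and AWS Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html)` is a relative path that YARD will render relative to the generated docs site, not `docs.aws.amazon.com`; it needs the absolute form `https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html`. Second, both `[1]` footnotes (for `:policy_arns` and for `:policy`) carry the duplicated `IAM/latest/UserGuide/` segment and will 404. Beyond the links, the `<note markdown="1">` block about the 2048-character guideline and the enforced `PackedPolicySize` limit, and the "Passing policies to this operation returns new temporary credentials..." paragraph, are repeated verbatim under both options; harmless since this is generated text, but if the model is edited, documenting the combined inline-plus-managed limit once and cross-referencing would keep the docstring readable.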
@@ -453,8 +482,8 @@ module Aws::STS
|
|
453
482
|
# another account. If the administrator of the account to which the role
|
454
483
|
# belongs provided you with an external ID, then provide that value in
|
455
484
|
# the `ExternalId` parameter. This value can be any string, such as a
|
456
|
-
# passphrase or account number.
|
457
|
-
#
|
485
|
+
# passphrase or account number. A cross-account role is usually set up
|
486
|
+
# to trust everyone in an account. Therefore, the administrator of the
|
458
487
|
# trusting account might send an external ID to the administrator of the
|
459
488
|
# trusted account. That way, only someone with the ID can assume the
|
460
489
|
# role, rather than everyone in the account. For more information about
|
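Review bot: the expanded `:external_id` text explains the motivation well but describes only the effect ("only someone with the ID can assume the role"), not the mechanism. The external ID is a request parameter that the caller supplies; it restricts who can assume the role only if the role's trust policy includes a condition on it (the `sts:ExternalId` condition key). Suggest adding one sentence to that effect so readers do not assume that merely distributing an external ID protects a cross-account role, and, since the value is compared in a policy condition rather than kept secret like a credential, the "passphrase" wording could be softened to make clear it is an identifier for the confused-deputy case rather than an authentication secret.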
@@ -506,7 +535,7 @@ module Aws::STS
|
|
506
535
|
# resp = client.assume_role({
|
507
536
|
# duration_seconds: 3600,
|
508
537
|
# external_id: "123ABC",
|
509
|
-
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3
|
538
|
+
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
|
510
539
|
# role_arn: "arn:aws:iam::123456789012:role/demo",
|
511
540
|
# role_session_name: "Bob",
|
512
541
|
# })
|
@@ -531,6 +560,11 @@ module Aws::STS
|
|
531
560
|
# resp = client.assume_role({
|
532
561
|
# role_arn: "arnType", # required
|
533
562
|
# role_session_name: "roleSessionNameType", # required
|
563
|
+
# policy_arns: [
|
564
|
+
# {
|
565
|
+
# arn: "arnType",
|
566
|
+
# },
|
567
|
+
# ],
|
534
568
|
# policy: "sessionPolicyDocumentType",
|
535
569
|
# duration_seconds: 1,
|
536
570
|
# external_id: "externalIdType",
|
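Review bot: the request-syntax example now shows `policy_arns` as an array of `{ arn: "arnType" }` hashes placed before `policy`, matching the `Array<Types::PolicyDescriptorType>` option documented above and the order in which the options are listed. Note for callers reading this: the SDK does not enforce the documented cap of 10 managed-policy ARNs or the 2048-character combined plain-text guideline client-side; STS enforces the packed size and reports headroom through the `PackedPolicySize` response element, so code that composes session policies dynamically should check that value rather than rely on a local character count.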
@@ -589,18 +623,22 @@ module Aws::STS
|
|
589
623
|
#
|
590
624
|
# The temporary security credentials created by `AssumeRoleWithSAML` can
|
591
625
|
# be used to make API calls to any AWS service with the following
|
592
|
-
# exception: you cannot call the STS
|
626
|
+
# exception: you cannot call the STS `GetFederationToken` or
|
593
627
|
# `GetSessionToken` API operations.
|
594
628
|
#
|
595
|
-
#
|
596
|
-
#
|
597
|
-
#
|
598
|
-
#
|
599
|
-
#
|
600
|
-
#
|
601
|
-
#
|
602
|
-
#
|
603
|
-
#
|
629
|
+
# (Optional) You can pass inline or managed [session policies][5] to
|
630
|
+
# this operation. You can pass a single JSON policy document to use as
|
631
|
+
# an inline session policy. You can also specify up to 10 managed
|
632
|
+
# policies to use as managed session policies. The plain text that you
|
633
|
+
# use for both inline and managed session policies shouldn't exceed
|
634
|
+
# 2048 characters. Passing policies to this operation returns new
|
635
|
+
# temporary credentials. The resulting session's permissions are the
|
636
|
+
# intersection of the role's identity-based policy and the session
|
637
|
+
# policies. You can use the role's temporary credentials in subsequent
|
638
|
+
# AWS API calls to access resources in the account that owns the role.
|
639
|
+
# You cannot use session policies to grant more permissions than those
|
640
|
+
# allowed by the identity-based policy of the role that is being
|
641
|
+
# assumed. For more information, see [Session Policies][6] in the *IAM
|
604
642
|
# User Guide*.
|
605
643
|
#
|
606
644
|
# Before your application can call `AssumeRoleWithSAML`, you must
|
@@ -617,20 +655,20 @@ module Aws::STS
|
|
617
655
|
#
|
618
656
|
# Calling `AssumeRoleWithSAML` can result in an entry in your AWS
|
619
657
|
# CloudTrail logs. The entry includes the value in the `NameID` element
|
620
|
-
# of the SAML assertion. We recommend that you use a NameIDType that
|
621
|
-
# not associated with any personally identifiable information (PII).
|
622
|
-
# example, you could instead use the Persistent Identifier
|
658
|
+
# of the SAML assertion. We recommend that you use a `NameIDType` that
|
659
|
+
# is not associated with any personally identifiable information (PII).
|
660
|
+
# For example, you could instead use the Persistent Identifier
|
623
661
|
# (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
|
624
662
|
#
|
625
663
|
# For more information, see the following resources:
|
626
664
|
#
|
627
|
-
# * [About SAML 2.0-based Federation][
|
665
|
+
# * [About SAML 2.0-based Federation][7] in the *IAM User Guide*.
|
628
666
|
#
|
629
|
-
# * [Creating SAML Identity Providers][
|
667
|
+
# * [Creating SAML Identity Providers][8] in the *IAM User Guide*.
|
630
668
|
#
|
631
|
-
# * [Configuring a Relying Party and Claims][
|
669
|
+
# * [Configuring a Relying Party and Claims][9] in the *IAM User Guide*.
|
632
670
|
#
|
633
|
-
# * [Creating a Role for SAML 2.0 Federation][
|
671
|
+
# * [Creating a Role for SAML 2.0 Federation][10] in the *IAM User
|
634
672
|
# Guide*.
|
635
673
|
#
|
636
674
|
#
|
@@ -639,11 +677,12 @@ module Aws::STS
|
|
639
677
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
640
678
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
641
679
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
642
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
643
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
644
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
645
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
646
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
680
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
681
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
682
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
|
683
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
|
684
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
|
685
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
|
647
686
|
#
|
648
687
|
# @option params [required, String] :role_arn
|
649
688
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
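Review bot: footnote `[6]` in the `AssumeRoleWithSAML` docstring is the malformed `https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session` and duplicates `[5]`, which already points at the correct Session Policies anchor; fix the URL or merge the two footnotes. The new `[7]` through `[10]` entries for the SAML provider pages line up with the renumbered references in the preceding hunk, so those are fine.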
@@ -663,37 +702,73 @@ module Aws::STS
|
|
663
702
|
#
|
664
703
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
|
665
704
|
#
|
666
|
-
# @option params [
|
667
|
-
#
|
668
|
-
#
|
669
|
-
#
|
670
|
-
#
|
671
|
-
#
|
672
|
-
#
|
673
|
-
#
|
674
|
-
#
|
675
|
-
#
|
676
|
-
#
|
677
|
-
#
|
705
|
+
# @option params [Array<Types::PolicyDescriptorType>] :policy_arns
|
706
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that you
|
707
|
+
# want to use as managed session policies. The policies must exist in
|
708
|
+
# the same account as the role.
|
709
|
+
#
|
710
|
+
# This parameter is optional. You can provide up to 10 managed policy
|
711
|
+
# ARNs. However, the plain text that you use for both inline and managed
|
712
|
+
# session policies shouldn't exceed 2048 characters. For more
|
713
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
714
|
+
# Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in
|
715
|
+
# the AWS General Reference.
|
716
|
+
#
|
717
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
718
|
+
# session policy guideline. However, an AWS conversion compresses the
|
719
|
+
# session policies into a packed binary format that has a separate
|
720
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
721
|
+
# element indicates by percentage how close the policy is to the upper
|
722
|
+
# size limit.
|
678
723
|
#
|
679
|
-
#
|
680
|
-
#
|
724
|
+
# </note>
|
725
|
+
#
|
726
|
+
# Passing policies to this operation returns new temporary credentials.
|
727
|
+
# The resulting session's permissions are the intersection of the
|
728
|
+
# role's identity-based policy and the session policies. You can use
|
729
|
+
# the role's temporary credentials in subsequent AWS API calls to
|
730
|
+
# access resources in the account that owns the role. You cannot use
|
731
|
+
# session policies to grant more permissions than those allowed by the
|
732
|
+
# identity-based policy of the role that is being assumed. For more
|
733
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
734
|
+
#
|
735
|
+
#
|
736
|
+
#
|
737
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
738
|
+
#
|
739
|
+
# @option params [String] :policy
|
740
|
+
# An IAM policy in JSON format that you want to use as an inline session
|
741
|
+
# policy.
|
742
|
+
#
|
743
|
+
# This parameter is optional. Passing policies to this operation returns
|
744
|
+
# new temporary credentials. The resulting session's permissions are
|
745
|
+
# the intersection of the role's identity-based policy and the session
|
746
|
+
# policies. You can use the role's temporary credentials in subsequent
|
747
|
+
# AWS API calls to access resources in the account that owns the role.
|
748
|
+
# You cannot use session policies to grant more permissions than those
|
749
|
+
# allowed by the identity-based policy of the role that is being
|
750
|
+
# assumed. For more information, see [Session Policies][1] in the *IAM
|
751
|
+
# User Guide*.
|
752
|
+
#
|
753
|
+
# The plain text that you use for both inline and managed session
|
754
|
+
# policies shouldn't exceed 2048 characters. The JSON policy characters
|
681
755
|
# can be any ASCII character from the space character to the end of the
|
682
|
-
# valid character list (\\u0020
|
683
|
-
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
756
|
+
# valid character list (\\u0020 through \\u00FF). It can also include
|
757
|
+
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
684
758
|
# characters.
|
685
759
|
#
|
686
|
-
# <note markdown="1"> The
|
687
|
-
#
|
688
|
-
#
|
689
|
-
#
|
690
|
-
#
|
760
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
761
|
+
# session policy guideline. However, an AWS conversion compresses the
|
762
|
+
# session policies into a packed binary format that has a separate
|
763
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
764
|
+
# element indicates by percentage how close the policy is to the upper
|
765
|
+
# size limit.
|
691
766
|
#
|
692
767
|
# </note>
|
693
768
|
#
|
694
769
|
#
|
695
770
|
#
|
696
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
771
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
697
772
|
#
|
698
773
|
# @option params [Integer] :duration_seconds
|
699
774
|
# The duration, in seconds, of the role session. Your role session lasts
|
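Review bot: this hunk is the `AssumeRoleWithSAML` copy of the `:policy_arns`/`:policy` option docs and inherits the same two link defects: the relative `general/latest/gr/aws-arns-and-namespaces.html` link, which needs the absolute `https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html`, and the `[1]` footnotes with the duplicated `IAM/latest/UserGuide/` segment. Since the text is byte-for-byte the same block emitted three times in this file, it is clearly generated from one shared model definition, so a single upstream fix corrects all copies.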
@@ -743,6 +818,11 @@ module Aws::STS
|
|
743
818
|
# role_arn: "arnType", # required
|
744
819
|
# principal_arn: "arnType", # required
|
745
820
|
# saml_assertion: "SAMLAssertionType", # required
|
821
|
+
# policy_arns: [
|
822
|
+
# {
|
823
|
+
# arn: "arnType",
|
824
|
+
# },
|
825
|
+
# ],
|
746
826
|
# policy: "sessionPolicyDocumentType",
|
747
827
|
# duration_seconds: 1,
|
748
828
|
# })
|
@@ -783,7 +863,7 @@ module Aws::STS
|
|
783
863
|
# throughout the lifetime of an application.
|
784
864
|
#
|
785
865
|
# To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
|
786
|
-
# in
|
866
|
+
# in *AWS SDK for Android Developer Guide* and [Amazon Cognito
|
787
867
|
# Overview][4] in the *AWS SDK for iOS Developer Guide*.
|
788
868
|
#
|
789
869
|
# </note>
|
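Review bot: minor wording: "in *AWS SDK for Android Developer Guide*" is missing the article; "in the *AWS SDK for Android Developer Guide*" would match the parallel "in the *AWS SDK for iOS Developer Guide*" on the next line.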
@@ -821,17 +901,21 @@ module Aws::STS
|
|
821
901
|
# The temporary security credentials created by
|
822
902
|
# `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
|
823
903
|
# service with the following exception: you cannot call the STS
|
824
|
-
#
|
825
|
-
#
|
826
|
-
# (Optional) You can pass
|
827
|
-
#
|
828
|
-
#
|
829
|
-
#
|
830
|
-
#
|
831
|
-
#
|
832
|
-
#
|
833
|
-
#
|
834
|
-
#
|
904
|
+
# `GetFederationToken` or `GetSessionToken` API operations.
|
905
|
+
#
|
906
|
+
# (Optional) You can pass inline or managed [session policies][9] to
|
907
|
+
# this operation. You can pass a single JSON policy document to use as
|
908
|
+
# an inline session policy. You can also specify up to 10 managed
|
909
|
+
# policies to use as managed session policies. The plain text that you
|
910
|
+
# use for both inline and managed session policies shouldn't exceed
|
911
|
+
# 2048 characters. Passing policies to this operation returns new
|
912
|
+
# temporary credentials. The resulting session's permissions are the
|
913
|
+
# intersection of the role's identity-based policy and the session
|
914
|
+
# policies. You can use the role's temporary credentials in subsequent
|
915
|
+
# AWS API calls to access resources in the account that owns the role.
|
916
|
+
# You cannot use session policies to grant more permissions than those
|
917
|
+
# allowed by the identity-based policy of the role that is being
|
918
|
+
# assumed. For more information, see [Session Policies][10] in the *IAM
|
835
919
|
# User Guide*.
|
836
920
|
#
|
837
921
|
# Before your application can call `AssumeRoleWithWebIdentity`, you must
|
@@ -842,19 +926,19 @@ module Aws::STS
|
|
842
926
|
# specified in the role's trust policy.
|
843
927
|
#
|
844
928
|
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
|
845
|
-
# CloudTrail logs. The entry includes the [Subject][
|
929
|
+
# CloudTrail logs. The entry includes the [Subject][11] of the provided
|
846
930
|
# Web Identity Token. We recommend that you avoid using any personally
|
847
931
|
# identifiable information (PII) in this field. For example, you could
|
848
932
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
849
|
-
# specification][
|
933
|
+
# specification][12].
|
850
934
|
#
|
851
935
|
# For more information about how to use web identity federation and the
|
852
936
|
# `AssumeRoleWithWebIdentity` API, see the following resources:
|
853
937
|
#
|
854
|
-
# * [Using Web Identity Federation API Operations for Mobile Apps][
|
855
|
-
# and [Federation Through a Web-based Identity Provider][
|
938
|
+
# * [Using Web Identity Federation API Operations for Mobile Apps][13]
|
939
|
+
# and [Federation Through a Web-based Identity Provider][14].
|
856
940
|
#
|
857
|
-
# * [ Web Identity Federation Playground][
|
941
|
+
# * [ Web Identity Federation Playground][15]. Walk through the process
|
858
942
|
# of authenticating through Login with Amazon, Facebook, or Google,
|
859
943
|
# getting temporary security credentials, and then using those
|
860
944
|
# credentials to make a request to AWS.
|
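Review bot: `[ Web Identity Federation Playground][15]` has a stray leading space inside the link text, which renders as a visibly indented link; it should be `[Web Identity Federation Playground][15]`. The new guidance in this hunk about the CloudTrail entry carrying the token's `Subject` and the recommendation to use a GUID or pairwise identifier instead of PII is a sound privacy point and reads correctly.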
@@ -865,7 +949,7 @@ module Aws::STS
|
|
865
949
|
# information from these providers to get and use temporary security
|
866
950
|
# credentials.
|
867
951
|
#
|
868
|
-
# * [Web Identity Federation with Mobile Applications][
|
952
|
+
# * [Web Identity Federation with Mobile Applications][16]. This article
|
869
953
|
# discusses web identity federation and shows an example of how to use
|
870
954
|
# web identity federation to get access to content in Amazon S3.
|
871
955
|
#
|
@@ -879,13 +963,14 @@ module Aws::STS
|
|
879
963
|
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
880
964
|
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
881
965
|
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
882
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
883
|
-
# [10]:
|
884
|
-
# [11]: http://openid.net/specs/openid-connect-core-1_0.html#
|
885
|
-
# [12]:
|
886
|
-
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
887
|
-
# [14]: https://
|
888
|
-
# [15]:
|
966
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
967
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
968
|
+
# [11]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
|
969
|
+
# [12]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
970
|
+
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
|
971
|
+
# [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
972
|
+
# [15]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
|
973
|
+
# [16]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
889
974
|
#
|
890
975
|
# @option params [required, String] :role_arn
|
891
976
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
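Review bot: footnote `[10]` in the `AssumeRoleWithWebIdentity` docstring is the malformed `https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session` and duplicates `[9]`, which has the correct URL. Separately, `[11]`, `[12]` and `[16]` are plain `http://` links to openid.net and aws.amazon.com; both hosts serve HTTPS, so the generated docs should use `https://` rather than send readers to an unencrypted page that then redirects.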
@@ -922,37 +1007,73 @@ module Aws::STS
|
|
922
1007
|
#
|
923
1008
|
# Do not specify this value for OpenID Connect ID tokens.
|
924
1009
|
#
|
925
|
-
# @option params [
|
926
|
-
#
|
927
|
-
#
|
928
|
-
#
|
929
|
-
#
|
930
|
-
#
|
931
|
-
#
|
932
|
-
#
|
933
|
-
#
|
934
|
-
#
|
935
|
-
#
|
936
|
-
#
|
1010
|
+
# @option params [Array<Types::PolicyDescriptorType>] :policy_arns
|
1011
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that you
|
1012
|
+
# want to use as managed session policies. The policies must exist in
|
1013
|
+
# the same account as the role.
|
1014
|
+
#
|
1015
|
+
# This parameter is optional. You can provide up to 10 managed policy
|
1016
|
+
# ARNs. However, the plain text that you use for both inline and managed
|
1017
|
+
# session policies shouldn't exceed 2048 characters. For more
|
1018
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
1019
|
+
# Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in
|
1020
|
+
# the AWS General Reference.
|
1021
|
+
#
|
1022
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
1023
|
+
# session policy guideline. However, an AWS conversion compresses the
|
1024
|
+
# session policies into a packed binary format that has a separate
|
1025
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
1026
|
+
# element indicates by percentage how close the policy is to the upper
|
1027
|
+
# size limit.
|
937
1028
|
#
|
938
|
-
#
|
939
|
-
#
|
1029
|
+
# </note>
|
1030
|
+
#
|
1031
|
+
# Passing policies to this operation returns new temporary credentials.
|
1032
|
+
# The resulting session's permissions are the intersection of the
|
1033
|
+
# role's identity-based policy and the session policies. You can use
|
1034
|
+
# the role's temporary credentials in subsequent AWS API calls to
|
1035
|
+
# access resources in the account that owns the role. You cannot use
|
1036
|
+
# session policies to grant more permissions than those allowed by the
|
1037
|
+
# identity-based policy of the role that is being assumed. For more
|
1038
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
1039
|
+
#
|
1040
|
+
#
|
1041
|
+
#
|
1042
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
1043
|
+
#
|
1044
|
+
# @option params [String] :policy
|
1045
|
+
# An IAM policy in JSON format that you want to use as an inline session
|
1046
|
+
# policy.
|
1047
|
+
#
|
1048
|
+
# This parameter is optional. Passing policies to this operation returns
|
1049
|
+
# new temporary credentials. The resulting session's permissions are
|
1050
|
+
# the intersection of the role's identity-based policy and the session
|
1051
|
+
# policies. You can use the role's temporary credentials in subsequent
|
1052
|
+
# AWS API calls to access resources in the account that owns the role.
|
1053
|
+
# You cannot use session policies to grant more permissions than those
|
1054
|
+
# allowed by the identity-based policy of the role that is being
|
1055
|
+
# assumed. For more information, see [Session Policies][1] in the *IAM
|
1056
|
+
# User Guide*.
|
1057
|
+
#
|
1058
|
+
# The plain text that you use for both inline and managed session
|
1059
|
+
# policies shouldn't exceed 2048 characters. The JSON policy characters
|
940
1060
|
# can be any ASCII character from the space character to the end of the
|
941
|
-
# valid character list (\\u0020
|
942
|
-
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1061
|
+
# valid character list (\\u0020 through \\u00FF). It can also include
|
1062
|
+
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
943
1063
|
# characters.
|
944
1064
|
#
|
945
|
-
# <note markdown="1"> The
|
946
|
-
#
|
947
|
-
#
|
948
|
-
#
|
949
|
-
#
|
1065
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
1066
|
+
# session policy guideline. However, an AWS conversion compresses the
|
1067
|
+
# session policies into a packed binary format that has a separate
|
1068
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
1069
|
+
# element indicates by percentage how close the policy is to the upper
|
1070
|
+
# size limit.
|
950
1071
|
#
|
951
1072
|
# </note>
|
952
1073
|
#
|
953
1074
|
#
|
954
1075
|
#
|
955
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1076
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
956
1077
|
#
|
957
1078
|
# @option params [Integer] :duration_seconds
|
958
1079
|
# The duration, in seconds, of the role session. The value can range
|
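Review bot: two link problems in the new `:policy_arns` and `:policy` documentation. The inline link `[Amazon Resource Names (ARNs) and AWS Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html)` is a relative path with no base in generated API docs and needs the absolute `https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html`. The `[1]` footnote that appears under both options repeats a path segment (`https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session`) and should read `https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session`. Separately, the `<note markdown="1">` block about the 2048 character guideline and the separately enforced packed-size limit is pasted verbatim under both options; the security-relevant takeaway, that the packed size is the limit actually enforced and that `PackedPolicySize` in the response reports how close a session policy set is to it, would land better stated once for the operation rather than twice in identical words.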
@@ -996,6 +1117,7 @@ module Aws::STS
|
|
996
1117
|
#
|
997
1118
|
# resp = client.assume_role_with_web_identity({
|
998
1119
|
# duration_seconds: 3600,
|
1120
|
+
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
|
999
1121
|
# provider_id: "www.amazon.com",
|
1000
1122
|
# role_arn: "arn:aws:iam::123456789012:role/FederatedWebIdentityRole",
|
1001
1123
|
# role_session_name: "app1",
|
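Review bot: the example request now carries an inline `policy` that scopes the web-identity session down to `s3:ListAllMyBuckets`, but the `policy_arns` option introduced in this diff is not exercised by any example for this operation. A `policy_arns: [{ arn: ... }]` entry here, or a second sample request, would show readers the managed-policy form alongside the inline form, and make it clear that the resulting permissions are the intersection of the role policy and whichever session policies are supplied.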
@@ -1027,6 +1149,11 @@ module Aws::STS
|
|
1027
1149
|
# role_session_name: "roleSessionNameType", # required
|
1028
1150
|
# web_identity_token: "clientTokenType", # required
|
1029
1151
|
# provider_id: "urlType",
|
1152
|
+
# policy_arns: [
|
1153
|
+
# {
|
1154
|
+
# arn: "arnType",
|
1155
|
+
# },
|
1156
|
+
# ],
|
1030
1157
|
# policy: "sessionPolicyDocumentType",
|
1031
1158
|
# duration_seconds: 1,
|
1032
1159
|
# })
|
@@ -1249,18 +1376,27 @@ module Aws::STS
|
|
1249
1376
|
#
|
1250
1377
|
# **Permissions**
|
1251
1378
|
#
|
1252
|
-
# You must pass an
|
1253
|
-
#
|
1254
|
-
#
|
1255
|
-
#
|
1256
|
-
#
|
1257
|
-
#
|
1258
|
-
#
|
1259
|
-
#
|
1260
|
-
#
|
1261
|
-
#
|
1379
|
+
# You must pass an inline or managed [session policy][6] to this
|
1380
|
+
# operation. You can pass a single JSON policy document to use as an
|
1381
|
+
# inline session policy. You can also specify up to 10 managed policies
|
1382
|
+
# to use as managed session policies. The plain text that you use for
|
1383
|
+
# both inline and managed session policies shouldn't exceed 2048
|
1384
|
+
# characters.
|
1385
|
+
#
|
1386
|
+
# Though the session policy parameters are optional, if you do not pass
|
1387
|
+
# a policy, then the resulting federated user session has no
|
1388
|
+
# permissions. The only exception is when the credentials are used to
|
1389
|
+
# access a resource that has a resource-based policy that specifically
|
1390
|
+
# references the federated user session in the `Principal` element of
|
1391
|
+
# the policy. When you pass session policies, the session permissions
|
1392
|
+
# are the intersection of the IAM user policies and the session policies
|
1393
|
+
# that you pass. This gives you a way to further restrict the
|
1394
|
+
# permissions for a federated user. You cannot use session policies to
|
1395
|
+
# grant more permissions than those that are defined in the permissions
|
1396
|
+
# policy of the IAM user. For more information, see [Session
|
1397
|
+
# Policies][7] in the *IAM User Guide*. For information about using
|
1262
1398
|
# `GetFederationToken` to create temporary security credentials, see
|
1263
|
-
# [GetFederationToken—Federation Through a Custom Identity Broker][
|
1399
|
+
# [GetFederationToken—Federation Through a Custom Identity Broker][8].
|
1264
1400
|
#
|
1265
1401
|
#
|
1266
1402
|
#
|
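Review bot: the rewritten Permissions paragraph contradicts itself. `# You must pass an inline or managed [session policy][6] to this` is followed three sentences later by `# Though the session policy parameters are optional, if you do not pass` and `# a policy, then the resulting federated user session has no` permissions. The second statement describes what actually happens (the call succeeds and the session has no permissions except through a resource-based policy that names the federated user session in `Principal`), so `must` should be softened to `should` and the rationale, that an unscoped federated session is useless rather than dangerous, left as written. Stating both "must" and "optional" leaves a reader unsure whether an omitted policy is an error or an empty permission set.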
@@ -1269,8 +1405,9 @@ module Aws::STS
|
|
1269
1405
|
# [3]: http://aws.amazon.com/cognito/
|
1270
1406
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
1271
1407
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
|
1272
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1273
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1408
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1409
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
1410
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
|
1274
1411
|
#
|
1275
1412
|
# @option params [required, String] :name
|
1276
1413
|
# The name of the federated user. The name is used as an identifier for
|
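Review bot: `[7]` has the same doubled path segment as elsewhere in this file: `# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session`. Corrected, it is identical to `[6]` on the preceding line, so the Permissions paragraph can cite `[6]` for both mentions of session policies and `[7]` can be removed, with `[8]` renumbered accordingly.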
@@ -1284,37 +1421,93 @@ module Aws::STS
|
|
1284
1421
|
# characters: =,.@-
|
1285
1422
|
#
|
1286
1423
|
# @option params [String] :policy
|
1287
|
-
# An IAM policy in JSON format
|
1288
|
-
#
|
1289
|
-
#
|
1290
|
-
#
|
1291
|
-
#
|
1292
|
-
#
|
1293
|
-
#
|
1294
|
-
#
|
1295
|
-
#
|
1424
|
+
# An IAM policy in JSON format that you want to use as an inline session
|
1425
|
+
# policy.
|
1426
|
+
#
|
1427
|
+
# You must pass an inline or managed [session policy][1] to this
|
1428
|
+
# operation. You can pass a single JSON policy document to use as an
|
1429
|
+
# inline session policy. You can also specify up to 10 managed policies
|
1430
|
+
# to use as managed session policies.
|
1431
|
+
#
|
1432
|
+
# This parameter is optional. However, if you do not pass any session
|
1433
|
+
# policies, then the resulting federated user session has no
|
1434
|
+
# permissions. The only exception is when the credentials are used to
|
1435
|
+
# access a resource that has a resource-based policy that specifically
|
1436
|
+
# references the federated user session in the `Principal` element of
|
1437
|
+
# the policy.
|
1438
|
+
#
|
1439
|
+
# When you pass session policies, the session permissions are the
|
1440
|
+
# intersection of the IAM user policies and the session policies that
|
1441
|
+
# you pass. This gives you a way to further restrict the permissions for
|
1442
|
+
# a federated user. You cannot use session policies to grant more
|
1443
|
+
# permissions than those that are defined in the permissions policy of
|
1444
|
+
# the IAM user. For more information, see [Session Policies][2] in the
|
1445
|
+
# *IAM User Guide*.
|
1296
1446
|
#
|
1297
|
-
# The
|
1298
|
-
#
|
1447
|
+
# The plain text that you use for both inline and managed session
|
1448
|
+
# policies shouldn't exceed 2048 characters. The JSON policy characters
|
1299
1449
|
# can be any ASCII character from the space character to the end of the
|
1300
|
-
# valid character list (\\u0020
|
1301
|
-
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1450
|
+
# valid character list (\\u0020 through \\u00FF). It can also include
|
1451
|
+
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1302
1452
|
# characters.
|
1303
1453
|
#
|
1304
|
-
# <note markdown="1"> The
|
1305
|
-
#
|
1306
|
-
#
|
1307
|
-
#
|
1308
|
-
#
|
1454
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
1455
|
+
# session policy guideline. However, an AWS conversion compresses the
|
1456
|
+
# session policies into a packed binary format that has a separate
|
1457
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
1458
|
+
# element indicates by percentage how close the policy is to the upper
|
1459
|
+
# size limit.
|
1309
1460
|
#
|
1310
1461
|
# </note>
|
1311
1462
|
#
|
1312
|
-
#
|
1313
|
-
#
|
1463
|
+
#
|
1464
|
+
#
|
1465
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1466
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
1467
|
+
#
|
1468
|
+
# @option params [Array<Types::PolicyDescriptorType>] :policy_arns
|
1469
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that you
|
1470
|
+
# want to use as a managed session policy. The policies must exist in
|
1471
|
+
# the same account as the IAM user that is requesting federated access.
|
1472
|
+
#
|
1473
|
+
# You must pass an inline or managed [session policy][1] to this
|
1474
|
+
# operation. You can pass a single JSON policy document to use as an
|
1475
|
+
# inline session policy. You can also specify up to 10 managed policies
|
1476
|
+
# to use as managed session policies. The plain text that you use for
|
1477
|
+
# both inline and managed session policies shouldn't exceed 2048
|
1478
|
+
# characters. You can provide up to 10 managed policy ARNs. For more
|
1479
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
1480
|
+
# Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in
|
1481
|
+
# the AWS General Reference.
|
1482
|
+
#
|
1483
|
+
# This parameter is optional. However, if you do not pass any session
|
1484
|
+
# policies, then the resulting federated user session has no
|
1485
|
+
# permissions. The only exception is when the credentials are used to
|
1486
|
+
# access a resource that has a resource-based policy that specifically
|
1487
|
+
# references the federated user session in the `Principal` element of
|
1488
|
+
# the policy.
|
1489
|
+
#
|
1490
|
+
# When you pass session policies, the session permissions are the
|
1491
|
+
# intersection of the IAM user policies and the session policies that
|
1492
|
+
# you pass. This gives you a way to further restrict the permissions for
|
1493
|
+
# a federated user. You cannot use session policies to grant more
|
1494
|
+
# permissions than those that are defined in the permissions policy of
|
1495
|
+
# the IAM user. For more information, see [Session Policies][2] in the
|
1496
|
+
# *IAM User Guide*.
|
1497
|
+
#
|
1498
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
1499
|
+
# session policy guideline. However, an AWS conversion compresses the
|
1500
|
+
# session policies into a packed binary format that has a separate
|
1501
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
1502
|
+
# element indicates by percentage how close the policy is to the upper
|
1503
|
+
# size limit.
|
1504
|
+
#
|
1505
|
+
# </note>
|
1314
1506
|
#
|
1315
1507
|
#
|
1316
1508
|
#
|
1317
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1509
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1510
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
1318
1511
|
#
|
1319
1512
|
# @option params [Integer] :duration_seconds
|
1320
1513
|
# The duration, in seconds, that the session should last. Acceptable
|
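Review bot: several consistency problems in the new `:policy` and `:policy_arns` text for `get_federation_token`. The `:policy_arns` summary says `want to use as a managed session policy`, singular, while the same option on `assume_role_with_web_identity` says `managed session policies`; the plural fits, since up to 10 ARNs are accepted. Within the `:policy_arns` paragraph, `You can also specify up to 10 managed policies` is followed three lines later by `You can provide up to 10 managed policy ARNs`, so one of the two should go. Both options open with `You must pass an inline or managed [session policy][1]` and then say `This parameter is optional`; as in the operation summary, `must` should become `should`, because the text itself says the call succeeds with a permissionless session. The General Reference link is again relative (`general/latest/gr/aws-arns-and-namespaces.html`) and the `[2]` footnote again repeats `IAM/latest/UserGuide/`; both should be the absolute, single-segment URLs. Finally the `<note markdown="1">` block on the packed-size limit now appears three times in this operation's doc comment; one placement in the operation summary would cover all three.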
@@ -1337,7 +1530,7 @@ module Aws::STS
|
|
1337
1530
|
# resp = client.get_federation_token({
|
1338
1531
|
# duration_seconds: 3600,
|
1339
1532
|
# name: "Bob",
|
1340
|
-
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3
|
1533
|
+
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
|
1341
1534
|
# })
|
1342
1535
|
#
|
1343
1536
|
# resp.to_h outputs the following:
|
@@ -1360,6 +1553,11 @@ module Aws::STS
|
|
1360
1553
|
# resp = client.get_federation_token({
|
1361
1554
|
# name: "userNameType", # required
|
1362
1555
|
# policy: "sessionPolicyDocumentType",
|
1556
|
+
# policy_arns: [
|
1557
|
+
# {
|
1558
|
+
# arn: "arnType",
|
1559
|
+
# },
|
1560
|
+
# ],
|
1363
1561
|
# duration_seconds: 1,
|
1364
1562
|
# })
|
1365
1563
|
#
|
@@ -1398,13 +1596,13 @@ module Aws::STS
|
|
1398
1596
|
# *IAM User Guide*.
|
1399
1597
|
#
|
1400
1598
|
# The `GetSessionToken` operation must be called by using the long-term
|
1401
|
-
# AWS security credentials of the AWS account or an IAM user.
|
1599
|
+
# AWS security credentials of the AWS account root user or an IAM user.
|
1402
1600
|
# Credentials that are created by IAM users are valid for the duration
|
1403
1601
|
# that you specify. This duration can range from 900 seconds (15
|
1404
1602
|
# minutes) up to a maximum of 129,600 seconds (36 hours), with a default
|
1405
|
-
# of 43,200 seconds (12 hours). Credentials
|
1406
|
-
#
|
1407
|
-
#
|
1603
|
+
# of 43,200 seconds (12 hours). Credentials based on account credentials
|
1604
|
+
# can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour),
|
1605
|
+
# with a default of 1 hour.
|
1408
1606
|
#
|
1409
1607
|
# The temporary security credentials created by `GetSessionToken` can be
|
1410
1608
|
# used to make API calls to any AWS service with the following
|
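Review bot: terminology drifts within the paragraph. The first changed line now reads `# AWS security credentials of the AWS account root user or an IAM user.`, but the added sentence `# of 43,200 seconds (12 hours). Credentials based on account credentials` / `# can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour),` falls back to `account credentials`. Saying `root user credentials` there too ties the shorter 1 hour cap unambiguously to the root user case and matches the wording introduced in this same hunk.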
@@ -1423,14 +1621,13 @@ module Aws::STS
|
|
1423
1621
|
#
|
1424
1622
|
# </note>
|
1425
1623
|
#
|
1426
|
-
# The
|
1427
|
-
#
|
1428
|
-
#
|
1429
|
-
#
|
1430
|
-
#
|
1431
|
-
#
|
1432
|
-
#
|
1433
|
-
# IAM user.
|
1624
|
+
# The credentials that are returned by `GetSessionToken` are based on
|
1625
|
+
# permissions associated with the user whose credentials were used to
|
1626
|
+
# call the operation. If `GetSessionToken` is called using AWS account
|
1627
|
+
# root user credentials, the temporary credentials have root user
|
1628
|
+
# permissions. Similarly, if `GetSessionToken` is called using the
|
1629
|
+
# credentials of an IAM user, the temporary credentials have the same
|
1630
|
+
# permissions as the IAM user.
|
1434
1631
|
#
|
1435
1632
|
# For more information about using `GetSessionToken` to create temporary
|
1436
1633
|
# credentials, go to [Temporary Credentials for Users in Untrusted
|
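Review bot: the rewritten paragraph now states plainly that `GetSessionToken` called with root user credentials returns temporary credentials with root user permissions. Combined with the lifetime stated earlier in this doc comment (up to 3,600 seconds for root), that means a session token minted from root credentials carries full account authority for its whole life, with no scoping parameter on this operation to narrow it. A short sentence here directing readers to use an IAM user or role instead of the root user for this call would give the paragraph its practical conclusion rather than leaving the reader to infer it.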
@@ -1537,7 +1734,7 @@ module Aws::STS
|
|
1537
1734
|
params: params,
|
1538
1735
|
config: config)
|
1539
1736
|
context[:gem_name] = 'aws-sdk-core'
|
1540
|
-
context[:gem_version] = '3.
|
1737
|
+
context[:gem_version] = '3.51.0'
|
1541
1738
|
Seahorse::Client::Request.new(handlers, context)
|
1542
1739
|
end
|
1543
1740
|
|