aws-sdk-core 3.50.0 → 3.51.0
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +420 -223
- data/lib/aws-sdk-sts/client_api.rb +11 -0
- data/lib/aws-sdk-sts/types.rb +327 -115
- metadata +2 -2
@@ -38,6 +38,7 @@ module Aws::STS
|
|
38
38
|
MalformedPolicyDocumentException = Shapes::StructureShape.new(name: 'MalformedPolicyDocumentException')
|
39
39
|
NameQualifier = Shapes::StringShape.new(name: 'NameQualifier')
|
40
40
|
PackedPolicyTooLargeException = Shapes::StructureShape.new(name: 'PackedPolicyTooLargeException')
|
41
|
+
PolicyDescriptorType = Shapes::StructureShape.new(name: 'PolicyDescriptorType')
|
41
42
|
RegionDisabledException = Shapes::StructureShape.new(name: 'RegionDisabledException')
|
42
43
|
SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
|
43
44
|
Subject = Shapes::StringShape.new(name: 'Subject')
|
@@ -62,6 +63,7 @@ module Aws::STS
|
|
62
63
|
malformedPolicyDocumentMessage = Shapes::StringShape.new(name: 'malformedPolicyDocumentMessage')
|
63
64
|
nonNegativeIntegerType = Shapes::IntegerShape.new(name: 'nonNegativeIntegerType')
|
64
65
|
packedPolicyTooLargeMessage = Shapes::StringShape.new(name: 'packedPolicyTooLargeMessage')
|
66
|
+
policyDescriptorListType = Shapes::ListShape.new(name: 'policyDescriptorListType')
|
65
67
|
regionDisabledMessage = Shapes::StringShape.new(name: 'regionDisabledMessage')
|
66
68
|
roleDurationSecondsType = Shapes::IntegerShape.new(name: 'roleDurationSecondsType')
|
67
69
|
roleSessionNameType = Shapes::StringShape.new(name: 'roleSessionNameType')
|
@@ -76,6 +78,7 @@ module Aws::STS
|
|
76
78
|
|
77
79
|
AssumeRoleRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
|
78
80
|
AssumeRoleRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
|
81
|
+
AssumeRoleRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
|
79
82
|
AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
|
80
83
|
AssumeRoleRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
|
81
84
|
AssumeRoleRequest.add_member(:external_id, Shapes::ShapeRef.new(shape: externalIdType, location_name: "ExternalId"))
|
@@ -91,6 +94,7 @@ module Aws::STS
|
|
91
94
|
AssumeRoleWithSAMLRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
|
92
95
|
AssumeRoleWithSAMLRequest.add_member(:principal_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "PrincipalArn"))
|
93
96
|
AssumeRoleWithSAMLRequest.add_member(:saml_assertion, Shapes::ShapeRef.new(shape: SAMLAssertionType, required: true, location_name: "SAMLAssertion"))
|
97
|
+
AssumeRoleWithSAMLRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
|
94
98
|
AssumeRoleWithSAMLRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
|
95
99
|
AssumeRoleWithSAMLRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
|
96
100
|
AssumeRoleWithSAMLRequest.struct_class = Types::AssumeRoleWithSAMLRequest
|
@@ -109,6 +113,7 @@ module Aws::STS
|
|
109
113
|
AssumeRoleWithWebIdentityRequest.add_member(:role_session_name, Shapes::ShapeRef.new(shape: roleSessionNameType, required: true, location_name: "RoleSessionName"))
|
110
114
|
AssumeRoleWithWebIdentityRequest.add_member(:web_identity_token, Shapes::ShapeRef.new(shape: clientTokenType, required: true, location_name: "WebIdentityToken"))
|
111
115
|
AssumeRoleWithWebIdentityRequest.add_member(:provider_id, Shapes::ShapeRef.new(shape: urlType, location_name: "ProviderId"))
|
116
|
+
AssumeRoleWithWebIdentityRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
|
112
117
|
AssumeRoleWithWebIdentityRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
|
113
118
|
AssumeRoleWithWebIdentityRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
|
114
119
|
AssumeRoleWithWebIdentityRequest.struct_class = Types::AssumeRoleWithWebIdentityRequest
|
@@ -150,6 +155,7 @@ module Aws::STS
|
|
150
155
|
|
151
156
|
GetFederationTokenRequest.add_member(:name, Shapes::ShapeRef.new(shape: userNameType, required: true, location_name: "Name"))
|
152
157
|
GetFederationTokenRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
|
158
|
+
GetFederationTokenRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
|
153
159
|
GetFederationTokenRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: durationSecondsType, location_name: "DurationSeconds"))
|
154
160
|
GetFederationTokenRequest.struct_class = Types::GetFederationTokenRequest
|
155
161
|
|
@@ -166,6 +172,11 @@ module Aws::STS
|
|
166
172
|
GetSessionTokenResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
|
167
173
|
GetSessionTokenResponse.struct_class = Types::GetSessionTokenResponse
|
168
174
|
|
175
|
+
PolicyDescriptorType.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, location_name: "arn"))
|
176
|
+
PolicyDescriptorType.struct_class = Types::PolicyDescriptorType
|
177
|
+
|
178
|
+
policyDescriptorListType.member = Shapes::ShapeRef.new(shape: PolicyDescriptorType)
|
179
|
+
|
169
180
|
|
170
181
|
# @api private
|
171
182
|
API = Seahorse::Model::Api.new.tap do |api|
|
data/lib/aws-sdk-sts/types.rb
CHANGED
@@ -14,6 +14,11 @@ module Aws::STS
|
|
14
14
|
# {
|
15
15
|
# role_arn: "arnType", # required
|
16
16
|
# role_session_name: "roleSessionNameType", # required
|
17
|
+
# policy_arns: [
|
18
|
+
# {
|
19
|
+
# arn: "arnType",
|
20
|
+
# },
|
21
|
+
# ],
|
17
22
|
# policy: "sessionPolicyDocumentType",
|
18
23
|
# duration_seconds: 1,
|
19
24
|
# external_id: "externalIdType",
|
@@ -43,37 +48,75 @@ module Aws::STS
|
|
43
48
|
# characters: =,.@-
|
44
49
|
# @return [String]
|
45
50
|
#
|
46
|
-
# @!attribute [rw]
|
47
|
-
#
|
48
|
-
#
|
49
|
-
#
|
50
|
-
#
|
51
|
-
#
|
52
|
-
#
|
53
|
-
#
|
54
|
-
#
|
55
|
-
#
|
56
|
-
#
|
57
|
-
#
|
51
|
+
# @!attribute [rw] policy_arns
|
52
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that
|
53
|
+
# you want to use as managed session policies. The policies must exist
|
54
|
+
# in the same account as the role.
|
55
|
+
#
|
56
|
+
# This parameter is optional. You can provide up to 10 managed policy
|
57
|
+
# ARNs. However, the plain text that you use for both inline and
|
58
|
+
# managed session policies shouldn't exceed 2048 characters. For more
|
59
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
60
|
+
# Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html)
|
61
|
+
# in the AWS General Reference.
|
62
|
+
#
|
63
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
64
|
+
# session policy guideline. However, an AWS conversion compresses the
|
65
|
+
# session policies into a packed binary format that has a separate
|
66
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
67
|
+
# element indicates by percentage how close the policy is to the upper
|
68
|
+
# size limit.
|
58
69
|
#
|
59
|
-
#
|
60
|
-
#
|
70
|
+
# </note>
|
71
|
+
#
|
72
|
+
# Passing policies to this operation returns new temporary
|
73
|
+
# credentials. The resulting session's permissions are the
|
74
|
+
# intersection of the role's identity-based policy and the session
|
75
|
+
# policies. You can use the role's temporary credentials in
|
76
|
+
# subsequent AWS API calls to access resources in the account that
|
77
|
+
# owns the role. You cannot use session policies to grant more
|
78
|
+
# permissions than those allowed by the identity-based policy of the
|
79
|
+
# role that is being assumed. For more information, see [Session
|
80
|
+
# Policies][1] in the *IAM User Guide*.
|
81
|
+
#
|
82
|
+
#
|
83
|
+
#
|
84
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
85
|
+
# @return [Array<Types::PolicyDescriptorType>]
|
86
|
+
#
|
87
|
+
# @!attribute [rw] policy
|
88
|
+
# An IAM policy in JSON format that you want to use as an inline
|
89
|
+
# session policy.
|
90
|
+
#
|
91
|
+
# This parameter is optional. Passing policies to this operation
|
92
|
+
# returns new temporary credentials. The resulting session's
|
93
|
+
# permissions are the intersection of the role's identity-based
|
94
|
+
# policy and the session policies. You can use the role's temporary
|
95
|
+
# credentials in subsequent AWS API calls to access resources in the
|
96
|
+
# account that owns the role. You cannot use session policies to grant
|
97
|
+
# more permissions than those allowed by the identity-based policy of
|
98
|
+
# the role that is being assumed. For more information, see [Session
|
99
|
+
# Policies][1] in the *IAM User Guide*.
|
100
|
+
#
|
101
|
+
# The plain text that you use for both inline and managed session
|
102
|
+
# policies shouldn't exceed 2048 characters. The JSON policy
|
61
103
|
# characters can be any ASCII character from the space character to
|
62
|
-
# the end of the valid character list (\\u0020
|
63
|
-
# include the tab (\\u0009), linefeed (\\u000A), and carriage
|
64
|
-
# (\\u000D) characters.
|
104
|
+
# the end of the valid character list (\\u0020 through \\u00FF). It
|
105
|
+
# can also include the tab (\\u0009), linefeed (\\u000A), and carriage
|
106
|
+
# return (\\u000D) characters.
|
65
107
|
#
|
66
|
-
# <note markdown="1"> The
|
67
|
-
#
|
68
|
-
#
|
69
|
-
#
|
70
|
-
#
|
108
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
109
|
+
# session policy guideline. However, an AWS conversion compresses the
|
110
|
+
# session policies into a packed binary format that has a separate
|
111
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
112
|
+
# element indicates by percentage how close the policy is to the upper
|
113
|
+
# size limit.
|
71
114
|
#
|
72
115
|
# </note>
|
73
116
|
#
|
74
117
|
#
|
75
118
|
#
|
76
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
119
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
77
120
|
# @return [String]
|
78
121
|
#
|
79
122
|
# @!attribute [rw] duration_seconds
|
@@ -110,14 +153,14 @@ module Aws::STS
|
|
110
153
|
# another account. If the administrator of the account to which the
|
111
154
|
# role belongs provided you with an external ID, then provide that
|
112
155
|
# value in the `ExternalId` parameter. This value can be any string,
|
113
|
-
# such as a passphrase or account number.
|
114
|
-
#
|
115
|
-
# of the trusting account might send an external ID to
|
116
|
-
# administrator of the trusted account. That way, only someone
|
117
|
-
# the ID can assume the role, rather than everyone in the
|
118
|
-
# more information about the external ID, see [How to Use
|
119
|
-
# ID When Granting Access to Your AWS Resources to a Third
|
120
|
-
# in the *IAM User Guide*.
|
156
|
+
# such as a passphrase or account number. A cross-account role is
|
157
|
+
# usually set up to trust everyone in an account. Therefore, the
|
158
|
+
# administrator of the trusting account might send an external ID to
|
159
|
+
# the administrator of the trusted account. That way, only someone
|
160
|
+
# with the ID can assume the role, rather than everyone in the
|
161
|
+
# account. For more information about the external ID, see [How to Use
|
162
|
+
# an External ID When Granting Access to Your AWS Resources to a Third
|
163
|
+
# Party][1] in the *IAM User Guide*.
|
121
164
|
#
|
122
165
|
# The regex used to validate this parameter is a string of characters
|
123
166
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -160,6 +203,7 @@ module Aws::STS
|
|
160
203
|
class AssumeRoleRequest < Struct.new(
|
161
204
|
:role_arn,
|
162
205
|
:role_session_name,
|
206
|
+
:policy_arns,
|
163
207
|
:policy,
|
164
208
|
:duration_seconds,
|
165
209
|
:external_id,
|
@@ -177,9 +221,7 @@ module Aws::STS
|
|
177
221
|
#
|
178
222
|
# <note markdown="1"> The size of the security token that STS API operations return is not
|
179
223
|
# fixed. We strongly recommend that you make no assumptions about the
|
180
|
-
# maximum size.
|
181
|
-
# bytes, but that can vary. Also, future updates to AWS might require
|
182
|
-
# larger sizes.
|
224
|
+
# maximum size.
|
183
225
|
#
|
184
226
|
# </note>
|
185
227
|
# @return [Types::Credentials]
|
@@ -215,6 +257,11 @@ module Aws::STS
|
|
215
257
|
# role_arn: "arnType", # required
|
216
258
|
# principal_arn: "arnType", # required
|
217
259
|
# saml_assertion: "SAMLAssertionType", # required
|
260
|
+
# policy_arns: [
|
261
|
+
# {
|
262
|
+
# arn: "arnType",
|
263
|
+
# },
|
264
|
+
# ],
|
218
265
|
# policy: "sessionPolicyDocumentType",
|
219
266
|
# duration_seconds: 1,
|
220
267
|
# }
|
@@ -241,37 +288,75 @@ module Aws::STS
|
|
241
288
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
|
242
289
|
# @return [String]
|
243
290
|
#
|
244
|
-
# @!attribute [rw]
|
245
|
-
#
|
246
|
-
#
|
247
|
-
#
|
248
|
-
#
|
249
|
-
#
|
250
|
-
#
|
251
|
-
#
|
252
|
-
#
|
253
|
-
#
|
254
|
-
#
|
255
|
-
#
|
291
|
+
# @!attribute [rw] policy_arns
|
292
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that
|
293
|
+
# you want to use as managed session policies. The policies must exist
|
294
|
+
# in the same account as the role.
|
295
|
+
#
|
296
|
+
# This parameter is optional. You can provide up to 10 managed policy
|
297
|
+
# ARNs. However, the plain text that you use for both inline and
|
298
|
+
# managed session policies shouldn't exceed 2048 characters. For more
|
299
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
300
|
+
# Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html)
|
301
|
+
# in the AWS General Reference.
|
302
|
+
#
|
303
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
304
|
+
# session policy guideline. However, an AWS conversion compresses the
|
305
|
+
# session policies into a packed binary format that has a separate
|
306
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
307
|
+
# element indicates by percentage how close the policy is to the upper
|
308
|
+
# size limit.
|
256
309
|
#
|
257
|
-
#
|
258
|
-
#
|
310
|
+
# </note>
|
311
|
+
#
|
312
|
+
# Passing policies to this operation returns new temporary
|
313
|
+
# credentials. The resulting session's permissions are the
|
314
|
+
# intersection of the role's identity-based policy and the session
|
315
|
+
# policies. You can use the role's temporary credentials in
|
316
|
+
# subsequent AWS API calls to access resources in the account that
|
317
|
+
# owns the role. You cannot use session policies to grant more
|
318
|
+
# permissions than those allowed by the identity-based policy of the
|
319
|
+
# role that is being assumed. For more information, see [Session
|
320
|
+
# Policies][1] in the *IAM User Guide*.
|
321
|
+
#
|
322
|
+
#
|
323
|
+
#
|
324
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
325
|
+
# @return [Array<Types::PolicyDescriptorType>]
|
326
|
+
#
|
327
|
+
# @!attribute [rw] policy
|
328
|
+
# An IAM policy in JSON format that you want to use as an inline
|
329
|
+
# session policy.
|
330
|
+
#
|
331
|
+
# This parameter is optional. Passing policies to this operation
|
332
|
+
# returns new temporary credentials. The resulting session's
|
333
|
+
# permissions are the intersection of the role's identity-based
|
334
|
+
# policy and the session policies. You can use the role's temporary
|
335
|
+
# credentials in subsequent AWS API calls to access resources in the
|
336
|
+
# account that owns the role. You cannot use session policies to grant
|
337
|
+
# more permissions than those allowed by the identity-based policy of
|
338
|
+
# the role that is being assumed. For more information, see [Session
|
339
|
+
# Policies][1] in the *IAM User Guide*.
|
340
|
+
#
|
341
|
+
# The plain text that you use for both inline and managed session
|
342
|
+
# policies shouldn't exceed 2048 characters. The JSON policy
|
259
343
|
# characters can be any ASCII character from the space character to
|
260
|
-
# the end of the valid character list (\\u0020
|
261
|
-
# include the tab (\\u0009), linefeed (\\u000A), and carriage
|
262
|
-
# (\\u000D) characters.
|
344
|
+
# the end of the valid character list (\\u0020 through \\u00FF). It
|
345
|
+
# can also include the tab (\\u0009), linefeed (\\u000A), and carriage
|
346
|
+
# return (\\u000D) characters.
|
263
347
|
#
|
264
|
-
# <note markdown="1"> The
|
265
|
-
#
|
266
|
-
#
|
267
|
-
#
|
268
|
-
#
|
348
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
349
|
+
# session policy guideline. However, an AWS conversion compresses the
|
350
|
+
# session policies into a packed binary format that has a separate
|
351
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
352
|
+
# element indicates by percentage how close the policy is to the upper
|
353
|
+
# size limit.
|
269
354
|
#
|
270
355
|
# </note>
|
271
356
|
#
|
272
357
|
#
|
273
358
|
#
|
274
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
359
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
275
360
|
# @return [String]
|
276
361
|
#
|
277
362
|
# @!attribute [rw] duration_seconds
|
@@ -313,6 +398,7 @@ module Aws::STS
|
|
313
398
|
:role_arn,
|
314
399
|
:principal_arn,
|
315
400
|
:saml_assertion,
|
401
|
+
:policy_arns,
|
316
402
|
:policy,
|
317
403
|
:duration_seconds)
|
318
404
|
include Aws::Structure
|
@@ -328,9 +414,7 @@ module Aws::STS
|
|
328
414
|
#
|
329
415
|
# <note markdown="1"> The size of the security token that STS API operations return is not
|
330
416
|
# fixed. We strongly recommend that you make no assumptions about the
|
331
|
-
# maximum size.
|
332
|
-
# bytes, but that can vary. Also, future updates to AWS might require
|
333
|
-
# larger sizes.
|
417
|
+
# maximum size.
|
334
418
|
#
|
335
419
|
# </note>
|
336
420
|
# @return [Types::Credentials]
|
@@ -407,6 +491,11 @@ module Aws::STS
|
|
407
491
|
# role_session_name: "roleSessionNameType", # required
|
408
492
|
# web_identity_token: "clientTokenType", # required
|
409
493
|
# provider_id: "urlType",
|
494
|
+
# policy_arns: [
|
495
|
+
# {
|
496
|
+
# arn: "arnType",
|
497
|
+
# },
|
498
|
+
# ],
|
410
499
|
# policy: "sessionPolicyDocumentType",
|
411
500
|
# duration_seconds: 1,
|
412
501
|
# }
|
@@ -450,37 +539,75 @@ module Aws::STS
|
|
450
539
|
# Do not specify this value for OpenID Connect ID tokens.
|
451
540
|
# @return [String]
|
452
541
|
#
|
453
|
-
# @!attribute [rw]
|
454
|
-
#
|
455
|
-
#
|
456
|
-
#
|
457
|
-
#
|
458
|
-
#
|
459
|
-
#
|
460
|
-
#
|
461
|
-
#
|
462
|
-
#
|
463
|
-
#
|
464
|
-
#
|
542
|
+
# @!attribute [rw] policy_arns
|
543
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that
|
544
|
+
# you want to use as managed session policies. The policies must exist
|
545
|
+
# in the same account as the role.
|
546
|
+
#
|
547
|
+
# This parameter is optional. You can provide up to 10 managed policy
|
548
|
+
# ARNs. However, the plain text that you use for both inline and
|
549
|
+
# managed session policies shouldn't exceed 2048 characters. For more
|
550
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
551
|
+
# Service Namespaces](general/latest/gr/aws-arns-and-namespaces.html)
|
552
|
+
# in the AWS General Reference.
|
553
|
+
#
|
554
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
555
|
+
# session policy guideline. However, an AWS conversion compresses the
|
556
|
+
# session policies into a packed binary format that has a separate
|
557
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
558
|
+
# element indicates by percentage how close the policy is to the upper
|
559
|
+
# size limit.
|
465
560
|
#
|
466
|
-
#
|
467
|
-
#
|
561
|
+
# </note>
|
562
|
+
#
|
563
|
+
# Passing policies to this operation returns new temporary
|
564
|
+
# credentials. The resulting session's permissions are the
|
565
|
+
# intersection of the role's identity-based policy and the session
|
566
|
+
# policies. You can use the role's temporary credentials in
|
567
|
+
# subsequent AWS API calls to access resources in the account that
|
568
|
+
# owns the role. You cannot use session policies to grant more
|
569
|
+
# permissions than those allowed by the identity-based policy of the
|
570
|
+
# role that is being assumed. For more information, see [Session
|
571
|
+
# Policies][1] in the *IAM User Guide*.
|
572
|
+
#
|
573
|
+
#
|
574
|
+
#
|
575
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
576
|
+
# @return [Array<Types::PolicyDescriptorType>]
|
577
|
+
#
|
578
|
+
# @!attribute [rw] policy
|
579
|
+
# An IAM policy in JSON format that you want to use as an inline
|
580
|
+
# session policy.
|
581
|
+
#
|
582
|
+
# This parameter is optional. Passing policies to this operation
|
583
|
+
# returns new temporary credentials. The resulting session's
|
584
|
+
# permissions are the intersection of the role's identity-based
|
585
|
+
# policy and the session policies. You can use the role's temporary
|
586
|
+
# credentials in subsequent AWS API calls to access resources in the
|
587
|
+
# account that owns the role. You cannot use session policies to grant
|
588
|
+
# more permissions than those allowed by the identity-based policy of
|
589
|
+
# the role that is being assumed. For more information, see [Session
|
590
|
+
# Policies][1] in the *IAM User Guide*.
|
591
|
+
#
|
592
|
+
# The plain text that you use for both inline and managed session
|
593
|
+
# policies shouldn't exceed 2048 characters. The JSON policy
|
468
594
|
# characters can be any ASCII character from the space character to
|
469
|
-
# the end of the valid character list (\\u0020
|
470
|
-
# include the tab (\\u0009), linefeed (\\u000A), and carriage
|
471
|
-
# (\\u000D) characters.
|
595
|
+
# the end of the valid character list (\\u0020 through \\u00FF). It
|
596
|
+
# can also include the tab (\\u0009), linefeed (\\u000A), and carriage
|
597
|
+
# return (\\u000D) characters.
|
472
598
|
#
|
473
|
-
# <note markdown="1"> The
|
474
|
-
#
|
475
|
-
#
|
476
|
-
#
|
477
|
-
#
|
599
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
600
|
+
# session policy guideline. However, an AWS conversion compresses the
|
601
|
+
# session policies into a packed binary format that has a separate
|
602
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
603
|
+
# element indicates by percentage how close the policy is to the upper
|
604
|
+
# size limit.
|
478
605
|
#
|
479
606
|
# </note>
|
480
607
|
#
|
481
608
|
#
|
482
609
|
#
|
483
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
610
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
484
611
|
# @return [String]
|
485
612
|
#
|
486
613
|
# @!attribute [rw] duration_seconds
|
@@ -519,6 +646,7 @@ module Aws::STS
|
|
519
646
|
:role_session_name,
|
520
647
|
:web_identity_token,
|
521
648
|
:provider_id,
|
649
|
+
:policy_arns,
|
522
650
|
:policy,
|
523
651
|
:duration_seconds)
|
524
652
|
include Aws::Structure
|
@@ -534,9 +662,7 @@ module Aws::STS
|
|
534
662
|
#
|
535
663
|
# <note markdown="1"> The size of the security token that STS API operations return is not
|
536
664
|
# fixed. We strongly recommend that you make no assumptions about the
|
537
|
-
# maximum size.
|
538
|
-
# bytes, but that can vary. Also, future updates to AWS might require
|
539
|
-
# larger sizes.
|
665
|
+
# maximum size.
|
540
666
|
#
|
541
667
|
# </note>
|
542
668
|
# @return [Types::Credentials]
|
@@ -753,6 +879,11 @@ module Aws::STS
|
|
753
879
|
# {
|
754
880
|
# name: "userNameType", # required
|
755
881
|
# policy: "sessionPolicyDocumentType",
|
882
|
+
# policy_arns: [
|
883
|
+
# {
|
884
|
+
# arn: "arnType",
|
885
|
+
# },
|
886
|
+
# ],
|
756
887
|
# duration_seconds: 1,
|
757
888
|
# }
|
758
889
|
#
|
@@ -769,39 +900,98 @@ module Aws::STS
|
|
769
900
|
# @return [String]
|
770
901
|
#
|
771
902
|
# @!attribute [rw] policy
|
772
|
-
# An IAM policy in JSON format
|
773
|
-
#
|
774
|
-
#
|
775
|
-
#
|
776
|
-
#
|
777
|
-
#
|
778
|
-
#
|
779
|
-
#
|
780
|
-
#
|
903
|
+
# An IAM policy in JSON format that you want to use as an inline
|
904
|
+
# session policy.
|
905
|
+
#
|
906
|
+
# You must pass an inline or managed [session policy][1] to this
|
907
|
+
# operation. You can pass a single JSON policy document to use as an
|
908
|
+
# inline session policy. You can also specify up to 10 managed
|
909
|
+
# policies to use as managed session policies.
|
910
|
+
#
|
911
|
+
# This parameter is optional. However, if you do not pass any session
|
912
|
+
# policies, then the resulting federated user session has no
|
913
|
+
# permissions. The only exception is when the credentials are used to
|
914
|
+
# access a resource that has a resource-based policy that specifically
|
915
|
+
# references the federated user session in the `Principal` element of
|
916
|
+
# the policy.
|
917
|
+
#
|
918
|
+
# When you pass session policies, the session permissions are the
|
919
|
+
# intersection of the IAM user policies and the session policies that
|
920
|
+
# you pass. This gives you a way to further restrict the permissions
|
921
|
+
# for a federated user. You cannot use session policies to grant more
|
922
|
+
# permissions than those that are defined in the permissions policy of
|
923
|
+
# the IAM user. For more information, see [Session Policies][2] in the
|
924
|
+
# *IAM User Guide*.
|
781
925
|
#
|
782
|
-
# The
|
783
|
-
#
|
926
|
+
# The plain text that you use for both inline and managed session
|
927
|
+
# policies shouldn't exceed 2048 characters. The JSON policy
|
784
928
|
# characters can be any ASCII character from the space character to
|
785
|
-
# the end of the valid character list (\\u0020
|
786
|
-
# include the tab (\\u0009), linefeed (\\u000A), and carriage
|
787
|
-
# (\\u000D) characters.
|
929
|
+
# the end of the valid character list (\\u0020 through \\u00FF). It
|
930
|
+
# can also include the tab (\\u0009), linefeed (\\u000A), and carriage
|
931
|
+
# return (\\u000D) characters.
|
788
932
|
#
|
789
|
-
# <note markdown="1"> The
|
790
|
-
#
|
791
|
-
#
|
792
|
-
#
|
793
|
-
#
|
933
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
934
|
+
# session policy guideline. However, an AWS conversion compresses the
|
935
|
+
# session policies into a packed binary format that has a separate
|
936
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
937
|
+
# element indicates by percentage how close the policy is to the upper
|
938
|
+
# size limit.
|
794
939
|
#
|
795
940
|
# </note>
|
796
941
|
#
|
797
|
-
# For more information about how permissions work, see [Permissions
|
798
|
-
# for GetFederationToken][1].
|
799
|
-
#
|
800
942
|
#
|
801
943
|
#
|
802
|
-
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
944
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
945
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
803
946
|
# @return [String]
|
804
947
|
#
|
948
|
+
# @!attribute [rw] policy_arns
|
949
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that
|
950
|
+
# you want to use as a managed session policy. The policies must exist
|
951
|
+
# in the same account as the IAM user that is requesting federated
|
952
|
+
# access.
|
953
|
+
#
|
954
|
+
# You must pass an inline or managed [session policy][1] to this
|
955
|
+
# operation. You can pass a single JSON policy document to use as an
|
956
|
+
# inline session policy. You can also specify up to 10 managed
|
957
|
+
# policies to use as managed session policies. The plain text that you
|
958
|
+
# use for both inline and managed session policies shouldn't exceed
|
959
|
+
# 2048 characters. You can provide up to 10 managed policy ARNs. For
|
960
|
+
# more information about ARNs, see [Amazon Resource Names (ARNs) and
|
961
|
+
# AWS Service
|
962
|
+
# Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in the
|
963
|
+
# AWS General Reference.
|
964
|
+
#
|
965
|
+
# This parameter is optional. However, if you do not pass any session
|
966
|
+
# policies, then the resulting federated user session has no
|
967
|
+
# permissions. The only exception is when the credentials are used to
|
968
|
+
# access a resource that has a resource-based policy that specifically
|
969
|
+
# references the federated user session in the `Principal` element of
|
970
|
+
# the policy.
|
971
|
+
#
|
972
|
+
# When you pass session policies, the session permissions are the
|
973
|
+
# intersection of the IAM user policies and the session policies that
|
974
|
+
# you pass. This gives you a way to further restrict the permissions
|
975
|
+
# for a federated user. You cannot use session policies to grant more
|
976
|
+
# permissions than those that are defined in the permissions policy of
|
977
|
+
# the IAM user. For more information, see [Session Policies][2] in the
|
978
|
+
# *IAM User Guide*.
|
979
|
+
#
|
980
|
+
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
981
|
+
# session policy guideline. However, an AWS conversion compresses the
|
982
|
+
# session policies into a packed binary format that has a separate
|
983
|
+
# limit. This is the enforced limit. The `PackedPolicySize` response
|
984
|
+
# element indicates by percentage how close the policy is to the upper
|
985
|
+
# size limit.
|
986
|
+
#
|
987
|
+
# </note>
|
988
|
+
#
|
989
|
+
#
|
990
|
+
#
|
991
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
992
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session
|
993
|
+
# @return [Array<Types::PolicyDescriptorType>]
|
994
|
+
#
|
805
995
|
# @!attribute [rw] duration_seconds
|
806
996
|
# The duration, in seconds, that the session should last. Acceptable
|
807
997
|
# durations for federation sessions range from 900 seconds (15
|
@@ -817,6 +1007,7 @@ module Aws::STS
|
|
817
1007
|
class GetFederationTokenRequest < Struct.new(
|
818
1008
|
:name,
|
819
1009
|
:policy,
|
1010
|
+
:policy_arns,
|
820
1011
|
:duration_seconds)
|
821
1012
|
include Aws::Structure
|
822
1013
|
end
|
@@ -831,9 +1022,7 @@ module Aws::STS
|
|
831
1022
|
#
|
832
1023
|
# <note markdown="1"> The size of the security token that STS API operations return is not
|
833
1024
|
# fixed. We strongly recommend that you make no assumptions about the
|
834
|
-
# maximum size.
|
835
|
-
# bytes, but that can vary. Also, future updates to AWS might require
|
836
|
-
# larger sizes.
|
1025
|
+
# maximum size.
|
837
1026
|
#
|
838
1027
|
# </note>
|
839
1028
|
# @return [Types::Credentials]
|
@@ -926,9 +1115,7 @@ module Aws::STS
|
|
926
1115
|
#
|
927
1116
|
# <note markdown="1"> The size of the security token that STS API operations return is not
|
928
1117
|
# fixed. We strongly recommend that you make no assumptions about the
|
929
|
-
# maximum size.
|
930
|
-
# bytes, but that can vary. Also, future updates to AWS might require
|
931
|
-
# larger sizes.
|
1118
|
+
# maximum size.
|
932
1119
|
#
|
933
1120
|
# </note>
|
934
1121
|
# @return [Types::Credentials]
|
@@ -940,5 +1127,30 @@ module Aws::STS
|
|
940
1127
|
include Aws::Structure
|
941
1128
|
end
|
942
1129
|
|
1130
|
+
# A reference to the IAM managed policy that is passed as a session
|
1131
|
+
# policy for a role session or a federated user session.
|
1132
|
+
#
|
1133
|
+
# @note When making an API call, you may pass PolicyDescriptorType
|
1134
|
+
# data as a hash:
|
1135
|
+
#
|
1136
|
+
# {
|
1137
|
+
# arn: "arnType",
|
1138
|
+
# }
|
1139
|
+
#
|
1140
|
+
# @!attribute [rw] arn
|
1141
|
+
# The Amazon Resource Name (ARN) of the IAM managed policy to use as a
|
1142
|
+
# session policy for the role. For more information about ARNs, see
|
1143
|
+
# [Amazon Resource Names (ARNs) and AWS Service
|
1144
|
+
# Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in the
|
1145
|
+
# *AWS General Reference*.
|
1146
|
+
# @return [String]
|
1147
|
+
#
|
1148
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/PolicyDescriptorType AWS API Documentation
|
1149
|
+
#
|
1150
|
+
class PolicyDescriptorType < Struct.new(
|
1151
|
+
:arn)
|
1152
|
+
include Aws::Structure
|
1153
|
+
end
|
1154
|
+
|
943
1155
|
end
|
944
1156
|
end
|
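Review bot: The new `[1]` link targets in the `policy_arns` and `policy` doc comments for AssumeRoleRequest, AssumeRoleWithSAMLRequest, AssumeRoleWithWebIdentityRequest and GetFederationTokenRequest (and the `[2]` target in GetFederationTokenRequest) carry a doubled path segment — `https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session` — so the rendered YARD link to the session-policy semantics (the "intersection, cannot grant more than the identity-based policy" caveat a caller needs) is dead, while the `[1]` target on the GetFederationToken `policy` attribute shows the correct form. Each of those lines should read `# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session`. The ARN reference in the same comments and in `PolicyDescriptorType#arn` is a relative link, `(general/latest/gr/aws-arns-and-namespaces.html)`, which will not resolve from generated gem docs either; `https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html` would. Since types.rb appears to be generated from the service model, this likely needs fixing in the upstream API docs rather than by hand here.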