aws-sdk-core 3.80.0 → 3.81.0

@@ -45,6 +45,7 @@ module Aws::STS
45
45
  SAMLAssertionType = Shapes::StringShape.new(name: 'SAMLAssertionType')
46
46
  Subject = Shapes::StringShape.new(name: 'Subject')
47
47
  SubjectType = Shapes::StringShape.new(name: 'SubjectType')
48
+ Tag = Shapes::StructureShape.new(name: 'Tag')
48
49
  accessKeyIdType = Shapes::StringShape.new(name: 'accessKeyIdType')
49
50
  accessKeySecretType = Shapes::StringShape.new(name: 'accessKeySecretType')
50
51
  accountType = Shapes::StringShape.new(name: 'accountType')
@@ -71,6 +72,10 @@ module Aws::STS
71
72
  roleSessionNameType = Shapes::StringShape.new(name: 'roleSessionNameType')
72
73
  serialNumberType = Shapes::StringShape.new(name: 'serialNumberType')
73
74
  sessionPolicyDocumentType = Shapes::StringShape.new(name: 'sessionPolicyDocumentType')
75
+ tagKeyListType = Shapes::ListShape.new(name: 'tagKeyListType')
76
+ tagKeyType = Shapes::StringShape.new(name: 'tagKeyType')
77
+ tagListType = Shapes::ListShape.new(name: 'tagListType')
78
+ tagValueType = Shapes::StringShape.new(name: 'tagValueType')
74
79
  tokenCodeType = Shapes::StringShape.new(name: 'tokenCodeType')
75
80
  tokenType = Shapes::StringShape.new(name: 'tokenType')
76
81
  urlType = Shapes::StringShape.new(name: 'urlType')
@@ -83,6 +88,8 @@ module Aws::STS
83
88
  AssumeRoleRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
84
89
  AssumeRoleRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
85
90
  AssumeRoleRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: roleDurationSecondsType, location_name: "DurationSeconds"))
91
+ AssumeRoleRequest.add_member(:tags, Shapes::ShapeRef.new(shape: tagListType, location_name: "Tags"))
92
+ AssumeRoleRequest.add_member(:transitive_tag_keys, Shapes::ShapeRef.new(shape: tagKeyListType, location_name: "TransitiveTagKeys"))
86
93
  AssumeRoleRequest.add_member(:external_id, Shapes::ShapeRef.new(shape: externalIdType, location_name: "ExternalId"))
87
94
  AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
88
95
  AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
@@ -168,6 +175,7 @@ module Aws::STS
168
175
  GetFederationTokenRequest.add_member(:policy, Shapes::ShapeRef.new(shape: sessionPolicyDocumentType, location_name: "Policy"))
169
176
  GetFederationTokenRequest.add_member(:policy_arns, Shapes::ShapeRef.new(shape: policyDescriptorListType, location_name: "PolicyArns"))
170
177
  GetFederationTokenRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: durationSecondsType, location_name: "DurationSeconds"))
178
+ GetFederationTokenRequest.add_member(:tags, Shapes::ShapeRef.new(shape: tagListType, location_name: "Tags"))
171
179
  GetFederationTokenRequest.struct_class = Types::GetFederationTokenRequest
172
180
 
173
181
  GetFederationTokenResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
@@ -207,8 +215,16 @@ module Aws::STS
207
215
  RegionDisabledException.add_member(:message, Shapes::ShapeRef.new(shape: regionDisabledMessage, location_name: "message"))
208
216
  RegionDisabledException.struct_class = Types::RegionDisabledException
209
217
 
218
+ Tag.add_member(:key, Shapes::ShapeRef.new(shape: tagKeyType, required: true, location_name: "Key"))
219
+ Tag.add_member(:value, Shapes::ShapeRef.new(shape: tagValueType, required: true, location_name: "Value"))
220
+ Tag.struct_class = Types::Tag
221
+
210
222
  policyDescriptorListType.member = Shapes::ShapeRef.new(shape: PolicyDescriptorType)
211
223
 
224
+ tagKeyListType.member = Shapes::ShapeRef.new(shape: tagKeyType)
225
+
226
+ tagListType.member = Shapes::ShapeRef.new(shape: Tag)
227
+
212
228
 
213
229
  # @api private
214
230
  API = Seahorse::Model::Api.new.tap do |api|
@@ -21,6 +21,13 @@ module Aws::STS
21
21
  # ],
22
22
  # policy: "sessionPolicyDocumentType",
23
23
  # duration_seconds: 1,
24
+ # tags: [
25
+ # {
26
+ # key: "tagKeyType", # required
27
+ # value: "tagValueType", # required
28
+ # },
29
+ # ],
30
+ # transitive_tag_keys: ["tagKeyType"],
24
31
  # external_id: "externalIdType",
25
32
  # serial_number: "serialNumberType",
26
33
  # token_code: "tokenCodeType",
@@ -55,16 +62,16 @@ module Aws::STS
55
62
  #
56
63
  # This parameter is optional. You can provide up to 10 managed policy
57
64
  # ARNs. However, the plain text that you use for both inline and
58
- # managed session policies shouldn't exceed 2048 characters. For more
65
+ # managed session policies can't exceed 2,048 characters. For more
59
66
  # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
60
67
  # Service Namespaces][1] in the AWS General Reference.
61
68
  #
62
- # <note markdown="1"> The characters in this parameter count towards the 2048 character
63
- # session policy guideline. However, an AWS conversion compresses the
64
- # session policies into a packed binary format that has a separate
65
- # limit. This is the enforced limit. The `PackedPolicySize` response
66
- # element indicates by percentage how close the policy is to the upper
67
- # size limit.
69
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
70
+ # tags into a packed binary format that has a separate limit. Your
71
+ # request can fail for this limit even if your plain text meets the
72
+ # other requirements. The `PackedPolicySize` response element
73
+ # indicates by percentage how close the policies and tags for your
74
+ # request are to the upper size limit.
68
75
  #
69
76
  # </note>
70
77
  #
@@ -99,18 +106,18 @@ module Aws::STS
99
106
  # Policies][1] in the *IAM User Guide*.
100
107
  #
101
108
  # The plain text that you use for both inline and managed session
102
- # policies shouldn't exceed 2048 characters. The JSON policy
103
- # characters can be any ASCII character from the space character to
104
- # the end of the valid character list (\\u0020 through \\u00FF). It
105
- # can also include the tab (\\u0009), linefeed (\\u000A), and carriage
106
- # return (\\u000D) characters.
107
- #
108
- # <note markdown="1"> The characters in this parameter count towards the 2048 character
109
- # session policy guideline. However, an AWS conversion compresses the
110
- # session policies into a packed binary format that has a separate
111
- # limit. This is the enforced limit. The `PackedPolicySize` response
112
- # element indicates by percentage how close the policy is to the upper
113
- # size limit.
109
+ # policies can't exceed 2,048 characters. The JSON policy characters
110
+ # can be any ASCII character from the space character to the end of
111
+ # the valid character list (\\u0020 through \\u00FF). It can also
112
+ # include the tab (\\u0009), linefeed (\\u000A), and carriage return
113
+ # (\\u000D) characters.
114
+ #
115
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
116
+ # tags into a packed binary format that has a separate limit. Your
117
+ # request can fail for this limit even if your plain text meets the
118
+ # other requirements. The `PackedPolicySize` response element
119
+ # indicates by percentage how close the policies and tags for your
120
+ # request are to the upper size limit.
114
121
  #
115
122
  # </note>
116
123
  #
@@ -148,6 +155,70 @@ module Aws::STS
148
155
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
149
156
  # @return [Integer]
150
157
  #
158
+ # @!attribute [rw] tags
159
+ # A list of session tags that you want to pass. Each session tag
160
+ # consists of a key name and an associated value. For more information
161
+ # about session tags, see [Tagging AWS STS Sessions][1] in the *IAM
162
+ # User Guide*.
163
+ #
164
+ # This parameter is optional. You can pass up to 50 session tags. The
165
+ # plain text session tag keys can’t exceed 128 characters, and the
166
+ # values can’t exceed 256 characters. For these and additional limits,
167
+ # see [IAM and STS Character Limits][2] in the *IAM User Guide*.
168
+ #
169
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
170
+ # tags into a packed binary format that has a separate limit. Your
171
+ # request can fail for this limit even if your plain text meets the
172
+ # other requirements. The `PackedPolicySize` response element
173
+ # indicates by percentage how close the policies and tags for your
174
+ # request are to the upper size limit.
175
+ #
176
+ # </note>
177
+ #
178
+ # You can pass a session tag with the same key as a tag that is
179
+ # already attached to the role. When you do, session tags override a
180
+ # role tag with the same key.
181
+ #
182
+ # Tag key–value pairs are not case sensitive, but case is preserved.
183
+ # This means that you cannot have separate `Department` and
184
+ # `department` tag keys. Assume that the role has the
185
+ # `Department`=`Marketing` tag and you pass the
186
+ # `department`=`engineering` session tag. `Department` and
187
+ # `department` are not saved as separate tags, and the session tag
188
+ # passed in the request takes precedence over the role tag.
189
+ #
190
+ # Additionally, if you used temporary credentials to perform this
191
+ # operation, the new session inherits any transitive session tags from
192
+ # the calling session. If you pass a session tag with the same key as
193
+ # an inherited tag, the operation fails. To view the inherited tags
194
+ # for a session, see the AWS CloudTrail logs. For more information,
195
+ # see [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
196
+ #
197
+ #
198
+ #
199
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
200
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
201
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs
202
+ # @return [Array<Types::Tag>]
203
+ #
204
+ # @!attribute [rw] transitive_tag_keys
205
+ # A list of keys for session tags that you want to set as transitive.
206
+ # If you set a tag key as transitive, the corresponding key and value
207
+ # passes to subsequent sessions in a role chain. For more information,
208
+ # see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
209
+ #
210
+ # This parameter is optional. When you set session tags as transitive,
211
+ # the session policy and session tags packed binary limit is not
212
+ # affected.
213
+ #
214
+ # If you choose not to specify a transitive tag key, then no tags are
215
+ # passed from this session to any subsequent sessions.
216
+ #
217
+ #
218
+ #
219
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
220
+ # @return [Array<String>]
221
+ #
151
222
  # @!attribute [rw] external_id
152
223
  # A unique identifier that might be required when you assume a role in
153
224
  # another account. If the administrator of the account to which the
@@ -206,6 +277,8 @@ module Aws::STS
206
277
  :policy_arns,
207
278
  :policy,
208
279
  :duration_seconds,
280
+ :tags,
281
+ :transitive_tag_keys,
209
282
  :external_id,
210
283
  :serial_number,
211
284
  :token_code)
@@ -236,9 +309,10 @@ module Aws::STS
236
309
  # @return [Types::AssumedRoleUser]
237
310
  #
238
311
  # @!attribute [rw] packed_policy_size
239
- # A percentage value that indicates the size of the policy in packed
240
- # form. The service rejects any policy with a packed size greater than
241
- # 100 percent, which means the policy exceeded the allowed space.
312
+ # A percentage value that indicates the packed size of the session
313
+ # policies and session tags combined passed in the request. The
314
+ # request fails if the packed size is greater than 100 percent, which
315
+ # means the policies and tags exceeded the allowed space.
242
316
  # @return [Integer]
243
317
  #
244
318
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse AWS API Documentation
@@ -295,16 +369,16 @@ module Aws::STS
295
369
  #
296
370
  # This parameter is optional. You can provide up to 10 managed policy
297
371
  # ARNs. However, the plain text that you use for both inline and
298
- # managed session policies shouldn't exceed 2048 characters. For more
372
+ # managed session policies can't exceed 2,048 characters. For more
299
373
  # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
300
374
  # Service Namespaces][1] in the AWS General Reference.
301
375
  #
302
- # <note markdown="1"> The characters in this parameter count towards the 2048 character
303
- # session policy guideline. However, an AWS conversion compresses the
304
- # session policies into a packed binary format that has a separate
305
- # limit. This is the enforced limit. The `PackedPolicySize` response
306
- # element indicates by percentage how close the policy is to the upper
307
- # size limit.
376
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
377
+ # tags into a packed binary format that has a separate limit. Your
378
+ # request can fail for this limit even if your plain text meets the
379
+ # other requirements. The `PackedPolicySize` response element
380
+ # indicates by percentage how close the policies and tags for your
381
+ # request are to the upper size limit.
308
382
  #
309
383
  # </note>
310
384
  #
@@ -339,18 +413,18 @@ module Aws::STS
339
413
  # Policies][1] in the *IAM User Guide*.
340
414
  #
341
415
  # The plain text that you use for both inline and managed session
342
- # policies shouldn't exceed 2048 characters. The JSON policy
343
- # characters can be any ASCII character from the space character to
344
- # the end of the valid character list (\\u0020 through \\u00FF). It
345
- # can also include the tab (\\u0009), linefeed (\\u000A), and carriage
346
- # return (\\u000D) characters.
347
- #
348
- # <note markdown="1"> The characters in this parameter count towards the 2048 character
349
- # session policy guideline. However, an AWS conversion compresses the
350
- # session policies into a packed binary format that has a separate
351
- # limit. This is the enforced limit. The `PackedPolicySize` response
352
- # element indicates by percentage how close the policy is to the upper
353
- # size limit.
416
+ # policies can't exceed 2,048 characters. The JSON policy characters
417
+ # can be any ASCII character from the space character to the end of
418
+ # the valid character list (\\u0020 through \\u00FF). It can also
419
+ # include the tab (\\u0009), linefeed (\\u000A), and carriage return
420
+ # (\\u000D) characters.
421
+ #
422
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
423
+ # tags into a packed binary format that has a separate limit. Your
424
+ # request can fail for this limit even if your plain text meets the
425
+ # other requirements. The `PackedPolicySize` response element
426
+ # indicates by percentage how close the policies and tags for your
427
+ # request are to the upper size limit.
354
428
  #
355
429
  # </note>
356
430
  #
@@ -425,9 +499,10 @@ module Aws::STS
425
499
  # @return [Types::AssumedRoleUser]
426
500
  #
427
501
  # @!attribute [rw] packed_policy_size
428
- # A percentage value that indicates the size of the policy in packed
429
- # form. The service rejects any policy with a packed size greater than
430
- # 100 percent, which means the policy exceeded the allowed space.
502
+ # A percentage value that indicates the packed size of the session
503
+ # policies and session tags combined passed in the request. The
504
+ # request fails if the packed size is greater than 100 percent, which
505
+ # means the policies and tags exceeded the allowed space.
431
506
  # @return [Integer]
432
507
  #
433
508
  # @!attribute [rw] subject
@@ -546,16 +621,16 @@ module Aws::STS
546
621
  #
547
622
  # This parameter is optional. You can provide up to 10 managed policy
548
623
  # ARNs. However, the plain text that you use for both inline and
549
- # managed session policies shouldn't exceed 2048 characters. For more
624
+ # managed session policies can't exceed 2,048 characters. For more
550
625
  # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
551
626
  # Service Namespaces][1] in the AWS General Reference.
552
627
  #
553
- # <note markdown="1"> The characters in this parameter count towards the 2048 character
554
- # session policy guideline. However, an AWS conversion compresses the
555
- # session policies into a packed binary format that has a separate
556
- # limit. This is the enforced limit. The `PackedPolicySize` response
557
- # element indicates by percentage how close the policy is to the upper
558
- # size limit.
628
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
629
+ # tags into a packed binary format that has a separate limit. Your
630
+ # request can fail for this limit even if your plain text meets the
631
+ # other requirements. The `PackedPolicySize` response element
632
+ # indicates by percentage how close the policies and tags for your
633
+ # request are to the upper size limit.
559
634
  #
560
635
  # </note>
561
636
  #
@@ -590,18 +665,18 @@ module Aws::STS
590
665
  # Policies][1] in the *IAM User Guide*.
591
666
  #
592
667
  # The plain text that you use for both inline and managed session
593
- # policies shouldn't exceed 2048 characters. The JSON policy
594
- # characters can be any ASCII character from the space character to
595
- # the end of the valid character list (\\u0020 through \\u00FF). It
596
- # can also include the tab (\\u0009), linefeed (\\u000A), and carriage
597
- # return (\\u000D) characters.
598
- #
599
- # <note markdown="1"> The characters in this parameter count towards the 2048 character
600
- # session policy guideline. However, an AWS conversion compresses the
601
- # session policies into a packed binary format that has a separate
602
- # limit. This is the enforced limit. The `PackedPolicySize` response
603
- # element indicates by percentage how close the policy is to the upper
604
- # size limit.
668
+ # policies can't exceed 2,048 characters. The JSON policy characters
669
+ # can be any ASCII character from the space character to the end of
670
+ # the valid character list (\\u0020 through \\u00FF). It can also
671
+ # include the tab (\\u0009), linefeed (\\u000A), and carriage return
672
+ # (\\u000D) characters.
673
+ #
674
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
675
+ # tags into a packed binary format that has a separate limit. Your
676
+ # request can fail for this limit even if your plain text meets the
677
+ # other requirements. The `PackedPolicySize` response element
678
+ # indicates by percentage how close the policies and tags for your
679
+ # request are to the upper size limit.
605
680
  #
606
681
  # </note>
607
682
  #
@@ -687,9 +762,10 @@ module Aws::STS
687
762
  # @return [Types::AssumedRoleUser]
688
763
  #
689
764
  # @!attribute [rw] packed_policy_size
690
- # A percentage value that indicates the size of the policy in packed
691
- # form. The service rejects any policy with a packed size greater than
692
- # 100 percent, which means the policy exceeded the allowed space.
765
+ # A percentage value that indicates the packed size of the session
766
+ # policies and session tags combined passed in the request. The
767
+ # request fails if the packed size is greater than 100 percent, which
768
+ # means the policies and tags exceeded the allowed space.
693
769
  # @return [Integer]
694
770
  #
695
771
  # @!attribute [rw] provider
@@ -730,7 +806,8 @@ module Aws::STS
730
806
  # @!attribute [rw] arn
731
807
  # The ARN of the temporary security credentials that are returned from
732
808
  # the AssumeRole action. For more information about ARNs and how to
733
- # use them in policies, see [IAM Identifiers][1] in *Using IAM*.
809
+ # use them in policies, see [IAM Identifiers][1] in the *IAM User
810
+ # Guide*.
734
811
  #
735
812
  #
736
813
  #
@@ -833,7 +910,7 @@ module Aws::STS
833
910
  # @!attribute [rw] arn
834
911
  # The ARN that specifies the federated user that is associated with
835
912
  # the credentials. For more information about ARNs and how to use them
836
- # in policies, see [IAM Identifiers][1] in *Using IAM*.
913
+ # in policies, see [IAM Identifiers][1] in the *IAM User Guide*.
837
914
  #
838
915
  #
839
916
  #
@@ -859,7 +936,7 @@ module Aws::STS
859
936
  # The identifier of an access key.
860
937
  #
861
938
  # This parameter allows (through its regex pattern) a string of
862
- # characters that can consist of any upper- or lowercased letter or
939
+ # characters that can consist of any upper- or lowercase letter or
863
940
  # digit.
864
941
  # @return [String]
865
942
  #
@@ -932,6 +1009,12 @@ module Aws::STS
932
1009
  # },
933
1010
  # ],
934
1011
  # duration_seconds: 1,
1012
+ # tags: [
1013
+ # {
1014
+ # key: "tagKeyType", # required
1015
+ # value: "tagValueType", # required
1016
+ # },
1017
+ # ],
935
1018
  # }
936
1019
  #
937
1020
  # @!attribute [rw] name
@@ -957,10 +1040,7 @@ module Aws::STS
957
1040
  #
958
1041
  # This parameter is optional. However, if you do not pass any session
959
1042
  # policies, then the resulting federated user session has no
960
- # permissions. The only exception is when the credentials are used to
961
- # access a resource that has a resource-based policy that specifically
962
- # references the federated user session in the `Principal` element of
963
- # the policy.
1043
+ # permissions.
964
1044
  #
965
1045
  # When you pass session policies, the session permissions are the
966
1046
  # intersection of the IAM user policies and the session policies that
@@ -970,19 +1050,26 @@ module Aws::STS
970
1050
  # the IAM user. For more information, see [Session Policies][1] in the
971
1051
  # *IAM User Guide*.
972
1052
  #
1053
+ # The resulting credentials can be used to access a resource that has
1054
+ # a resource-based policy. If that policy specifically references the
1055
+ # federated user session in the `Principal` element of the policy, the
1056
+ # session has the permissions allowed by the policy. These permissions
1057
+ # are granted in addition to the permissions that are granted by the
1058
+ # session policies.
1059
+ #
973
1060
  # The plain text that you use for both inline and managed session
974
- # policies shouldn't exceed 2048 characters. The JSON policy
975
- # characters can be any ASCII character from the space character to
976
- # the end of the valid character list (\\u0020 through \\u00FF). It
977
- # can also include the tab (\\u0009), linefeed (\\u000A), and carriage
978
- # return (\\u000D) characters.
979
- #
980
- # <note markdown="1"> The characters in this parameter count towards the 2048 character
981
- # session policy guideline. However, an AWS conversion compresses the
982
- # session policies into a packed binary format that has a separate
983
- # limit. This is the enforced limit. The `PackedPolicySize` response
984
- # element indicates by percentage how close the policy is to the upper
985
- # size limit.
1061
+ # policies can't exceed 2,048 characters. The JSON policy characters
1062
+ # can be any ASCII character from the space character to the end of
1063
+ # the valid character list (\\u0020 through \\u00FF). It can also
1064
+ # include the tab (\\u0009), linefeed (\\u000A), and carriage return
1065
+ # (\\u000D) characters.
1066
+ #
1067
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1068
+ # tags into a packed binary format that has a separate limit. Your
1069
+ # request can fail for this limit even if your plain text meets the
1070
+ # other requirements. The `PackedPolicySize` response element
1071
+ # indicates by percentage how close the policies and tags for your
1072
+ # request are to the upper size limit.
986
1073
  #
987
1074
  # </note>
988
1075
  #
@@ -1001,17 +1088,14 @@ module Aws::STS
1001
1088
  # operation. You can pass a single JSON policy document to use as an
1002
1089
  # inline session policy. You can also specify up to 10 managed
1003
1090
  # policies to use as managed session policies. The plain text that you
1004
- # use for both inline and managed session policies shouldn't exceed
1005
- # 2048 characters. You can provide up to 10 managed policy ARNs. For
1006
- # more information about ARNs, see [Amazon Resource Names (ARNs) and
1007
- # AWS Service Namespaces][2] in the AWS General Reference.
1091
+ # use for both inline and managed session policies can't exceed 2,048
1092
+ # characters. You can provide up to 10 managed policy ARNs. For more
1093
+ # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
1094
+ # Service Namespaces][2] in the AWS General Reference.
1008
1095
  #
1009
1096
  # This parameter is optional. However, if you do not pass any session
1010
1097
  # policies, then the resulting federated user session has no
1011
- # permissions. The only exception is when the credentials are used to
1012
- # access a resource that has a resource-based policy that specifically
1013
- # references the federated user session in the `Principal` element of
1014
- # the policy.
1098
+ # permissions.
1015
1099
  #
1016
1100
  # When you pass session policies, the session permissions are the
1017
1101
  # intersection of the IAM user policies and the session policies that
@@ -1021,12 +1105,19 @@ module Aws::STS
1021
1105
  # the IAM user. For more information, see [Session Policies][1] in the
1022
1106
  # *IAM User Guide*.
1023
1107
  #
1024
- # <note markdown="1"> The characters in this parameter count towards the 2048 character
1025
- # session policy guideline. However, an AWS conversion compresses the
1026
- # session policies into a packed binary format that has a separate
1027
- # limit. This is the enforced limit. The `PackedPolicySize` response
1028
- # element indicates by percentage how close the policy is to the upper
1029
- # size limit.
1108
+ # The resulting credentials can be used to access a resource that has
1109
+ # a resource-based policy. If that policy specifically references the
1110
+ # federated user session in the `Principal` element of the policy, the
1111
+ # session has the permissions allowed by the policy. These permissions
1112
+ # are granted in addition to the permissions that are granted by the
1113
+ # session policies.
1114
+ #
1115
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1116
+ # tags into a packed binary format that has a separate limit. Your
1117
+ # request can fail for this limit even if your plain text meets the
1118
+ # other requirements. The `PackedPolicySize` response element
1119
+ # indicates by percentage how close the policies and tags for your
1120
+ # request are to the upper size limit.
1030
1121
  #
1031
1122
  # </note>
1032
1123
  #
@@ -1046,13 +1137,51 @@ module Aws::STS
1046
1137
  # obtained by using root user credentials defaults to one hour.
1047
1138
  # @return [Integer]
1048
1139
  #
1140
+ # @!attribute [rw] tags
1141
+ # A list of session tags. Each session tag consists of a key name and
1142
+ # an associated value. For more information about session tags, see
1143
+ # [Passing Session Tags in STS][1] in the *IAM User Guide*.
1144
+ #
1145
+ # This parameter is optional. You can pass up to 50 session tags. The
1146
+ # plain text session tag keys can’t exceed 128 characters and the
1147
+ # values can’t exceed 256 characters. For these and additional limits,
1148
+ # see [IAM and STS Character Limits][2] in the *IAM User Guide*.
1149
+ #
1150
+ # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1151
+ # tags into a packed binary format that has a separate limit. Your
1152
+ # request can fail for this limit even if your plain text meets the
1153
+ # other requirements. The `PackedPolicySize` response element
1154
+ # indicates by percentage how close the policies and tags for your
1155
+ # request are to the upper size limit.
1156
+ #
1157
+ # </note>
1158
+ #
1159
+ # You can pass a session tag with the same key as a tag that is
1160
+ # already attached to the user you are federating. When you do,
1161
+ # session tags override a user tag with the same key.
1162
+ #
1163
+ # Tag key–value pairs are not case sensitive, but case is preserved.
1164
+ # This means that you cannot have separate `Department` and
1165
+ # `department` tag keys. Assume that the role has the
1166
+ # `Department`=`Marketing` tag and you pass the
1167
+ # `department`=`engineering` session tag. `Department` and
1168
+ # `department` are not saved as separate tags, and the session tag
1169
+ # passed in the request takes precedence over the role tag.
1170
+ #
1171
+ #
1172
+ #
1173
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
1174
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
1175
+ # @return [Array<Types::Tag>]
1176
+ #
1049
1177
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenRequest AWS API Documentation
1050
1178
  #
1051
1179
  class GetFederationTokenRequest < Struct.new(
1052
1180
  :name,
1053
1181
  :policy,
1054
1182
  :policy_arns,
1055
- :duration_seconds)
1183
+ :duration_seconds,
1184
+ :tags)
1056
1185
  include Aws::Structure
1057
1186
  end
1058
1187
 
@@ -1079,9 +1208,10 @@ module Aws::STS
1079
1208
  # @return [Types::FederatedUser]
1080
1209
  #
1081
1210
  # @!attribute [rw] packed_policy_size
1082
- # A percentage value indicating the size of the policy in packed form.
1083
- # The service rejects policies for which the packed size is greater
1084
- # than 100 percent of the allowed value.
1211
+ # A percentage value that indicates the packed size of the session
1212
+ # policies and session tags combined passed in the request. The
1213
+ # request fails if the packed size is greater than 100 percent, which
1214
+ # means the policies and tags exceeded the allowed space.
1085
1215
  # @return [Integer]
1086
1216
  #
1087
1217
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenResponse AWS API Documentation
@@ -1171,12 +1301,12 @@ module Aws::STS
1171
1301
  include Aws::Structure
1172
1302
  end
1173
1303
 
1174
- # The request could not be fulfilled because the non-AWS identity
1175
- # provider (IDP) that was asked to verify the incoming identity token
1176
- # could not be reached. This is often a transient error caused by
1177
- # network conditions. Retry the request a limited number of times so
1178
- # that you don't exceed the request rate. If the error persists, the
1179
- # non-AWS identity provider might be down or not responding.
1304
+ # The request could not be fulfilled because the identity provider (IDP)
1305
+ # that was asked to verify the incoming identity token could not be
1306
+ # reached. This is often a transient error caused by network conditions.
1307
+ # Retry the request a limited number of times so that you don't exceed
1308
+ # the request rate. If the error persists, the identity provider might
1309
+ # be down or not responding.
1180
1310
  #
1181
1311
  # @!attribute [rw] message
1182
1312
  # @return [String]
@@ -1205,7 +1335,7 @@ module Aws::STS
1205
1335
  include Aws::Structure
1206
1336
  end
1207
1337
 
1208
- # This error is returned if the message passed to
1338
+ # The error returned if the message passed to
1209
1339
  # `DecodeAuthorizationMessage` was invalid. This can happen if the token
1210
1340
  # contains invalid characters, such as linebreaks.
1211
1341
  #
@@ -1246,9 +1376,22 @@ module Aws::STS
1246
1376
  include Aws::Structure
1247
1377
  end
1248
1378
 
1249
- # The request was rejected because the policy document was too large.
1250
- # The error message describes how big the policy document is, in packed
1251
- # form, as a percentage of what the API allows.
1379
+ # The request was rejected because the total packed size of the session
1380
+ # policies and session tags combined was too large. An AWS conversion
1381
+ # compresses the session policy document, session policy ARNs, and
1382
+ # session tags into a packed binary format that has a separate limit.
1383
+ # The error message indicates by percentage how close the policies and
1384
+ # tags are to the upper size limit. For more information, see [Passing
1385
+ # Session Tags in STS][1] in the *IAM User Guide*.
1386
+ #
1387
+ # You could receive this error even though you meet other defined
1388
+ # session policy and session tag limits. For more information, see [IAM
1389
+ # and STS Entity Character Limits][2] in the *IAM User Guide*.
1390
+ #
1391
+ #
1392
+ #
1393
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
1394
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
1252
1395
  #
1253
1396
  # @!attribute [rw] message
1254
1397
  # @return [String]
@@ -1308,5 +1451,54 @@ module Aws::STS
1308
1451
  include Aws::Structure
1309
1452
  end
1310
1453
 
1454
+ # You can pass custom key-value pair attributes when you assume a role
1455
+ # or federate a user. These are called session tags. You can then use
1456
+ # the session tags to control access to resources. For more information,
1457
+ # see [Tagging AWS STS Sessions][1] in the *IAM User Guide*.
1458
+ #
1459
+ #
1460
+ #
1461
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
1462
+ #
1463
+ # @note When making an API call, you may pass Tag
1464
+ # data as a hash:
1465
+ #
1466
+ # {
1467
+ # key: "tagKeyType", # required
1468
+ # value: "tagValueType", # required
1469
+ # }
1470
+ #
1471
+ # @!attribute [rw] key
1472
+ # The key for a session tag.
1473
+ #
1474
+ # You can pass up to 50 session tags. The plain text session tag keys
1475
+ # can’t exceed 128 characters. For these and additional limits, see
1476
+ # [IAM and STS Character Limits][1] in the *IAM User Guide*.
1477
+ #
1478
+ #
1479
+ #
1480
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
1481
+ # @return [String]
1482
+ #
1483
+ # @!attribute [rw] value
1484
+ # The value for a session tag.
1485
+ #
1486
+ # You can pass up to 50 session tags. The plain text session tag
1487
+ # values can’t exceed 256 characters. For these and additional limits,
1488
+ # see [IAM and STS Character Limits][1] in the *IAM User Guide*.
1489
+ #
1490
+ #
1491
+ #
1492
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
1493
+ # @return [String]
1494
+ #
1495
+ # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/Tag AWS API Documentation
1496
+ #
1497
+ class Tag < Struct.new(
1498
+ :key,
1499
+ :value)
1500
+ include Aws::Structure
1501
+ end
1502
+
1311
1503
  end
1312
1504
  end
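Review bot: In the `tags` documentation added for `GetFederationTokenRequest` (new lines 1165–1169), the case-insensitivity example still says "Assume that the role has the `Department`=`Marketing` tag" and "takes precedence over the role tag", although the paragraph just above it (new lines 1159–1161) says session tags override a tag on the user being federated. The wording looks copied from the `AssumeRoleRequest` attribute. Because this precedence decides which tag value a tag-based access condition sees, the example should name the user, e.g. `# \`department\` tag keys. Assume that the user that you are federating has the` and `# passed in the request takes precedence over the user tag.` Separately, in the rewritten packed-size error comment (new lines 1388–1394), link `[2]` is labelled "IAM and STS Entity Character Limits" but targets `id_credentials_temp_enable-regions.html`; the other limit references in this section use `# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length`. If these comments are generated from the service model, both corrections probably belong upstream rather than in this file.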