aws-sdk-core 3.113.1 → 3.114.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +220 -143
- data/lib/aws-sdk-sts/client_api.rb +5 -0
- data/lib/aws-sdk-sts/types.rb +164 -43
- metadata +2 -2
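--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 05c92208568d6da15a22a13751f95250f41f75aee075c229041d9e5143508541
+data.tar.gz: 117caabce8194db97c873fd92597cbfcd1628f35f218233c7dd45d745e0796af
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c02e113926180f3a3fc82788b1017501ca7ff1e247dbaded8d3ea78cd35d3f5e4fb2c2e546e8327b1060d61824feab5750f820a04a3ae4d406c82c3ca25ad905
+data.tar.gz: e6eca7b1d0823f668bcff24331006def2d46ff43672da88612472e4ec2474f1bba1b0dc410f6e4a6897017f21cf7e4a452614a4657228d5246d3fba3895703a7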
data/CHANGELOG.md
CHANGED
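--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-3.
+3.114.0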
data/lib/aws-sdk-sso.rb
CHANGED
data/lib/aws-sdk-sso/client.rb
CHANGED
data/lib/aws-sdk-sts.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -343,35 +343,6 @@ module Aws::STS
|
|
343
343
|
# [Requesting Temporary Security Credentials][1] and [Comparing the AWS
|
344
344
|
# STS API operations][2] in the *IAM User Guide*.
|
345
345
|
#
|
346
|
-
# You cannot use AWS account root user credentials to call `AssumeRole`.
|
347
|
-
# You must use credentials for an IAM user or an IAM role to call
|
348
|
-
# `AssumeRole`.
|
349
|
-
#
|
350
|
-
# For cross-account access, imagine that you own multiple accounts and
|
351
|
-
# need to access resources in each account. You could create long-term
|
352
|
-
# credentials in each account to access those resources. However,
|
353
|
-
# managing all those credentials and remembering which one can access
|
354
|
-
# which account can be time consuming. Instead, you can create one set
|
355
|
-
# of long-term credentials in one account. Then use temporary security
|
356
|
-
# credentials to access all the other accounts by assuming roles in
|
357
|
-
# those accounts. For more information about roles, see [IAM Roles][3]
|
358
|
-
# in the *IAM User Guide*.
|
359
|
-
#
|
360
|
-
# **Session Duration**
|
361
|
-
#
|
362
|
-
# By default, the temporary security credentials created by `AssumeRole`
|
363
|
-
# last for one hour. However, you can use the optional `DurationSeconds`
|
364
|
-
# parameter to specify the duration of your session. You can provide a
|
365
|
-
# value from 900 seconds (15 minutes) up to the maximum session duration
|
366
|
-
# setting for the role. This setting can have a value from 1 hour to 12
|
367
|
-
# hours. To learn how to view the maximum value for your role, see [View
|
368
|
-
# the Maximum Session Duration Setting for a Role][4] in the *IAM User
|
369
|
-
# Guide*. The maximum session duration limit applies when you use the
|
370
|
-
# `AssumeRole*` API operations or the `assume-role*` CLI commands.
|
371
|
-
# However the limit does not apply when you use those operations to
|
372
|
-
# create a console URL. For more information, see [Using IAM Roles][5]
|
373
|
-
# in the *IAM User Guide*.
|
374
|
-
#
|
375
346
|
# **Permissions**
|
376
347
|
#
|
377
348
|
# The temporary security credentials created by `AssumeRole` can be used
|
@@ -379,10 +350,10 @@ module Aws::STS
|
|
379
350
|
# cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
|
380
351
|
# operations.
|
381
352
|
#
|
382
|
-
# (Optional) You can pass inline or managed [session policies][
|
353
|
+
# (Optional) You can pass inline or managed [session policies][3] to
|
383
354
|
# this operation. You can pass a single JSON policy document to use as
|
384
355
|
# an inline session policy. You can also specify up to 10 managed
|
385
|
-
# policies to use as managed session policies. The
|
356
|
+
# policies to use as managed session policies. The plaintext that you
|
386
357
|
# use for both inline and managed session policies can't exceed 2,048
|
387
358
|
# characters. Passing policies to this operation returns new temporary
|
388
359
|
# credentials. The resulting session's permissions are the intersection
|
@@ -391,7 +362,7 @@ module Aws::STS
|
|
391
362
|
# access resources in the account that owns the role. You cannot use
|
392
363
|
# session policies to grant more permissions than those allowed by the
|
393
364
|
# identity-based policy of the role that is being assumed. For more
|
394
|
-
# information, see [Session Policies][
|
365
|
+
# information, see [Session Policies][3] in the *IAM User Guide*.
|
395
366
|
#
|
396
367
|
# To assume a role from a different account, your AWS account must be
|
397
368
|
# trusted by the role. The trust relationship is defined in the role's
|
@@ -413,24 +384,24 @@ module Aws::STS
|
|
413
384
|
# In this case, the trust policy acts as an IAM resource-based policy.
|
414
385
|
# Users in the same account as the role do not need explicit permission
|
415
386
|
# to assume the role. For more information about trust policies and
|
416
|
-
# resource-based policies, see [IAM Policies][
|
387
|
+
# resource-based policies, see [IAM Policies][4] in the *IAM User
|
417
388
|
# Guide*.
|
418
389
|
#
|
419
390
|
# **Tags**
|
420
391
|
#
|
421
392
|
# (Optional) You can pass tag key-value pairs to your session. These
|
422
393
|
# tags are called session tags. For more information about session tags,
|
423
|
-
# see [Passing Session Tags in STS][
|
394
|
+
# see [Passing Session Tags in STS][5] in the *IAM User Guide*.
|
424
395
|
#
|
425
396
|
# An administrator must grant you the permissions necessary to pass
|
426
397
|
# session tags. The administrator can also create granular permissions
|
427
398
|
# to allow you to pass only specific session tags. For more information,
|
428
|
-
# see [Tutorial: Using Tags for Attribute-Based Access Control][
|
399
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][6] in
|
429
400
|
# the *IAM User Guide*.
|
430
401
|
#
|
431
402
|
# You can set the session tags as transitive. Transitive tags persist
|
432
403
|
# during role chaining. For more information, see [Chaining Roles with
|
433
|
-
# Session Tags][
|
404
|
+
# Session Tags][7] in the *IAM User Guide*.
|
434
405
|
#
|
435
406
|
# **Using MFA with AssumeRole**
|
436
407
|
#
|
@@ -446,8 +417,8 @@ module Aws::STS
|
|
446
417
|
#
|
447
418
|
# `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
|
448
419
|
#
|
449
|
-
# For more information, see [Configuring MFA-Protected API Access][
|
450
|
-
#
|
420
|
+
# For more information, see [Configuring MFA-Protected API Access][8] in
|
421
|
+
# the *IAM User Guide* guide.
|
451
422
|
#
|
452
423
|
# To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
|
453
424
|
# and `TokenCode` parameters. The `SerialNumber` value identifies the
|
@@ -458,15 +429,12 @@ module Aws::STS
|
|
458
429
|
#
|
459
430
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
460
431
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
461
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
462
|
-
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
463
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
464
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
465
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
466
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
467
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
468
|
-
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
469
|
-
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
|
432
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
433
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
|
434
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
435
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
436
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
437
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
|
470
438
|
#
|
471
439
|
# @option params [required, String] :role_arn
|
472
440
|
# The Amazon Resource Name (ARN) of the role to assume.
|
@@ -494,17 +462,17 @@ module Aws::STS
|
|
494
462
|
# the same account as the role.
|
495
463
|
#
|
496
464
|
# This parameter is optional. You can provide up to 10 managed policy
|
497
|
-
# ARNs. However, the
|
465
|
+
# ARNs. However, the plaintext that you use for both inline and managed
|
498
466
|
# session policies can't exceed 2,048 characters. For more information
|
499
467
|
# about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
|
500
468
|
# Namespaces][1] in the AWS General Reference.
|
501
469
|
#
|
502
470
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
503
471
|
# tags into a packed binary format that has a separate limit. Your
|
504
|
-
# request can fail for this limit even if your
|
505
|
-
#
|
506
|
-
#
|
507
|
-
#
|
472
|
+
# request can fail for this limit even if your plaintext meets the other
|
473
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
474
|
+
# percentage how close the policies and tags for your request are to the
|
475
|
+
# upper size limit.
|
508
476
|
#
|
509
477
|
# </note>
|
510
478
|
#
|
@@ -536,7 +504,7 @@ module Aws::STS
|
|
536
504
|
# assumed. For more information, see [Session Policies][1] in the *IAM
|
537
505
|
# User Guide*.
|
538
506
|
#
|
539
|
-
# The
|
507
|
+
# The plaintext that you use for both inline and managed session
|
540
508
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
541
509
|
# can be any ASCII character from the space character to the end of the
|
542
510
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
@@ -545,10 +513,10 @@ module Aws::STS
|
|
545
513
|
#
|
546
514
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
547
515
|
# tags into a packed binary format that has a separate limit. Your
|
548
|
-
# request can fail for this limit even if your
|
549
|
-
#
|
550
|
-
#
|
551
|
-
#
|
516
|
+
# request can fail for this limit even if your plaintext meets the other
|
517
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
518
|
+
# percentage how close the policies and tags for your request are to the
|
519
|
+
# upper size limit.
|
552
520
|
#
|
553
521
|
# </note>
|
554
522
|
#
|
@@ -557,15 +525,16 @@ module Aws::STS
|
|
557
525
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
558
526
|
#
|
559
527
|
# @option params [Integer] :duration_seconds
|
560
|
-
# The duration, in seconds, of the role session. The value can
|
561
|
-
# from 900 seconds (15 minutes) up to the maximum session
|
562
|
-
#
|
563
|
-
#
|
564
|
-
#
|
565
|
-
#
|
566
|
-
#
|
567
|
-
#
|
568
|
-
#
|
528
|
+
# The duration, in seconds, of the role session. The value specified can
|
529
|
+
# can range from 900 seconds (15 minutes) up to the maximum session
|
530
|
+
# duration that is set for the role. The maximum session duration
|
531
|
+
# setting can have a value from 1 hour to 12 hours. If you specify a
|
532
|
+
# value higher than this setting or the administrator setting (whichever
|
533
|
+
# is lower), the operation fails. For example, if you specify a session
|
534
|
+
# duration of 12 hours, but your administrator set the maximum session
|
535
|
+
# duration to 6 hours, your operation fails. To learn how to view the
|
536
|
+
# maximum value for your role, see [View the Maximum Session Duration
|
537
|
+
# Setting for a Role][1] in the *IAM User Guide*.
|
569
538
|
#
|
570
539
|
# By default, the value is set to `3600` seconds.
|
571
540
|
#
|
@@ -591,16 +560,16 @@ module Aws::STS
|
|
591
560
|
# Guide*.
|
592
561
|
#
|
593
562
|
# This parameter is optional. You can pass up to 50 session tags. The
|
594
|
-
#
|
595
|
-
#
|
596
|
-
#
|
563
|
+
# plaintext session tag keys can’t exceed 128 characters, and the values
|
564
|
+
# can’t exceed 256 characters. For these and additional limits, see [IAM
|
565
|
+
# and STS Character Limits][2] in the *IAM User Guide*.
|
597
566
|
#
|
598
567
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
599
568
|
# tags into a packed binary format that has a separate limit. Your
|
600
|
-
# request can fail for this limit even if your
|
601
|
-
#
|
602
|
-
#
|
603
|
-
#
|
569
|
+
# request can fail for this limit even if your plaintext meets the other
|
570
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
571
|
+
# percentage how close the policies and tags for your request are to the
|
572
|
+
# upper size limit.
|
604
573
|
#
|
605
574
|
# </note>
|
606
575
|
#
|
@@ -683,7 +652,7 @@ module Aws::STS
|
|
683
652
|
#
|
684
653
|
# @option params [String] :token_code
|
685
654
|
# The value provided by the MFA device, if the trust policy of the role
|
686
|
-
# being assumed requires MFA (
|
655
|
+
# being assumed requires MFA. (In other words, if the policy includes a
|
687
656
|
# condition that tests for MFA). If the role being assumed requires MFA
|
688
657
|
# and if the `TokenCode` value is missing or expired, the `AssumeRole`
|
689
658
|
# call returns an "access denied" error.
|
@@ -691,11 +660,35 @@ module Aws::STS
|
|
691
660
|
# The format for this parameter, as described by its regex pattern, is a
|
692
661
|
# sequence of six numeric digits.
|
693
662
|
#
|
663
|
+
# @option params [String] :source_identity
|
664
|
+
# The source identity specified by the principal that is calling the
|
665
|
+
# `AssumeRole` operation.
|
666
|
+
#
|
667
|
+
# You can require users to specify a source identity when they assume a
|
668
|
+
# role. You do this by using the `sts:SourceIdentity` condition key in a
|
669
|
+
# role trust policy. You can use source identity information in AWS
|
670
|
+
# CloudTrail logs to determine who took actions with a role. You can use
|
671
|
+
# the `aws:SourceIdentity` condition key to further control access to
|
672
|
+
# AWS resources based on the value of source identity. For more
|
673
|
+
# information about using source identity, see [Monitor and control
|
674
|
+
# actions taken with assumed roles][1] in the *IAM User Guide*.
|
675
|
+
#
|
676
|
+
# The regex used to validate this parameter is a string of characters
|
677
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
678
|
+
# spaces. You can also include underscores or any of the following
|
679
|
+
# characters: =,.@-. You cannot use a value that begins with the text
|
680
|
+
# `aws:`. This prefix is reserved for AWS internal use.
|
681
|
+
#
|
682
|
+
#
|
683
|
+
#
|
684
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
685
|
+
#
|
694
686
|
# @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
695
687
|
#
|
696
688
|
# * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
|
697
689
|
# * {Types::AssumeRoleResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
|
698
690
|
# * {Types::AssumeRoleResponse#packed_policy_size #packed_policy_size} => Integer
|
691
|
+
# * {Types::AssumeRoleResponse#source_identity #source_identity} => String
|
699
692
|
#
|
700
693
|
#
|
701
694
|
# @example Example: To assume a role
|
@@ -762,6 +755,7 @@ module Aws::STS
|
|
762
755
|
# external_id: "externalIdType",
|
763
756
|
# serial_number: "serialNumberType",
|
764
757
|
# token_code: "tokenCodeType",
|
758
|
+
# source_identity: "sourceIdentityType",
|
765
759
|
# })
|
766
760
|
#
|
767
761
|
# @example Response structure
|
@@ -773,6 +767,7 @@ module Aws::STS
|
|
773
767
|
# resp.assumed_role_user.assumed_role_id #=> String
|
774
768
|
# resp.assumed_role_user.arn #=> String
|
775
769
|
# resp.packed_policy_size #=> Integer
|
770
|
+
# resp.source_identity #=> String
|
776
771
|
#
|
777
772
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole AWS API Documentation
|
778
773
|
#
|
@@ -815,6 +810,17 @@ module Aws::STS
|
|
815
810
|
# use those operations to create a console URL. For more information,
|
816
811
|
# see [Using IAM Roles][4] in the *IAM User Guide*.
|
817
812
|
#
|
813
|
+
# <note markdown="1"> [Role chaining][5] limits your AWS CLI or AWS API role session to a
|
814
|
+
# maximum of one hour. When you use the `AssumeRole` API operation to
|
815
|
+
# assume a role, you can specify the duration of your role session with
|
816
|
+
# the `DurationSeconds` parameter. You can specify a parameter value of
|
817
|
+
# up to 43200 seconds (12 hours), depending on the maximum session
|
818
|
+
# duration setting for your role. However, if you assume a role using
|
819
|
+
# role chaining and provide a `DurationSeconds` parameter value greater
|
820
|
+
# than one hour, the operation fails.
|
821
|
+
#
|
822
|
+
# </note>
|
823
|
+
#
|
818
824
|
# **Permissions**
|
819
825
|
#
|
820
826
|
# The temporary security credentials created by `AssumeRoleWithSAML` can
|
@@ -822,10 +828,10 @@ module Aws::STS
|
|
822
828
|
# exception: you cannot call the STS `GetFederationToken` or
|
823
829
|
# `GetSessionToken` API operations.
|
824
830
|
#
|
825
|
-
# (Optional) You can pass inline or managed [session policies][
|
831
|
+
# (Optional) You can pass inline or managed [session policies][6] to
|
826
832
|
# this operation. You can pass a single JSON policy document to use as
|
827
833
|
# an inline session policy. You can also specify up to 10 managed
|
828
|
-
# policies to use as managed session policies. The
|
834
|
+
# policies to use as managed session policies. The plaintext that you
|
829
835
|
# use for both inline and managed session policies can't exceed 2,048
|
830
836
|
# characters. Passing policies to this operation returns new temporary
|
831
837
|
# credentials. The resulting session's permissions are the intersection
|
@@ -834,7 +840,7 @@ module Aws::STS
|
|
834
840
|
# access resources in the account that owns the role. You cannot use
|
835
841
|
# session policies to grant more permissions than those allowed by the
|
836
842
|
# identity-based policy of the role that is being assumed. For more
|
837
|
-
# information, see [Session Policies][
|
843
|
+
# information, see [Session Policies][6] in the *IAM User Guide*.
|
838
844
|
#
|
839
845
|
# Calling `AssumeRoleWithSAML` does not require the use of AWS security
|
840
846
|
# credentials. The identity of the caller is validated by using keys in
|
@@ -853,19 +859,19 @@ module Aws::STS
|
|
853
859
|
# (Optional) You can configure your IdP to pass attributes into your
|
854
860
|
# SAML assertion as session tags. Each session tag consists of a key
|
855
861
|
# name and an associated value. For more information about session tags,
|
856
|
-
# see [Passing Session Tags in STS][
|
862
|
+
# see [Passing Session Tags in STS][7] in the *IAM User Guide*.
|
857
863
|
#
|
858
|
-
# You can pass up to 50 session tags. The
|
864
|
+
# You can pass up to 50 session tags. The plaintext session tag keys
|
859
865
|
# can’t exceed 128 characters and the values can’t exceed 256
|
860
866
|
# characters. For these and additional limits, see [IAM and STS
|
861
|
-
# Character Limits][
|
867
|
+
# Character Limits][8] in the *IAM User Guide*.
|
862
868
|
#
|
863
869
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
864
870
|
# tags into a packed binary format that has a separate limit. Your
|
865
|
-
# request can fail for this limit even if your
|
866
|
-
#
|
867
|
-
#
|
868
|
-
#
|
871
|
+
# request can fail for this limit even if your plaintext meets the other
|
872
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
873
|
+
# percentage how close the policies and tags for your request are to the
|
874
|
+
# upper size limit.
|
869
875
|
#
|
870
876
|
# </note>
|
871
877
|
#
|
@@ -876,12 +882,12 @@ module Aws::STS
|
|
876
882
|
# An administrator must grant you the permissions necessary to pass
|
877
883
|
# session tags. The administrator can also create granular permissions
|
878
884
|
# to allow you to pass only specific session tags. For more information,
|
879
|
-
# see [Tutorial: Using Tags for Attribute-Based Access Control][
|
885
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
|
880
886
|
# the *IAM User Guide*.
|
881
887
|
#
|
882
888
|
# You can set the session tags as transitive. Transitive tags persist
|
883
889
|
# during role chaining. For more information, see [Chaining Roles with
|
884
|
-
# Session Tags][
|
890
|
+
# Session Tags][10] in the *IAM User Guide*.
|
885
891
|
#
|
886
892
|
# **SAML Configuration**
|
887
893
|
#
|
@@ -894,14 +900,14 @@ module Aws::STS
|
|
894
900
|
#
|
895
901
|
# For more information, see the following resources:
|
896
902
|
#
|
897
|
-
# * [About SAML 2.0-based Federation][
|
903
|
+
# * [About SAML 2.0-based Federation][11] in the *IAM User Guide*.
|
898
904
|
#
|
899
|
-
# * [Creating SAML Identity Providers][
|
905
|
+
# * [Creating SAML Identity Providers][12] in the *IAM User Guide*.
|
900
906
|
#
|
901
|
-
# * [Configuring a Relying Party and Claims][
|
907
|
+
# * [Configuring a Relying Party and Claims][13] in the *IAM User
|
902
908
|
# Guide*.
|
903
909
|
#
|
904
|
-
# * [Creating a Role for SAML 2.0 Federation][
|
910
|
+
# * [Creating a Role for SAML 2.0 Federation][14] in the *IAM User
|
905
911
|
# Guide*.
|
906
912
|
#
|
907
913
|
#
|
@@ -910,15 +916,16 @@ module Aws::STS
|
|
910
916
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
911
917
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
912
918
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
913
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
914
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
915
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
916
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
917
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
918
|
-
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
919
|
-
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
920
|
-
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
921
|
-
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
919
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
|
920
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
921
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
922
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
923
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
924
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
925
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
|
926
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
|
927
|
+
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
|
928
|
+
# [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
|
922
929
|
#
|
923
930
|
# @option params [required, String] :role_arn
|
924
931
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
@@ -929,7 +936,7 @@ module Aws::STS
|
|
929
936
|
# describes the IdP.
|
930
937
|
#
|
931
938
|
# @option params [required, String] :saml_assertion
|
932
|
-
# The
|
939
|
+
# The base64 encoded SAML authentication response provided by the IdP.
|
933
940
|
#
|
934
941
|
# For more information, see [Configuring a Relying Party and Adding
|
935
942
|
# Claims][1] in the *IAM User Guide*.
|
@@ -944,17 +951,17 @@ module Aws::STS
|
|
944
951
|
# the same account as the role.
|
945
952
|
#
|
946
953
|
# This parameter is optional. You can provide up to 10 managed policy
|
947
|
-
# ARNs. However, the
|
954
|
+
# ARNs. However, the plaintext that you use for both inline and managed
|
948
955
|
# session policies can't exceed 2,048 characters. For more information
|
949
956
|
# about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
|
950
957
|
# Namespaces][1] in the AWS General Reference.
|
951
958
|
#
|
952
959
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
953
960
|
# tags into a packed binary format that has a separate limit. Your
|
954
|
-
# request can fail for this limit even if your
|
955
|
-
#
|
956
|
-
#
|
957
|
-
#
|
961
|
+
# request can fail for this limit even if your plaintext meets the other
|
962
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
963
|
+
# percentage how close the policies and tags for your request are to the
|
964
|
+
# upper size limit.
|
958
965
|
#
|
959
966
|
# </note>
|
960
967
|
#
|
@@ -986,7 +993,7 @@ module Aws::STS
|
|
986
993
|
# assumed. For more information, see [Session Policies][1] in the *IAM
|
987
994
|
# User Guide*.
|
988
995
|
#
|
989
|
-
# The
|
996
|
+
# The plaintext that you use for both inline and managed session
|
990
997
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
991
998
|
# can be any ASCII character from the space character to the end of the
|
992
999
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
@@ -995,10 +1002,10 @@ module Aws::STS
|
|
995
1002
|
#
|
996
1003
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
997
1004
|
# tags into a packed binary format that has a separate limit. Your
|
998
|
-
# request can fail for this limit even if your
|
999
|
-
#
|
1000
|
-
#
|
1001
|
-
#
|
1005
|
+
# request can fail for this limit even if your plaintext meets the other
|
1006
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
1007
|
+
# percentage how close the policies and tags for your request are to the
|
1008
|
+
# upper size limit.
|
1002
1009
|
#
|
1003
1010
|
# </note>
|
1004
1011
|
#
|
@@ -1047,6 +1054,7 @@ module Aws::STS
|
|
1047
1054
|
# * {Types::AssumeRoleWithSAMLResponse#issuer #issuer} => String
|
1048
1055
|
# * {Types::AssumeRoleWithSAMLResponse#audience #audience} => String
|
1049
1056
|
# * {Types::AssumeRoleWithSAMLResponse#name_qualifier #name_qualifier} => String
|
1057
|
+
# * {Types::AssumeRoleWithSAMLResponse#source_identity #source_identity} => String
|
1050
1058
|
#
|
1051
1059
|
#
|
1052
1060
|
# @example Example: To assume a role using a SAML assertion
|
@@ -1107,6 +1115,7 @@ module Aws::STS
|
|
1107
1115
|
# resp.issuer #=> String
|
1108
1116
|
# resp.audience #=> String
|
1109
1117
|
# resp.name_qualifier #=> String
|
1118
|
+
# resp.source_identity #=> String
|
1110
1119
|
#
|
1111
1120
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML AWS API Documentation
|
1112
1121
|
#
|
@@ -1176,7 +1185,7 @@ module Aws::STS
|
|
1176
1185
|
# (Optional) You can pass inline or managed [session policies][9] to
|
1177
1186
|
# this operation. You can pass a single JSON policy document to use as
|
1178
1187
|
# an inline session policy. You can also specify up to 10 managed
|
1179
|
-
# policies to use as managed session policies. The
|
1188
|
+
# policies to use as managed session policies. The plaintext that you
|
1180
1189
|
# use for both inline and managed session policies can't exceed 2,048
|
1181
1190
|
# characters. Passing policies to this operation returns new temporary
|
1182
1191
|
# credentials. The resulting session's permissions are the intersection
|
@@ -1194,17 +1203,17 @@ module Aws::STS
|
|
1194
1203
|
# name and an associated value. For more information about session tags,
|
1195
1204
|
# see [Passing Session Tags in STS][10] in the *IAM User Guide*.
|
1196
1205
|
#
|
1197
|
-
# You can pass up to 50 session tags. The
|
1206
|
+
# You can pass up to 50 session tags. The plaintext session tag keys
|
1198
1207
|
# can’t exceed 128 characters and the values can’t exceed 256
|
1199
1208
|
# characters. For these and additional limits, see [IAM and STS
|
1200
1209
|
# Character Limits][11] in the *IAM User Guide*.
|
1201
1210
|
#
|
1202
1211
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1203
1212
|
# tags into a packed binary format that has a separate limit. Your
|
1204
|
-
# request can fail for this limit even if your
|
1205
|
-
#
|
1206
|
-
#
|
1207
|
-
#
|
1213
|
+
# request can fail for this limit even if your plaintext meets the other
|
1214
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
1215
|
+
# percentage how close the policies and tags for your request are to the
|
1216
|
+
# upper size limit.
|
1208
1217
|
#
|
1209
1218
|
# </note>
|
1210
1219
|
#
|
@@ -1233,7 +1242,7 @@ module Aws::STS
|
|
1233
1242
|
#
|
1234
1243
|
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
|
1235
1244
|
# CloudTrail logs. The entry includes the [Subject][14] of the provided
|
1236
|
-
#
|
1245
|
+
# web identity token. We recommend that you avoid using any personally
|
1237
1246
|
# identifiable information (PII) in this field. For example, you could
|
1238
1247
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
1239
1248
|
# specification][15].
|
@@ -1322,17 +1331,17 @@ module Aws::STS
|
|
1322
1331
|
# the same account as the role.
|
1323
1332
|
#
|
1324
1333
|
# This parameter is optional. You can provide up to 10 managed policy
|
1325
|
-
# ARNs. However, the
|
1334
|
+
# ARNs. However, the plaintext that you use for both inline and managed
|
1326
1335
|
# session policies can't exceed 2,048 characters. For more information
|
1327
1336
|
# about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
|
1328
1337
|
# Namespaces][1] in the AWS General Reference.
|
1329
1338
|
#
|
1330
1339
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1331
1340
|
# tags into a packed binary format that has a separate limit. Your
|
1332
|
-
# request can fail for this limit even if your
|
1333
|
-
#
|
1334
|
-
#
|
1335
|
-
#
|
1341
|
+
# request can fail for this limit even if your plaintext meets the other
|
1342
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
1343
|
+
# percentage how close the policies and tags for your request are to the
|
1344
|
+
# upper size limit.
|
1336
1345
|
#
|
1337
1346
|
# </note>
|
1338
1347
|
#
|
@@ -1364,7 +1373,7 @@ module Aws::STS
|
|
1364
1373
|
# assumed. For more information, see [Session Policies][1] in the *IAM
|
1365
1374
|
# User Guide*.
|
1366
1375
|
#
|
1367
|
-
# The
|
1376
|
+
# The plaintext that you use for both inline and managed session
|
1368
1377
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
1369
1378
|
# can be any ASCII character from the space character to the end of the
|
1370
1379
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
@@ -1373,10 +1382,10 @@ module Aws::STS
|
|
1373
1382
|
#
|
1374
1383
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1375
1384
|
# tags into a packed binary format that has a separate limit. Your
|
1376
|
-
# request can fail for this limit even if your
|
1377
|
-
#
|
1378
|
-
#
|
1379
|
-
#
|
1385
|
+
# request can fail for this limit even if your plaintext meets the other
|
1386
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
1387
|
+
# percentage how close the policies and tags for your request are to the
|
1388
|
+
# upper size limit.
|
1380
1389
|
#
|
1381
1390
|
# </note>
|
1382
1391
|
#
|
@@ -1420,6 +1429,7 @@ module Aws::STS
|
|
1420
1429
|
# * {Types::AssumeRoleWithWebIdentityResponse#packed_policy_size #packed_policy_size} => Integer
|
1421
1430
|
# * {Types::AssumeRoleWithWebIdentityResponse#provider #provider} => String
|
1422
1431
|
# * {Types::AssumeRoleWithWebIdentityResponse#audience #audience} => String
|
1432
|
+
# * {Types::AssumeRoleWithWebIdentityResponse#source_identity #source_identity} => String
|
1423
1433
|
#
|
1424
1434
|
#
|
1425
1435
|
# @example Example: To assume a role as an OpenID Connect-federated user
|
@@ -1479,6 +1489,7 @@ module Aws::STS
|
|
1479
1489
|
# resp.packed_policy_size #=> Integer
|
1480
1490
|
# resp.provider #=> String
|
1481
1491
|
# resp.audience #=> String
|
1492
|
+
# resp.source_identity #=> String
|
1482
1493
|
#
|
1483
1494
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity AWS API Documentation
|
1484
1495
|
#
|
@@ -1763,6 +1774,72 @@ module Aws::STS
|
|
1763
1774
|
# You must pass an inline or managed [session policy][6] to this
|
1764
1775
|
# operation. You can pass a single JSON policy document to use as an
|
1765
1776
|
# inline session policy. You can also specify up to 10 managed policies
|
1777
|
+
# to use as managed session policies. The plaintext that you use for
|
1778
|
+
# both inline and managed session policies can't exceed 2,048
|
1779
|
+
# characters.
|
1780
|
+
#
|
1781
|
+
# Though the session policy parameters are optional, if you do not pass
|
1782
|
+
# a policy, then the resulting federated user session has no
|
1783
|
+
# permissions. When you pass session policies, the session permissions
|
1784
|
+
# are the intersection of the IAM user policies and the session policies
|
1785
|
+
# that you pass. This gives you a way to further restrict the
|
1786
|
+
# permissions for a federated user. You cannot use session policies to
|
1787
|
+
# grant more permissions than those that are defined in the permissions
|
1788
|
+
# policy of the IAM user. For more information, see [Session
|
1789
|
+
# Policies][6] in the *IAM User Guide*. For information about using
|
1790
|
+
# `GetFederationToken` to create temporary security credentials, see
|
1791
|
+
# [GetFederationToken—Federation Through a Custom Identity Broker][7].
|
1792
|
+
#
|
1793
|
+
# You can use the credentials to access a resource that has a
|
1794
|
+
# resource-based policy. If that policy specifically references the
|
1795
|
+
# federated user session in the `Principal` element of the policy, the
|
1796
|
+
# session has the permissions allowed by the policy. These permissions
|
1797
|
+
# are granted in addition to the permissions granted by the session
|
1798
|
+
# policies.
|
1799
|
+
#
|
1800
|
+
# **Tags**
|
1801
|
+
#
|
1802
|
+
# (Optional) You can pass tag key-value pairs to your session. These are
|
1803
|
+
# called session tags. For more information about session tags, see
|
1804
|
+
# [Passing Session Tags in STS][8] in the *IAM User Guide*.
|
1805
|
+
#
|
1806
|
+
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
1807
|
+
# authenticate users using a web identity provider like Login with
|
1808
|
+
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
1809
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][3]
|
1810
|
+
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
1811
|
+
# Through a Web-based Identity Provider][4] in the *IAM User Guide*.
|
1812
|
+
#
|
1813
|
+
# </note>
|
1814
|
+
#
|
1815
|
+
# You can also call `GetFederationToken` using the security credentials
|
1816
|
+
# of an AWS account root user, but we do not recommend it. Instead, we
|
1817
|
+
# recommend that you create an IAM user for the purpose of the proxy
|
1818
|
+
# application. Then attach a policy to the IAM user that limits
|
1819
|
+
# federated users to only the actions and resources that they need to
|
1820
|
+
# access. For more information, see [IAM Best Practices][5] in the *IAM
|
1821
|
+
# User Guide*.
|
1822
|
+
#
|
1823
|
+
# **Session duration**
|
1824
|
+
#
|
1825
|
+
# The temporary credentials are valid for the specified duration, from
|
1826
|
+
# 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
|
1827
|
+
# hours). The default session duration is 43,200 seconds (12 hours).
|
1828
|
+
# Temporary credentials that are obtained by using AWS account root user
|
1829
|
+
# credentials have a maximum duration of 3,600 seconds (1 hour).
|
1830
|
+
#
|
1831
|
+
# **Permissions**
|
1832
|
+
#
|
1833
|
+
# You can use the temporary credentials created by `GetFederationToken`
|
1834
|
+
# in any AWS service except the following:
|
1835
|
+
#
|
1836
|
+
# * You cannot call any IAM operations using the AWS CLI or the AWS API.
|
1837
|
+
#
|
1838
|
+
# * You cannot call any STS operations except `GetCallerIdentity`.
|
1839
|
+
#
|
1840
|
+
# You must pass an inline or managed [session policy][6] to this
|
1841
|
+
# operation. You can pass a single JSON policy document to use as an
|
1842
|
+
# inline session policy. You can also specify up to 10 managed policies
|
1766
1843
|
# to use as managed session policies. The plain text that you use for
|
1767
1844
|
# both inline and managed session policies can't exceed 2,048
|
1768
1845
|
# characters.
|
@@ -1857,7 +1934,7 @@ module Aws::STS
|
|
1857
1934
|
# are granted in addition to the permissions that are granted by the
|
1858
1935
|
# session policies.
|
1859
1936
|
#
|
1860
|
-
# The
|
1937
|
+
# The plaintext that you use for both inline and managed session
|
1861
1938
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
1862
1939
|
# can be any ASCII character from the space character to the end of the
|
1863
1940
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
@@ -1866,10 +1943,10 @@ module Aws::STS
|
|
1866
1943
|
#
|
1867
1944
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1868
1945
|
# tags into a packed binary format that has a separate limit. Your
|
1869
|
-
# request can fail for this limit even if your
|
1870
|
-
#
|
1871
|
-
#
|
1872
|
-
#
|
1946
|
+
# request can fail for this limit even if your plaintext meets the other
|
1947
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
1948
|
+
# percentage how close the policies and tags for your request are to the
|
1949
|
+
# upper size limit.
|
1873
1950
|
#
|
1874
1951
|
# </note>
|
1875
1952
|
#
|
@@ -1885,7 +1962,7 @@ module Aws::STS
|
|
1885
1962
|
# You must pass an inline or managed [session policy][1] to this
|
1886
1963
|
# operation. You can pass a single JSON policy document to use as an
|
1887
1964
|
# inline session policy. You can also specify up to 10 managed policies
|
1888
|
-
# to use as managed session policies. The
|
1965
|
+
# to use as managed session policies. The plaintext that you use for
|
1889
1966
|
# both inline and managed session policies can't exceed 2,048
|
1890
1967
|
# characters. You can provide up to 10 managed policy ARNs. For more
|
1891
1968
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
@@ -1912,10 +1989,10 @@ module Aws::STS
|
|
1912
1989
|
#
|
1913
1990
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1914
1991
|
# tags into a packed binary format that has a separate limit. Your
|
1915
|
-
# request can fail for this limit even if your
|
1916
|
-
#
|
1917
|
-
#
|
1918
|
-
#
|
1992
|
+
# request can fail for this limit even if your plaintext meets the other
|
1993
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
1994
|
+
# percentage how close the policies and tags for your request are to the
|
1995
|
+
# upper size limit.
|
1919
1996
|
#
|
1920
1997
|
# </note>
|
1921
1998
|
#
|
@@ -1939,16 +2016,16 @@ module Aws::STS
|
|
1939
2016
|
# [Passing Session Tags in STS][1] in the *IAM User Guide*.
|
1940
2017
|
#
|
1941
2018
|
# This parameter is optional. You can pass up to 50 session tags. The
|
1942
|
-
#
|
2019
|
+
# plaintext session tag keys can’t exceed 128 characters and the values
|
1943
2020
|
# can’t exceed 256 characters. For these and additional limits, see [IAM
|
1944
2021
|
# and STS Character Limits][2] in the *IAM User Guide*.
|
1945
2022
|
#
|
1946
2023
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1947
2024
|
# tags into a packed binary format that has a separate limit. Your
|
1948
|
-
# request can fail for this limit even if your
|
1949
|
-
#
|
1950
|
-
#
|
1951
|
-
#
|
2025
|
+
# request can fail for this limit even if your plaintext meets the other
|
2026
|
+
# requirements. The `PackedPolicySize` response element indicates by
|
2027
|
+
# percentage how close the policies and tags for your request are to the
|
2028
|
+
# upper size limit.
|
1952
2029
|
#
|
1953
2030
|
# </note>
|
1954
2031
|
#
|
@@ -2204,7 +2281,7 @@ module Aws::STS
|
|
2204
2281
|
params: params,
|
2205
2282
|
config: config)
|
2206
2283
|
context[:gem_name] = 'aws-sdk-core'
|
2207
|
-
context[:gem_version] = '3.
|
2284
|
+
context[:gem_version] = '3.114.0'
|
2208
2285
|
Seahorse::Client::Request.new(handlers, context)
|
2209
2286
|
end
|
2210
2287
|
|
@@ -74,6 +74,7 @@ module Aws::STS
|
|
74
74
|
roleSessionNameType = Shapes::StringShape.new(name: 'roleSessionNameType')
|
75
75
|
serialNumberType = Shapes::StringShape.new(name: 'serialNumberType')
|
76
76
|
sessionPolicyDocumentType = Shapes::StringShape.new(name: 'sessionPolicyDocumentType')
|
77
|
+
sourceIdentityType = Shapes::StringShape.new(name: 'sourceIdentityType')
|
77
78
|
tagKeyListType = Shapes::ListShape.new(name: 'tagKeyListType')
|
78
79
|
tagKeyType = Shapes::StringShape.new(name: 'tagKeyType')
|
79
80
|
tagListType = Shapes::ListShape.new(name: 'tagListType')
|
@@ -95,11 +96,13 @@ module Aws::STS
|
|
95
96
|
AssumeRoleRequest.add_member(:external_id, Shapes::ShapeRef.new(shape: externalIdType, location_name: "ExternalId"))
|
96
97
|
AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
|
97
98
|
AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
|
99
|
+
AssumeRoleRequest.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
98
100
|
AssumeRoleRequest.struct_class = Types::AssumeRoleRequest
|
99
101
|
|
100
102
|
AssumeRoleResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
|
101
103
|
AssumeRoleResponse.add_member(:assumed_role_user, Shapes::ShapeRef.new(shape: AssumedRoleUser, location_name: "AssumedRoleUser"))
|
102
104
|
AssumeRoleResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
|
105
|
+
AssumeRoleResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
103
106
|
AssumeRoleResponse.struct_class = Types::AssumeRoleResponse
|
104
107
|
|
105
108
|
AssumeRoleWithSAMLRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
|
@@ -118,6 +121,7 @@ module Aws::STS
|
|
118
121
|
AssumeRoleWithSAMLResponse.add_member(:issuer, Shapes::ShapeRef.new(shape: Issuer, location_name: "Issuer"))
|
119
122
|
AssumeRoleWithSAMLResponse.add_member(:audience, Shapes::ShapeRef.new(shape: Audience, location_name: "Audience"))
|
120
123
|
AssumeRoleWithSAMLResponse.add_member(:name_qualifier, Shapes::ShapeRef.new(shape: NameQualifier, location_name: "NameQualifier"))
|
124
|
+
AssumeRoleWithSAMLResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
121
125
|
AssumeRoleWithSAMLResponse.struct_class = Types::AssumeRoleWithSAMLResponse
|
122
126
|
|
123
127
|
AssumeRoleWithWebIdentityRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
|
@@ -135,6 +139,7 @@ module Aws::STS
|
|
135
139
|
AssumeRoleWithWebIdentityResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
|
136
140
|
AssumeRoleWithWebIdentityResponse.add_member(:provider, Shapes::ShapeRef.new(shape: Issuer, location_name: "Provider"))
|
137
141
|
AssumeRoleWithWebIdentityResponse.add_member(:audience, Shapes::ShapeRef.new(shape: Audience, location_name: "Audience"))
|
142
|
+
AssumeRoleWithWebIdentityResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
138
143
|
AssumeRoleWithWebIdentityResponse.struct_class = Types::AssumeRoleWithWebIdentityResponse
|
139
144
|
|
140
145
|
AssumedRoleUser.add_member(:assumed_role_id, Shapes::ShapeRef.new(shape: assumedRoleIdType, required: true, location_name: "AssumedRoleId"))
|
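Review bot: `sourceIdentityType` is added at new line 77 as a bare `Shapes::StringShape` with no length or pattern metadata, so nothing in these hunks encodes the format that the types.rb documentation on this page describes (alphanumerics plus `_=,.@-`, no spaces, and no `aws:` prefix on the request side). As far as the visible lines show, a malformed value would only be rejected by the service, and because the new `AssumeRoleRequest` member at new line 99 carries no `required: true`, requiring it depends on the `sts:SourceIdentity` condition in the role trust policy. Since this value is what CloudTrail uses to attribute actions taken with the role, I would document that next to the shape, e.g. `# sourceIdentityType: format rules (no spaces, no "aws:" prefix) are not encoded in this shape`. The neighbouring string shapes are declared the same way, so this looks like the file's convention rather than an oversight in this change.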
data/lib/aws-sdk-sts/types.rb
CHANGED
@@ -33,6 +33,7 @@ module Aws::STS
|
|
33
33
|
# external_id: "externalIdType",
|
34
34
|
# serial_number: "serialNumberType",
|
35
35
|
# token_code: "tokenCodeType",
|
36
|
+
# source_identity: "sourceIdentityType",
|
36
37
|
# }
|
37
38
|
#
|
38
39
|
# @!attribute [rw] role_arn
|
@@ -63,14 +64,14 @@ module Aws::STS
|
|
63
64
|
# in the same account as the role.
|
64
65
|
#
|
65
66
|
# This parameter is optional. You can provide up to 10 managed policy
|
66
|
-
# ARNs. However, the
|
67
|
+
# ARNs. However, the plaintext that you use for both inline and
|
67
68
|
# managed session policies can't exceed 2,048 characters. For more
|
68
69
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
69
70
|
# Service Namespaces][1] in the AWS General Reference.
|
70
71
|
#
|
71
72
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
72
73
|
# tags into a packed binary format that has a separate limit. Your
|
73
|
-
# request can fail for this limit even if your
|
74
|
+
# request can fail for this limit even if your plaintext meets the
|
74
75
|
# other requirements. The `PackedPolicySize` response element
|
75
76
|
# indicates by percentage how close the policies and tags for your
|
76
77
|
# request are to the upper size limit.
|
@@ -107,7 +108,7 @@ module Aws::STS
|
|
107
108
|
# the role that is being assumed. For more information, see [Session
|
108
109
|
# Policies][1] in the *IAM User Guide*.
|
109
110
|
#
|
110
|
-
# The
|
111
|
+
# The plaintext that you use for both inline and managed session
|
111
112
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
112
113
|
# can be any ASCII character from the space character to the end of
|
113
114
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
@@ -116,7 +117,7 @@ module Aws::STS
|
|
116
117
|
#
|
117
118
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
118
119
|
# tags into a packed binary format that has a separate limit. Your
|
119
|
-
# request can fail for this limit even if your
|
120
|
+
# request can fail for this limit even if your plaintext meets the
|
120
121
|
# other requirements. The `PackedPolicySize` response element
|
121
122
|
# indicates by percentage how close the policies and tags for your
|
122
123
|
# request are to the upper size limit.
|
@@ -129,15 +130,17 @@ module Aws::STS
|
|
129
130
|
# @return [String]
|
130
131
|
#
|
131
132
|
# @!attribute [rw] duration_seconds
|
132
|
-
# The duration, in seconds, of the role session. The value
|
133
|
-
# from 900 seconds (15 minutes) up to the maximum
|
134
|
-
#
|
135
|
-
#
|
136
|
-
#
|
137
|
-
#
|
138
|
-
#
|
139
|
-
#
|
140
|
-
#
|
133
|
+
# The duration, in seconds, of the role session. The value specified
|
134
|
+
# can can range from 900 seconds (15 minutes) up to the maximum
|
135
|
+
# session duration that is set for the role. The maximum session
|
136
|
+
# duration setting can have a value from 1 hour to 12 hours. If you
|
137
|
+
# specify a value higher than this setting or the administrator
|
138
|
+
# setting (whichever is lower), the operation fails. For example, if
|
139
|
+
# you specify a session duration of 12 hours, but your administrator
|
140
|
+
# set the maximum session duration to 6 hours, your operation fails.
|
141
|
+
# To learn how to view the maximum value for your role, see [View the
|
142
|
+
# Maximum Session Duration Setting for a Role][1] in the *IAM User
|
143
|
+
# Guide*.
|
141
144
|
#
|
142
145
|
# By default, the value is set to `3600` seconds.
|
143
146
|
#
|
@@ -164,13 +167,13 @@ module Aws::STS
|
|
164
167
|
# User Guide*.
|
165
168
|
#
|
166
169
|
# This parameter is optional. You can pass up to 50 session tags. The
|
167
|
-
#
|
170
|
+
# plaintext session tag keys can’t exceed 128 characters, and the
|
168
171
|
# values can’t exceed 256 characters. For these and additional limits,
|
169
172
|
# see [IAM and STS Character Limits][2] in the *IAM User Guide*.
|
170
173
|
#
|
171
174
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
172
175
|
# tags into a packed binary format that has a separate limit. Your
|
173
|
-
# request can fail for this limit even if your
|
176
|
+
# request can fail for this limit even if your plaintext meets the
|
174
177
|
# other requirements. The `PackedPolicySize` response element
|
175
178
|
# indicates by percentage how close the policies and tags for your
|
176
179
|
# request are to the upper size limit.
|
@@ -262,15 +265,40 @@ module Aws::STS
|
|
262
265
|
#
|
263
266
|
# @!attribute [rw] token_code
|
264
267
|
# The value provided by the MFA device, if the trust policy of the
|
265
|
-
# role being assumed requires MFA (
|
266
|
-
# condition that tests for MFA). If the role being assumed
|
267
|
-
# MFA and if the `TokenCode` value is missing or expired, the
|
268
|
+
# role being assumed requires MFA. (In other words, if the policy
|
269
|
+
# includes a condition that tests for MFA). If the role being assumed
|
270
|
+
# requires MFA and if the `TokenCode` value is missing or expired, the
|
268
271
|
# `AssumeRole` call returns an "access denied" error.
|
269
272
|
#
|
270
273
|
# The format for this parameter, as described by its regex pattern, is
|
271
274
|
# a sequence of six numeric digits.
|
272
275
|
# @return [String]
|
273
276
|
#
|
277
|
+
# @!attribute [rw] source_identity
|
278
|
+
# The source identity specified by the principal that is calling the
|
279
|
+
# `AssumeRole` operation.
|
280
|
+
#
|
281
|
+
# You can require users to specify a source identity when they assume
|
282
|
+
# a role. You do this by using the `sts:SourceIdentity` condition key
|
283
|
+
# in a role trust policy. You can use source identity information in
|
284
|
+
# AWS CloudTrail logs to determine who took actions with a role. You
|
285
|
+
# can use the `aws:SourceIdentity` condition key to further control
|
286
|
+
# access to AWS resources based on the value of source identity. For
|
287
|
+
# more information about using source identity, see [Monitor and
|
288
|
+
# control actions taken with assumed roles][1] in the *IAM User
|
289
|
+
# Guide*.
|
290
|
+
#
|
291
|
+
# The regex used to validate this parameter is a string of characters
|
292
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
293
|
+
# spaces. You can also include underscores or any of the following
|
294
|
+
# characters: =,.@-. You cannot use a value that begins with the text
|
295
|
+
# `aws:`. This prefix is reserved for AWS internal use.
|
296
|
+
#
|
297
|
+
#
|
298
|
+
#
|
299
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
300
|
+
# @return [String]
|
301
|
+
#
|
274
302
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
|
275
303
|
#
|
276
304
|
class AssumeRoleRequest < Struct.new(
|
@@ -283,7 +311,8 @@ module Aws::STS
|
|
283
311
|
:transitive_tag_keys,
|
284
312
|
:external_id,
|
285
313
|
:serial_number,
|
286
|
-
:token_code
|
314
|
+
:token_code,
|
315
|
+
:source_identity)
|
287
316
|
SENSITIVE = []
|
288
317
|
include Aws::Structure
|
289
318
|
end
|
@@ -318,12 +347,37 @@ module Aws::STS
|
|
318
347
|
# means the policies and tags exceeded the allowed space.
|
319
348
|
# @return [Integer]
|
320
349
|
#
|
350
|
+
# @!attribute [rw] source_identity
|
351
|
+
# The source identity specified by the principal that is calling the
|
352
|
+
# `AssumeRole` operation.
|
353
|
+
#
|
354
|
+
# You can require users to specify a source identity when they assume
|
355
|
+
# a role. You do this by using the `sts:SourceIdentity` condition key
|
356
|
+
# in a role trust policy. You can use source identity information in
|
357
|
+
# AWS CloudTrail logs to determine who took actions with a role. You
|
358
|
+
# can use the `aws:SourceIdentity` condition key to further control
|
359
|
+
# access to AWS resources based on the value of source identity. For
|
360
|
+
# more information about using source identity, see [Monitor and
|
361
|
+
# control actions taken with assumed roles][1] in the *IAM User
|
362
|
+
# Guide*.
|
363
|
+
#
|
364
|
+
# The regex used to validate this parameter is a string of characters
|
365
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
366
|
+
# spaces. You can also include underscores or any of the following
|
367
|
+
# characters: =,.@-
|
368
|
+
#
|
369
|
+
#
|
370
|
+
#
|
371
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
372
|
+
# @return [String]
|
373
|
+
#
|
321
374
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse AWS API Documentation
|
322
375
|
#
|
323
376
|
class AssumeRoleResponse < Struct.new(
|
324
377
|
:credentials,
|
325
378
|
:assumed_role_user,
|
326
|
-
:packed_policy_size
|
379
|
+
:packed_policy_size,
|
380
|
+
:source_identity)
|
327
381
|
SENSITIVE = []
|
328
382
|
include Aws::Structure
|
329
383
|
end
|
@@ -355,8 +409,7 @@ module Aws::STS
|
|
355
409
|
# @return [String]
|
356
410
|
#
|
357
411
|
# @!attribute [rw] saml_assertion
|
358
|
-
# The
|
359
|
-
# IdP.
|
412
|
+
# The base64 encoded SAML authentication response provided by the IdP.
|
360
413
|
#
|
361
414
|
# For more information, see [Configuring a Relying Party and Adding
|
362
415
|
# Claims][1] in the *IAM User Guide*.
|
@@ -372,14 +425,14 @@ module Aws::STS
|
|
372
425
|
# in the same account as the role.
|
373
426
|
#
|
374
427
|
# This parameter is optional. You can provide up to 10 managed policy
|
375
|
-
# ARNs. However, the
|
428
|
+
# ARNs. However, the plaintext that you use for both inline and
|
376
429
|
# managed session policies can't exceed 2,048 characters. For more
|
377
430
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
378
431
|
# Service Namespaces][1] in the AWS General Reference.
|
379
432
|
#
|
380
433
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
381
434
|
# tags into a packed binary format that has a separate limit. Your
|
382
|
-
# request can fail for this limit even if your
|
435
|
+
# request can fail for this limit even if your plaintext meets the
|
383
436
|
# other requirements. The `PackedPolicySize` response element
|
384
437
|
# indicates by percentage how close the policies and tags for your
|
385
438
|
# request are to the upper size limit.
|
@@ -416,7 +469,7 @@ module Aws::STS
|
|
416
469
|
# the role that is being assumed. For more information, see [Session
|
417
470
|
# Policies][1] in the *IAM User Guide*.
|
418
471
|
#
|
419
|
-
# The
|
472
|
+
# The plaintext that you use for both inline and managed session
|
420
473
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
421
474
|
# can be any ASCII character from the space character to the end of
|
422
475
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
@@ -425,7 +478,7 @@ module Aws::STS
|
|
425
478
|
#
|
426
479
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
427
480
|
# tags into a packed binary format that has a separate limit. Your
|
428
|
-
# request can fail for this limit even if your
|
481
|
+
# request can fail for this limit even if your plaintext meets the
|
429
482
|
# other requirements. The `PackedPolicySize` response element
|
430
483
|
# indicates by percentage how close the policies and tags for your
|
431
484
|
# request are to the upper size limit.
|
@@ -537,11 +590,17 @@ module Aws::STS
|
|
537
590
|
# @return [String]
|
538
591
|
#
|
539
592
|
# @!attribute [rw] name_qualifier
|
540
|
-
# A hash value based on the concatenation of the
|
541
|
-
#
|
542
|
-
#
|
543
|
-
#
|
544
|
-
#
|
593
|
+
# A hash value based on the concatenation of the following:
|
594
|
+
#
|
595
|
+
# * The `Issuer` response value.
|
596
|
+
#
|
597
|
+
# * The AWS account ID.
|
598
|
+
#
|
599
|
+
# * The friendly name (the last part of the ARN) of the SAML provider
|
600
|
+
# in IAM.
|
601
|
+
#
|
602
|
+
# The combination of `NameQualifier` and `Subject` can be used to
|
603
|
+
# uniquely identify a federated user.
|
545
604
|
#
|
546
605
|
# The following pseudocode shows how the hash value is calculated:
|
547
606
|
#
|
@@ -549,6 +608,34 @@ module Aws::STS
|
|
549
608
|
# "/MySAMLIdP" ) )`
|
550
609
|
# @return [String]
|
551
610
|
#
|
611
|
+
# @!attribute [rw] source_identity
|
612
|
+
# The value in the `SourceIdentity` attribute in the SAML assertion.
|
613
|
+
#
|
614
|
+
# You can require users to set a source identity value when they
|
615
|
+
# assume a role. You do this by using the `sts:SourceIdentity`
|
616
|
+
# condition key in a role trust policy. That way, actions that are
|
617
|
+
# taken with the role are associated with that user. After the source
|
618
|
+
# identity is set, the value cannot be changed. It is present in the
|
619
|
+
# request for all actions that are taken by the role and persists
|
620
|
+
# across [chained role][1] sessions. You can configure your SAML
|
621
|
+
# identity provider to use an attribute associated with your users,
|
622
|
+
# like user name or email, as the source identity when calling
|
623
|
+
# `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
|
624
|
+
# assertion. For more information about using source identity, see
|
625
|
+
# [Monitor and control actions taken with assumed roles][2] in the
|
626
|
+
# *IAM User Guide*.
|
627
|
+
#
|
628
|
+
# The regex used to validate this parameter is a string of characters
|
629
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
630
|
+
# spaces. You can also include underscores or any of the following
|
631
|
+
# characters: =,.@-
|
632
|
+
#
|
633
|
+
#
|
634
|
+
#
|
635
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
|
636
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
637
|
+
# @return [String]
|
638
|
+
#
|
552
639
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
|
553
640
|
#
|
554
641
|
class AssumeRoleWithSAMLResponse < Struct.new(
|
@@ -559,7 +646,8 @@ module Aws::STS
|
|
559
646
|
:subject_type,
|
560
647
|
:issuer,
|
561
648
|
:audience,
|
562
|
-
:name_qualifier
|
649
|
+
:name_qualifier,
|
650
|
+
:source_identity)
|
563
651
|
SENSITIVE = []
|
564
652
|
include Aws::Structure
|
565
653
|
end
|
@@ -626,14 +714,14 @@ module Aws::STS
|
|
626
714
|
# in the same account as the role.
|
627
715
|
#
|
628
716
|
# This parameter is optional. You can provide up to 10 managed policy
|
629
|
-
# ARNs. However, the
|
717
|
+
# ARNs. However, the plaintext that you use for both inline and
|
630
718
|
# managed session policies can't exceed 2,048 characters. For more
|
631
719
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
632
720
|
# Service Namespaces][1] in the AWS General Reference.
|
633
721
|
#
|
634
722
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
635
723
|
# tags into a packed binary format that has a separate limit. Your
|
636
|
-
# request can fail for this limit even if your
|
724
|
+
# request can fail for this limit even if your plaintext meets the
|
637
725
|
# other requirements. The `PackedPolicySize` response element
|
638
726
|
# indicates by percentage how close the policies and tags for your
|
639
727
|
# request are to the upper size limit.
|
@@ -670,7 +758,7 @@ module Aws::STS
|
|
670
758
|
# the role that is being assumed. For more information, see [Session
|
671
759
|
# Policies][1] in the *IAM User Guide*.
|
672
760
|
#
|
673
|
-
# The
|
761
|
+
# The plaintext that you use for both inline and managed session
|
674
762
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
675
763
|
# can be any ASCII character from the space character to the end of
|
676
764
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
@@ -679,7 +767,7 @@ module Aws::STS
|
|
679
767
|
#
|
680
768
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
681
769
|
# tags into a packed binary format that has a separate limit. Your
|
682
|
-
# request can fail for this limit even if your
|
770
|
+
# request can fail for this limit even if your plaintext meets the
|
683
771
|
# other requirements. The `PackedPolicySize` response element
|
684
772
|
# indicates by percentage how close the policies and tags for your
|
685
773
|
# request are to the upper size limit.
|
@@ -789,6 +877,38 @@ module Aws::STS
|
|
789
877
|
# application that requested the web identity token.
|
790
878
|
# @return [String]
|
791
879
|
#
|
880
|
+
# @!attribute [rw] source_identity
|
881
|
+
# The value of the source identity that is returned in the JSON web
|
882
|
+
# token (JWT) from the identity provider.
|
883
|
+
#
|
884
|
+
# You can require users to set a source identity value when they
|
885
|
+
# assume a role. You do this by using the `sts:SourceIdentity`
|
886
|
+
# condition key in a role trust policy. That way, actions that are
|
887
|
+
# taken with the role are associated with that user. After the source
|
888
|
+
# identity is set, the value cannot be changed. It is present in the
|
889
|
+
# request for all actions that are taken by the role and persists
|
890
|
+
# across [chained role][1] sessions. You can configure your identity
|
891
|
+
# provider to use an attribute associated with your users, like user
|
892
|
+
# name or email, as the source identity when calling
|
893
|
+
# `AssumeRoleWithWebIdentity`. You do this by adding a claim to the
|
894
|
+
# JSON web token. To learn more about OIDC tokens and claims, see
|
895
|
+
# [Using Tokens with User Pools][2] in the *Amazon Cognito Developer
|
896
|
+
# Guide*. For more information about using source identity, see
|
897
|
+
# [Monitor and control actions taken with assumed roles][3] in the
|
898
|
+
# *IAM User Guide*.
|
899
|
+
#
|
900
|
+
# The regex used to validate this parameter is a string of characters
|
901
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
902
|
+
# spaces. You can also include underscores or any of the following
|
903
|
+
# characters: =,.@-
|
904
|
+
#
|
905
|
+
#
|
906
|
+
#
|
907
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
|
908
|
+
# [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
|
909
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
910
|
+
# @return [String]
|
911
|
+
#
|
792
912
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityResponse AWS API Documentation
|
793
913
|
#
|
794
914
|
class AssumeRoleWithWebIdentityResponse < Struct.new(
|
@@ -797,7 +917,8 @@ module Aws::STS
|
|
797
917
|
:assumed_role_user,
|
798
918
|
:packed_policy_size,
|
799
919
|
:provider,
|
800
|
-
:audience
|
920
|
+
:audience,
|
921
|
+
:source_identity)
|
801
922
|
SENSITIVE = []
|
802
923
|
include Aws::Structure
|
803
924
|
end
|
@@ -1074,7 +1195,7 @@ module Aws::STS
|
|
1074
1195
|
# are granted in addition to the permissions that are granted by the
|
1075
1196
|
# session policies.
|
1076
1197
|
#
|
1077
|
-
# The
|
1198
|
+
# The plaintext that you use for both inline and managed session
|
1078
1199
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
1079
1200
|
# can be any ASCII character from the space character to the end of
|
1080
1201
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
@@ -1083,7 +1204,7 @@ module Aws::STS
|
|
1083
1204
|
#
|
1084
1205
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1085
1206
|
# tags into a packed binary format that has a separate limit. Your
|
1086
|
-
# request can fail for this limit even if your
|
1207
|
+
# request can fail for this limit even if your plaintext meets the
|
1087
1208
|
# other requirements. The `PackedPolicySize` response element
|
1088
1209
|
# indicates by percentage how close the policies and tags for your
|
1089
1210
|
# request are to the upper size limit.
|
@@ -1104,7 +1225,7 @@ module Aws::STS
|
|
1104
1225
|
# You must pass an inline or managed [session policy][1] to this
|
1105
1226
|
# operation. You can pass a single JSON policy document to use as an
|
1106
1227
|
# inline session policy. You can also specify up to 10 managed
|
1107
|
-
# policies to use as managed session policies. The
|
1228
|
+
# policies to use as managed session policies. The plaintext that you
|
1108
1229
|
# use for both inline and managed session policies can't exceed 2,048
|
1109
1230
|
# characters. You can provide up to 10 managed policy ARNs. For more
|
1110
1231
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
@@ -1131,7 +1252,7 @@ module Aws::STS
|
|
1131
1252
|
#
|
1132
1253
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1133
1254
|
# tags into a packed binary format that has a separate limit. Your
|
1134
|
-
# request can fail for this limit even if your
|
1255
|
+
# request can fail for this limit even if your plaintext meets the
|
1135
1256
|
# other requirements. The `PackedPolicySize` response element
|
1136
1257
|
# indicates by percentage how close the policies and tags for your
|
1137
1258
|
# request are to the upper size limit.
|
@@ -1160,13 +1281,13 @@ module Aws::STS
|
|
1160
1281
|
# [Passing Session Tags in STS][1] in the *IAM User Guide*.
|
1161
1282
|
#
|
1162
1283
|
# This parameter is optional. You can pass up to 50 session tags. The
|
1163
|
-
#
|
1284
|
+
# plaintext session tag keys can’t exceed 128 characters and the
|
1164
1285
|
# values can’t exceed 256 characters. For these and additional limits,
|
1165
1286
|
# see [IAM and STS Character Limits][2] in the *IAM User Guide*.
|
1166
1287
|
#
|
1167
1288
|
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1168
1289
|
# tags into a packed binary format that has a separate limit. Your
|
1169
|
-
# request can fail for this limit even if your
|
1290
|
+
# request can fail for this limit even if your plaintext meets the
|
1170
1291
|
# other requirements. The `PackedPolicySize` response element
|
1171
1292
|
# indicates by percentage how close the policies and tags for your
|
1172
1293
|
# request are to the upper size limit.
|
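--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-version: 3.
+version: 3.114.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-04-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: jmespath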