aws-sdk-core 3.113.1 → 3.114.0

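--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 22a9b79629fe96dba0c2ab281d0b976827e8681b72736c5344491b5988a2835f
- data.tar.gz: 556f267c1016e41cabd38213669d478c6b27291262e66dd6455c2fed5f087a61
+ metadata.gz: 05c92208568d6da15a22a13751f95250f41f75aee075c229041d9e5143508541
+ data.tar.gz: 117caabce8194db97c873fd92597cbfcd1628f35f218233c7dd45d745e0796af
  SHA512:
- metadata.gz: bea46ccd2d82d78a1be079e887a4cb2721a50eca0e3111b8ed86e7f4ea45e1b35a2d0fdff80b99088b04a53c16e26c5fd7b4072e8ff75efb4509d129ff8ffc07
- data.tar.gz: bcae08d043d43dfdd0f31aa1e6b29cfd6b5eee9da2c00d6a2ddad56f93cb57bc33cd1f121b694528cab2498ade089c1b685bafab716fd40eec9612ca8ae9effe
+ metadata.gz: c02e113926180f3a3fc82788b1017501ca7ff1e247dbaded8d3ea78cd35d3f5e4fb2c2e546e8327b1060d61824feab5750f820a04a3ae4d406c82c3ca25ad905
+ data.tar.gz: e6eca7b1d0823f668bcff24331006def2d46ff43672da88612472e4ec2474f1bba1b0dc410f6e4a6897017f21cf7e4a452614a4657228d5246d3fba3895703a7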
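--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,11 @@
  Unreleased Changes
  ------------------
 
+ 3.114.0 (2021-04-13)
+ ------------------
+
+ * Feature - Updated Aws::STS::Client with the latest API changes.
+
  3.113.1 (2021-03-29)
  ------------------
 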
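--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 3.113.1
+ 3.114.0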
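--- a/data/lib/aws-sdk-sso.rb
+++ b/data/lib/aws-sdk-sso.rb
@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sso/customizations'
  # @!group service
  module Aws::SSO
 
- GEM_VERSION = '3.113.1'
+ GEM_VERSION = '3.114.0'
 
  end
@@ -523,7 +523,7 @@ module Aws::SSO
  params: params,
  config: config)
  context[:gem_name] = 'aws-sdk-core'
- context[:gem_version] = '3.113.1'
+ context[:gem_version] = '3.114.0'
  Seahorse::Client::Request.new(handlers, context)
  end
 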
data/lib/aws-sdk-sts.rb CHANGED
@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sts/customizations'
50
50
  # @!group service
51
51
  module Aws::STS
52
52
 
53
- GEM_VERSION = '3.113.1'
53
+ GEM_VERSION = '3.114.0'
54
54
 
55
55
  end
@@ -343,35 +343,6 @@ module Aws::STS
343
343
  # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
344
344
  # STS API operations][2] in the *IAM User Guide*.
345
345
  #
346
- # You cannot use AWS account root user credentials to call `AssumeRole`.
347
- # You must use credentials for an IAM user or an IAM role to call
348
- # `AssumeRole`.
349
- #
350
- # For cross-account access, imagine that you own multiple accounts and
351
- # need to access resources in each account. You could create long-term
352
- # credentials in each account to access those resources. However,
353
- # managing all those credentials and remembering which one can access
354
- # which account can be time consuming. Instead, you can create one set
355
- # of long-term credentials in one account. Then use temporary security
356
- # credentials to access all the other accounts by assuming roles in
357
- # those accounts. For more information about roles, see [IAM Roles][3]
358
- # in the *IAM User Guide*.
359
- #
360
- # **Session Duration**
361
- #
362
- # By default, the temporary security credentials created by `AssumeRole`
363
- # last for one hour. However, you can use the optional `DurationSeconds`
364
- # parameter to specify the duration of your session. You can provide a
365
- # value from 900 seconds (15 minutes) up to the maximum session duration
366
- # setting for the role. This setting can have a value from 1 hour to 12
367
- # hours. To learn how to view the maximum value for your role, see [View
368
- # the Maximum Session Duration Setting for a Role][4] in the *IAM User
369
- # Guide*. The maximum session duration limit applies when you use the
370
- # `AssumeRole*` API operations or the `assume-role*` CLI commands.
371
- # However the limit does not apply when you use those operations to
372
- # create a console URL. For more information, see [Using IAM Roles][5]
373
- # in the *IAM User Guide*.
374
- #
375
346
  # **Permissions**
376
347
  #
377
348
  # The temporary security credentials created by `AssumeRole` can be used
@@ -379,10 +350,10 @@ module Aws::STS
379
350
  # cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
380
351
  # operations.
381
352
  #
382
- # (Optional) You can pass inline or managed [session policies][6] to
353
+ # (Optional) You can pass inline or managed [session policies][3] to
383
354
  # this operation. You can pass a single JSON policy document to use as
384
355
  # an inline session policy. You can also specify up to 10 managed
385
- # policies to use as managed session policies. The plain text that you
356
+ # policies to use as managed session policies. The plaintext that you
386
357
  # use for both inline and managed session policies can't exceed 2,048
387
358
  # characters. Passing policies to this operation returns new temporary
388
359
  # credentials. The resulting session's permissions are the intersection
@@ -391,7 +362,7 @@ module Aws::STS
391
362
  # access resources in the account that owns the role. You cannot use
392
363
  # session policies to grant more permissions than those allowed by the
393
364
  # identity-based policy of the role that is being assumed. For more
394
- # information, see [Session Policies][6] in the *IAM User Guide*.
365
+ # information, see [Session Policies][3] in the *IAM User Guide*.
395
366
  #
396
367
  # To assume a role from a different account, your AWS account must be
397
368
  # trusted by the role. The trust relationship is defined in the role's
@@ -413,24 +384,24 @@ module Aws::STS
413
384
  # In this case, the trust policy acts as an IAM resource-based policy.
414
385
  # Users in the same account as the role do not need explicit permission
415
386
  # to assume the role. For more information about trust policies and
416
- # resource-based policies, see [IAM Policies][7] in the *IAM User
387
+ # resource-based policies, see [IAM Policies][4] in the *IAM User
417
388
  # Guide*.
418
389
  #
419
390
  # **Tags**
420
391
  #
421
392
  # (Optional) You can pass tag key-value pairs to your session. These
422
393
  # tags are called session tags. For more information about session tags,
423
- # see [Passing Session Tags in STS][8] in the *IAM User Guide*.
394
+ # see [Passing Session Tags in STS][5] in the *IAM User Guide*.
424
395
  #
425
396
  # An administrator must grant you the permissions necessary to pass
426
397
  # session tags. The administrator can also create granular permissions
427
398
  # to allow you to pass only specific session tags. For more information,
428
- # see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
399
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][6] in
429
400
  # the *IAM User Guide*.
430
401
  #
431
402
  # You can set the session tags as transitive. Transitive tags persist
432
403
  # during role chaining. For more information, see [Chaining Roles with
433
- # Session Tags][10] in the *IAM User Guide*.
404
+ # Session Tags][7] in the *IAM User Guide*.
434
405
  #
435
406
  # **Using MFA with AssumeRole**
436
407
  #
@@ -446,8 +417,8 @@ module Aws::STS
446
417
  #
447
418
  # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
448
419
  #
449
- # For more information, see [Configuring MFA-Protected API Access][11]
450
- # in the *IAM User Guide* guide.
420
+ # For more information, see [Configuring MFA-Protected API Access][8] in
421
+ # the *IAM User Guide* guide.
451
422
  #
452
423
  # To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
453
424
  # and `TokenCode` parameters. The `SerialNumber` value identifies the
@@ -458,15 +429,12 @@ module Aws::STS
458
429
  #
459
430
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
460
431
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
461
- # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
462
- # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
463
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
464
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
465
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
466
- # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
467
- # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
468
- # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
469
- # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
432
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
433
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
434
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
435
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
436
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
437
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
470
438
  #
471
439
  # @option params [required, String] :role_arn
472
440
  # The Amazon Resource Name (ARN) of the role to assume.
@@ -494,17 +462,17 @@ module Aws::STS
494
462
  # the same account as the role.
495
463
  #
496
464
  # This parameter is optional. You can provide up to 10 managed policy
497
- # ARNs. However, the plain text that you use for both inline and managed
465
+ # ARNs. However, the plaintext that you use for both inline and managed
498
466
  # session policies can't exceed 2,048 characters. For more information
499
467
  # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
500
468
  # Namespaces][1] in the AWS General Reference.
501
469
  #
502
470
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
503
471
  # tags into a packed binary format that has a separate limit. Your
504
- # request can fail for this limit even if your plain text meets the
505
- # other requirements. The `PackedPolicySize` response element indicates
506
- # by percentage how close the policies and tags for your request are to
507
- # the upper size limit.
472
+ # request can fail for this limit even if your plaintext meets the other
473
+ # requirements. The `PackedPolicySize` response element indicates by
474
+ # percentage how close the policies and tags for your request are to the
475
+ # upper size limit.
508
476
  #
509
477
  # </note>
510
478
  #
@@ -536,7 +504,7 @@ module Aws::STS
536
504
  # assumed. For more information, see [Session Policies][1] in the *IAM
537
505
  # User Guide*.
538
506
  #
539
- # The plain text that you use for both inline and managed session
507
+ # The plaintext that you use for both inline and managed session
540
508
  # policies can't exceed 2,048 characters. The JSON policy characters
541
509
  # can be any ASCII character from the space character to the end of the
542
510
  # valid character list (\\u0020 through \\u00FF). It can also include
@@ -545,10 +513,10 @@ module Aws::STS
545
513
  #
546
514
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
547
515
  # tags into a packed binary format that has a separate limit. Your
548
- # request can fail for this limit even if your plain text meets the
549
- # other requirements. The `PackedPolicySize` response element indicates
550
- # by percentage how close the policies and tags for your request are to
551
- # the upper size limit.
516
+ # request can fail for this limit even if your plaintext meets the other
517
+ # requirements. The `PackedPolicySize` response element indicates by
518
+ # percentage how close the policies and tags for your request are to the
519
+ # upper size limit.
552
520
  #
553
521
  # </note>
554
522
  #
@@ -557,15 +525,16 @@ module Aws::STS
557
525
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
558
526
  #
559
527
  # @option params [Integer] :duration_seconds
560
- # The duration, in seconds, of the role session. The value can range
561
- # from 900 seconds (15 minutes) up to the maximum session duration
562
- # setting for the role. This setting can have a value from 1 hour to 12
563
- # hours. If you specify a value higher than this setting, the operation
564
- # fails. For example, if you specify a session duration of 12 hours, but
565
- # your administrator set the maximum session duration to 6 hours, your
566
- # operation fails. To learn how to view the maximum value for your role,
567
- # see [View the Maximum Session Duration Setting for a Role][1] in the
568
- # *IAM User Guide*.
528
+ # The duration, in seconds, of the role session. The value specified can
529
+ # can range from 900 seconds (15 minutes) up to the maximum session
530
+ # duration that is set for the role. The maximum session duration
531
+ # setting can have a value from 1 hour to 12 hours. If you specify a
532
+ # value higher than this setting or the administrator setting (whichever
533
+ # is lower), the operation fails. For example, if you specify a session
534
+ # duration of 12 hours, but your administrator set the maximum session
535
+ # duration to 6 hours, your operation fails. To learn how to view the
536
+ # maximum value for your role, see [View the Maximum Session Duration
537
+ # Setting for a Role][1] in the *IAM User Guide*.
569
538
  #
570
539
  # By default, the value is set to `3600` seconds.
571
540
  #
@@ -591,16 +560,16 @@ module Aws::STS
591
560
  # Guide*.
592
561
  #
593
562
  # This parameter is optional. You can pass up to 50 session tags. The
594
- # plain text session tag keys can’t exceed 128 characters, and the
595
- # values can’t exceed 256 characters. For these and additional limits,
596
- # see [IAM and STS Character Limits][2] in the *IAM User Guide*.
563
+ # plaintext session tag keys can’t exceed 128 characters, and the values
564
+ # can’t exceed 256 characters. For these and additional limits, see [IAM
565
+ # and STS Character Limits][2] in the *IAM User Guide*.
597
566
  #
598
567
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
599
568
  # tags into a packed binary format that has a separate limit. Your
600
- # request can fail for this limit even if your plain text meets the
601
- # other requirements. The `PackedPolicySize` response element indicates
602
- # by percentage how close the policies and tags for your request are to
603
- # the upper size limit.
569
+ # request can fail for this limit even if your plaintext meets the other
570
+ # requirements. The `PackedPolicySize` response element indicates by
571
+ # percentage how close the policies and tags for your request are to the
572
+ # upper size limit.
604
573
  #
605
574
  # </note>
606
575
  #
@@ -683,7 +652,7 @@ module Aws::STS
683
652
  #
684
653
  # @option params [String] :token_code
685
654
  # The value provided by the MFA device, if the trust policy of the role
686
- # being assumed requires MFA (that is, if the policy includes a
655
+ # being assumed requires MFA. (In other words, if the policy includes a
687
656
  # condition that tests for MFA). If the role being assumed requires MFA
688
657
  # and if the `TokenCode` value is missing or expired, the `AssumeRole`
689
658
  # call returns an "access denied" error.
@@ -691,11 +660,35 @@ module Aws::STS
691
660
  # The format for this parameter, as described by its regex pattern, is a
692
661
  # sequence of six numeric digits.
693
662
  #
663
+ # @option params [String] :source_identity
664
+ # The source identity specified by the principal that is calling the
665
+ # `AssumeRole` operation.
666
+ #
667
+ # You can require users to specify a source identity when they assume a
668
+ # role. You do this by using the `sts:SourceIdentity` condition key in a
669
+ # role trust policy. You can use source identity information in AWS
670
+ # CloudTrail logs to determine who took actions with a role. You can use
671
+ # the `aws:SourceIdentity` condition key to further control access to
672
+ # AWS resources based on the value of source identity. For more
673
+ # information about using source identity, see [Monitor and control
674
+ # actions taken with assumed roles][1] in the *IAM User Guide*.
675
+ #
676
+ # The regex used to validate this parameter is a string of characters
677
+ # consisting of upper- and lower-case alphanumeric characters with no
678
+ # spaces. You can also include underscores or any of the following
679
+ # characters: =,.@-. You cannot use a value that begins with the text
680
+ # `aws:`. This prefix is reserved for AWS internal use.
681
+ #
682
+ #
683
+ #
684
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
685
+ #
694
686
  # @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
695
687
  #
696
688
  # * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
697
689
  # * {Types::AssumeRoleResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
698
690
  # * {Types::AssumeRoleResponse#packed_policy_size #packed_policy_size} => Integer
691
+ # * {Types::AssumeRoleResponse#source_identity #source_identity} => String
699
692
  #
700
693
  #
701
694
  # @example Example: To assume a role
@@ -762,6 +755,7 @@ module Aws::STS
762
755
  # external_id: "externalIdType",
763
756
  # serial_number: "serialNumberType",
764
757
  # token_code: "tokenCodeType",
758
+ # source_identity: "sourceIdentityType",
765
759
  # })
766
760
  #
767
761
  # @example Response structure
@@ -773,6 +767,7 @@ module Aws::STS
773
767
  # resp.assumed_role_user.assumed_role_id #=> String
774
768
  # resp.assumed_role_user.arn #=> String
775
769
  # resp.packed_policy_size #=> Integer
770
+ # resp.source_identity #=> String
776
771
  #
777
772
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole AWS API Documentation
778
773
  #
@@ -815,6 +810,17 @@ module Aws::STS
815
810
  # use those operations to create a console URL. For more information,
816
811
  # see [Using IAM Roles][4] in the *IAM User Guide*.
817
812
  #
813
+ # <note markdown="1"> [Role chaining][5] limits your AWS CLI or AWS API role session to a
814
+ # maximum of one hour. When you use the `AssumeRole` API operation to
815
+ # assume a role, you can specify the duration of your role session with
816
+ # the `DurationSeconds` parameter. You can specify a parameter value of
817
+ # up to 43200 seconds (12 hours), depending on the maximum session
818
+ # duration setting for your role. However, if you assume a role using
819
+ # role chaining and provide a `DurationSeconds` parameter value greater
820
+ # than one hour, the operation fails.
821
+ #
822
+ # </note>
823
+ #
818
824
  # **Permissions**
819
825
  #
820
826
  # The temporary security credentials created by `AssumeRoleWithSAML` can
@@ -822,10 +828,10 @@ module Aws::STS
822
828
  # exception: you cannot call the STS `GetFederationToken` or
823
829
  # `GetSessionToken` API operations.
824
830
  #
825
- # (Optional) You can pass inline or managed [session policies][5] to
831
+ # (Optional) You can pass inline or managed [session policies][6] to
826
832
  # this operation. You can pass a single JSON policy document to use as
827
833
  # an inline session policy. You can also specify up to 10 managed
828
- # policies to use as managed session policies. The plain text that you
834
+ # policies to use as managed session policies. The plaintext that you
829
835
  # use for both inline and managed session policies can't exceed 2,048
830
836
  # characters. Passing policies to this operation returns new temporary
831
837
  # credentials. The resulting session's permissions are the intersection
@@ -834,7 +840,7 @@ module Aws::STS
834
840
  # access resources in the account that owns the role. You cannot use
835
841
  # session policies to grant more permissions than those allowed by the
836
842
  # identity-based policy of the role that is being assumed. For more
837
- # information, see [Session Policies][5] in the *IAM User Guide*.
843
+ # information, see [Session Policies][6] in the *IAM User Guide*.
838
844
  #
839
845
  # Calling `AssumeRoleWithSAML` does not require the use of AWS security
840
846
  # credentials. The identity of the caller is validated by using keys in
@@ -853,19 +859,19 @@ module Aws::STS
853
859
  # (Optional) You can configure your IdP to pass attributes into your
854
860
  # SAML assertion as session tags. Each session tag consists of a key
855
861
  # name and an associated value. For more information about session tags,
856
- # see [Passing Session Tags in STS][6] in the *IAM User Guide*.
862
+ # see [Passing Session Tags in STS][7] in the *IAM User Guide*.
857
863
  #
858
- # You can pass up to 50 session tags. The plain text session tag keys
864
+ # You can pass up to 50 session tags. The plaintext session tag keys
859
865
  # can’t exceed 128 characters and the values can’t exceed 256
860
866
  # characters. For these and additional limits, see [IAM and STS
861
- # Character Limits][7] in the *IAM User Guide*.
867
+ # Character Limits][8] in the *IAM User Guide*.
862
868
  #
863
869
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
864
870
  # tags into a packed binary format that has a separate limit. Your
865
- # request can fail for this limit even if your plain text meets the
866
- # other requirements. The `PackedPolicySize` response element indicates
867
- # by percentage how close the policies and tags for your request are to
868
- # the upper size limit.
871
+ # request can fail for this limit even if your plaintext meets the other
872
+ # requirements. The `PackedPolicySize` response element indicates by
873
+ # percentage how close the policies and tags for your request are to the
874
+ # upper size limit.
869
875
  #
870
876
  # </note>
871
877
  #
@@ -876,12 +882,12 @@ module Aws::STS
876
882
  # An administrator must grant you the permissions necessary to pass
877
883
  # session tags. The administrator can also create granular permissions
878
884
  # to allow you to pass only specific session tags. For more information,
879
- # see [Tutorial: Using Tags for Attribute-Based Access Control][8] in
885
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
880
886
  # the *IAM User Guide*.
881
887
  #
882
888
  # You can set the session tags as transitive. Transitive tags persist
883
889
  # during role chaining. For more information, see [Chaining Roles with
884
- # Session Tags][9] in the *IAM User Guide*.
890
+ # Session Tags][10] in the *IAM User Guide*.
885
891
  #
886
892
  # **SAML Configuration**
887
893
  #
@@ -894,14 +900,14 @@ module Aws::STS
894
900
  #
895
901
  # For more information, see the following resources:
896
902
  #
897
- # * [About SAML 2.0-based Federation][10] in the *IAM User Guide*.
903
+ # * [About SAML 2.0-based Federation][11] in the *IAM User Guide*.
898
904
  #
899
- # * [Creating SAML Identity Providers][11] in the *IAM User Guide*.
905
+ # * [Creating SAML Identity Providers][12] in the *IAM User Guide*.
900
906
  #
901
- # * [Configuring a Relying Party and Claims][12] in the *IAM User
907
+ # * [Configuring a Relying Party and Claims][13] in the *IAM User
902
908
  # Guide*.
903
909
  #
904
- # * [Creating a Role for SAML 2.0 Federation][13] in the *IAM User
910
+ # * [Creating a Role for SAML 2.0 Federation][14] in the *IAM User
905
911
  # Guide*.
906
912
  #
907
913
  #
@@ -910,15 +916,16 @@ module Aws::STS
910
916
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
911
917
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
912
918
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
913
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
914
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
915
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
916
- # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
917
- # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
918
- # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
919
- # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
920
- # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
921
- # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
919
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
920
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
921
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
922
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
923
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
924
+ # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
925
+ # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
926
+ # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
927
+ # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
928
+ # [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
922
929
  #
923
930
  # @option params [required, String] :role_arn
924
931
  # The Amazon Resource Name (ARN) of the role that the caller is
@@ -929,7 +936,7 @@ module Aws::STS
929
936
  # describes the IdP.
930
937
  #
931
938
  # @option params [required, String] :saml_assertion
932
- # The base-64 encoded SAML authentication response provided by the IdP.
939
+ # The base64 encoded SAML authentication response provided by the IdP.
933
940
  #
934
941
  # For more information, see [Configuring a Relying Party and Adding
935
942
  # Claims][1] in the *IAM User Guide*.
@@ -944,17 +951,17 @@ module Aws::STS
944
951
  # the same account as the role.
945
952
  #
946
953
  # This parameter is optional. You can provide up to 10 managed policy
947
- # ARNs. However, the plain text that you use for both inline and managed
954
+ # ARNs. However, the plaintext that you use for both inline and managed
948
955
  # session policies can't exceed 2,048 characters. For more information
949
956
  # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
950
957
  # Namespaces][1] in the AWS General Reference.
951
958
  #
952
959
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
953
960
  # tags into a packed binary format that has a separate limit. Your
954
- # request can fail for this limit even if your plain text meets the
955
- # other requirements. The `PackedPolicySize` response element indicates
956
- # by percentage how close the policies and tags for your request are to
957
- # the upper size limit.
961
+ # request can fail for this limit even if your plaintext meets the other
962
+ # requirements. The `PackedPolicySize` response element indicates by
963
+ # percentage how close the policies and tags for your request are to the
964
+ # upper size limit.
958
965
  #
959
966
  # </note>
960
967
  #
@@ -986,7 +993,7 @@ module Aws::STS
986
993
  # assumed. For more information, see [Session Policies][1] in the *IAM
987
994
  # User Guide*.
988
995
  #
989
- # The plain text that you use for both inline and managed session
996
+ # The plaintext that you use for both inline and managed session
990
997
  # policies can't exceed 2,048 characters. The JSON policy characters
991
998
  # can be any ASCII character from the space character to the end of the
992
999
  # valid character list (\\u0020 through \\u00FF). It can also include
@@ -995,10 +1002,10 @@ module Aws::STS
995
1002
  #
996
1003
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
997
1004
  # tags into a packed binary format that has a separate limit. Your
998
- # request can fail for this limit even if your plain text meets the
999
- # other requirements. The `PackedPolicySize` response element indicates
1000
- # by percentage how close the policies and tags for your request are to
1001
- # the upper size limit.
1005
+ # request can fail for this limit even if your plaintext meets the other
1006
+ # requirements. The `PackedPolicySize` response element indicates by
1007
+ # percentage how close the policies and tags for your request are to the
1008
+ # upper size limit.
1002
1009
  #
1003
1010
  # </note>
1004
1011
  #
@@ -1047,6 +1054,7 @@ module Aws::STS
1047
1054
  # * {Types::AssumeRoleWithSAMLResponse#issuer #issuer} => String
1048
1055
  # * {Types::AssumeRoleWithSAMLResponse#audience #audience} => String
1049
1056
  # * {Types::AssumeRoleWithSAMLResponse#name_qualifier #name_qualifier} => String
1057
+ # * {Types::AssumeRoleWithSAMLResponse#source_identity #source_identity} => String
1050
1058
  #
1051
1059
  #
1052
1060
  # @example Example: To assume a role using a SAML assertion
@@ -1107,6 +1115,7 @@ module Aws::STS
1107
1115
  # resp.issuer #=> String
1108
1116
  # resp.audience #=> String
1109
1117
  # resp.name_qualifier #=> String
1118
+ # resp.source_identity #=> String
1110
1119
  #
1111
1120
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML AWS API Documentation
1112
1121
  #
@@ -1176,7 +1185,7 @@ module Aws::STS
1176
1185
  # (Optional) You can pass inline or managed [session policies][9] to
1177
1186
  # this operation. You can pass a single JSON policy document to use as
1178
1187
  # an inline session policy. You can also specify up to 10 managed
1179
- # policies to use as managed session policies. The plain text that you
1188
+ # policies to use as managed session policies. The plaintext that you
1180
1189
  # use for both inline and managed session policies can't exceed 2,048
1181
1190
  # characters. Passing policies to this operation returns new temporary
1182
1191
  # credentials. The resulting session's permissions are the intersection
@@ -1194,17 +1203,17 @@ module Aws::STS
1194
1203
  # name and an associated value. For more information about session tags,
1195
1204
  # see [Passing Session Tags in STS][10] in the *IAM User Guide*.
1196
1205
  #
1197
- # You can pass up to 50 session tags. The plain text session tag keys
1206
+ # You can pass up to 50 session tags. The plaintext session tag keys
1198
1207
  # can’t exceed 128 characters and the values can’t exceed 256
1199
1208
  # characters. For these and additional limits, see [IAM and STS
1200
1209
  # Character Limits][11] in the *IAM User Guide*.
1201
1210
  #
1202
1211
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1203
1212
  # tags into a packed binary format that has a separate limit. Your
1204
- # request can fail for this limit even if your plain text meets the
1205
- # other requirements. The `PackedPolicySize` response element indicates
1206
- # by percentage how close the policies and tags for your request are to
1207
- # the upper size limit.
1213
+ # request can fail for this limit even if your plaintext meets the other
1214
+ # requirements. The `PackedPolicySize` response element indicates by
1215
+ # percentage how close the policies and tags for your request are to the
1216
+ # upper size limit.
1208
1217
  #
1209
1218
  # </note>
1210
1219
  #
@@ -1233,7 +1242,7 @@ module Aws::STS
1233
1242
  #
1234
1243
  # Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
1235
1244
  # CloudTrail logs. The entry includes the [Subject][14] of the provided
1236
- # Web Identity Token. We recommend that you avoid using any personally
1245
+ # web identity token. We recommend that you avoid using any personally
1237
1246
  # identifiable information (PII) in this field. For example, you could
1238
1247
  # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
1239
1248
  # specification][15].
@@ -1322,17 +1331,17 @@ module Aws::STS
1322
1331
  # the same account as the role.
1323
1332
  #
1324
1333
  # This parameter is optional. You can provide up to 10 managed policy
1325
- # ARNs. However, the plain text that you use for both inline and managed
1334
+ # ARNs. However, the plaintext that you use for both inline and managed
1326
1335
  # session policies can't exceed 2,048 characters. For more information
1327
1336
  # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
1328
1337
  # Namespaces][1] in the AWS General Reference.
1329
1338
  #
1330
1339
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1331
1340
  # tags into a packed binary format that has a separate limit. Your
1332
- # request can fail for this limit even if your plain text meets the
1333
- # other requirements. The `PackedPolicySize` response element indicates
1334
- # by percentage how close the policies and tags for your request are to
1335
- # the upper size limit.
1341
+ # request can fail for this limit even if your plaintext meets the other
1342
+ # requirements. The `PackedPolicySize` response element indicates by
1343
+ # percentage how close the policies and tags for your request are to the
1344
+ # upper size limit.
1336
1345
  #
1337
1346
  # </note>
1338
1347
  #
@@ -1364,7 +1373,7 @@ module Aws::STS
1364
1373
  # assumed. For more information, see [Session Policies][1] in the *IAM
1365
1374
  # User Guide*.
1366
1375
  #
1367
- # The plain text that you use for both inline and managed session
1376
+ # The plaintext that you use for both inline and managed session
1368
1377
  # policies can't exceed 2,048 characters. The JSON policy characters
1369
1378
  # can be any ASCII character from the space character to the end of the
1370
1379
  # valid character list (\\u0020 through \\u00FF). It can also include
@@ -1373,10 +1382,10 @@ module Aws::STS
1373
1382
  #
1374
1383
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1375
1384
  # tags into a packed binary format that has a separate limit. Your
1376
- # request can fail for this limit even if your plain text meets the
1377
- # other requirements. The `PackedPolicySize` response element indicates
1378
- # by percentage how close the policies and tags for your request are to
1379
- # the upper size limit.
1385
+ # request can fail for this limit even if your plaintext meets the other
1386
+ # requirements. The `PackedPolicySize` response element indicates by
1387
+ # percentage how close the policies and tags for your request are to the
1388
+ # upper size limit.
1380
1389
  #
1381
1390
  # </note>
1382
1391
  #
@@ -1420,6 +1429,7 @@ module Aws::STS
1420
1429
  # * {Types::AssumeRoleWithWebIdentityResponse#packed_policy_size #packed_policy_size} => Integer
1421
1430
  # * {Types::AssumeRoleWithWebIdentityResponse#provider #provider} => String
1422
1431
  # * {Types::AssumeRoleWithWebIdentityResponse#audience #audience} => String
1432
+ # * {Types::AssumeRoleWithWebIdentityResponse#source_identity #source_identity} => String
1423
1433
  #
1424
1434
  #
1425
1435
  # @example Example: To assume a role as an OpenID Connect-federated user
@@ -1479,6 +1489,7 @@ module Aws::STS
1479
1489
  # resp.packed_policy_size #=> Integer
1480
1490
  # resp.provider #=> String
1481
1491
  # resp.audience #=> String
1492
+ # resp.source_identity #=> String
1482
1493
  #
1483
1494
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity AWS API Documentation
1484
1495
  #
@@ -1763,6 +1774,72 @@ module Aws::STS
1763
1774
  # You must pass an inline or managed [session policy][6] to this
1764
1775
  # operation. You can pass a single JSON policy document to use as an
1765
1776
  # inline session policy. You can also specify up to 10 managed policies
1777
+ # to use as managed session policies. The plaintext that you use for
1778
+ # both inline and managed session policies can't exceed 2,048
1779
+ # characters.
1780
+ #
1781
+ # Though the session policy parameters are optional, if you do not pass
1782
+ # a policy, then the resulting federated user session has no
1783
+ # permissions. When you pass session policies, the session permissions
1784
+ # are the intersection of the IAM user policies and the session policies
1785
+ # that you pass. This gives you a way to further restrict the
1786
+ # permissions for a federated user. You cannot use session policies to
1787
+ # grant more permissions than those that are defined in the permissions
1788
+ # policy of the IAM user. For more information, see [Session
1789
+ # Policies][6] in the *IAM User Guide*. For information about using
1790
+ # `GetFederationToken` to create temporary security credentials, see
1791
+ # [GetFederationToken—Federation Through a Custom Identity Broker][7].
1792
+ #
1793
+ # You can use the credentials to access a resource that has a
1794
+ # resource-based policy. If that policy specifically references the
1795
+ # federated user session in the `Principal` element of the policy, the
1796
+ # session has the permissions allowed by the policy. These permissions
1797
+ # are granted in addition to the permissions granted by the session
1798
+ # policies.
1799
+ #
1800
+ # **Tags**
1801
+ #
1802
+ # (Optional) You can pass tag key-value pairs to your session. These are
1803
+ # called session tags. For more information about session tags, see
1804
+ # [Passing Session Tags in STS][8] in the *IAM User Guide*.
1805
+ #
1806
+ # <note markdown="1"> You can create a mobile-based or browser-based app that can
1807
+ # authenticate users using a web identity provider like Login with
1808
+ # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
1809
+ # provider. In this case, we recommend that you use [Amazon Cognito][3]
1810
+ # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
1811
+ # Through a Web-based Identity Provider][4] in the *IAM User Guide*.
1812
+ #
1813
+ # </note>
1814
+ #
1815
+ # You can also call `GetFederationToken` using the security credentials
1816
+ # of an AWS account root user, but we do not recommend it. Instead, we
1817
+ # recommend that you create an IAM user for the purpose of the proxy
1818
+ # application. Then attach a policy to the IAM user that limits
1819
+ # federated users to only the actions and resources that they need to
1820
+ # access. For more information, see [IAM Best Practices][5] in the *IAM
1821
+ # User Guide*.
1822
+ #
1823
+ # **Session duration**
1824
+ #
1825
+ # The temporary credentials are valid for the specified duration, from
1826
+ # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1827
+ # hours). The default session duration is 43,200 seconds (12 hours).
1828
+ # Temporary credentials that are obtained by using AWS account root user
1829
+ # credentials have a maximum duration of 3,600 seconds (1 hour).
1830
+ #
1831
+ # **Permissions**
1832
+ #
1833
+ # You can use the temporary credentials created by `GetFederationToken`
1834
+ # in any AWS service except the following:
1835
+ #
1836
+ # * You cannot call any IAM operations using the AWS CLI or the AWS API.
1837
+ #
1838
+ # * You cannot call any STS operations except `GetCallerIdentity`.
1839
+ #
1840
+ # You must pass an inline or managed [session policy][6] to this
1841
+ # operation. You can pass a single JSON policy document to use as an
1842
+ # inline session policy. You can also specify up to 10 managed policies
1766
1843
  # to use as managed session policies. The plain text that you use for
1767
1844
  # both inline and managed session policies can't exceed 2,048
1768
1845
  # characters.
@@ -1857,7 +1934,7 @@ module Aws::STS
1857
1934
  # are granted in addition to the permissions that are granted by the
1858
1935
  # session policies.
1859
1936
  #
1860
- # The plain text that you use for both inline and managed session
1937
+ # The plaintext that you use for both inline and managed session
1861
1938
  # policies can't exceed 2,048 characters. The JSON policy characters
1862
1939
  # can be any ASCII character from the space character to the end of the
1863
1940
  # valid character list (\\u0020 through \\u00FF). It can also include
@@ -1866,10 +1943,10 @@ module Aws::STS
1866
1943
  #
1867
1944
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1868
1945
  # tags into a packed binary format that has a separate limit. Your
1869
- # request can fail for this limit even if your plain text meets the
1870
- # other requirements. The `PackedPolicySize` response element indicates
1871
- # by percentage how close the policies and tags for your request are to
1872
- # the upper size limit.
1946
+ # request can fail for this limit even if your plaintext meets the other
1947
+ # requirements. The `PackedPolicySize` response element indicates by
1948
+ # percentage how close the policies and tags for your request are to the
1949
+ # upper size limit.
1873
1950
  #
1874
1951
  # </note>
1875
1952
  #
@@ -1885,7 +1962,7 @@ module Aws::STS
1885
1962
  # You must pass an inline or managed [session policy][1] to this
1886
1963
  # operation. You can pass a single JSON policy document to use as an
1887
1964
  # inline session policy. You can also specify up to 10 managed policies
1888
- # to use as managed session policies. The plain text that you use for
1965
+ # to use as managed session policies. The plaintext that you use for
1889
1966
  # both inline and managed session policies can't exceed 2,048
1890
1967
  # characters. You can provide up to 10 managed policy ARNs. For more
1891
1968
  # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
@@ -1912,10 +1989,10 @@ module Aws::STS
1912
1989
  #
1913
1990
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1914
1991
  # tags into a packed binary format that has a separate limit. Your
1915
- # request can fail for this limit even if your plain text meets the
1916
- # other requirements. The `PackedPolicySize` response element indicates
1917
- # by percentage how close the policies and tags for your request are to
1918
- # the upper size limit.
1992
+ # request can fail for this limit even if your plaintext meets the other
1993
+ # requirements. The `PackedPolicySize` response element indicates by
1994
+ # percentage how close the policies and tags for your request are to the
1995
+ # upper size limit.
1919
1996
  #
1920
1997
  # </note>
1921
1998
  #
@@ -1939,16 +2016,16 @@ module Aws::STS
1939
2016
  # [Passing Session Tags in STS][1] in the *IAM User Guide*.
1940
2017
  #
1941
2018
  # This parameter is optional. You can pass up to 50 session tags. The
1942
- # plain text session tag keys can’t exceed 128 characters and the values
2019
+ # plaintext session tag keys can’t exceed 128 characters and the values
1943
2020
  # can’t exceed 256 characters. For these and additional limits, see [IAM
1944
2021
  # and STS Character Limits][2] in the *IAM User Guide*.
1945
2022
  #
1946
2023
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1947
2024
  # tags into a packed binary format that has a separate limit. Your
1948
- # request can fail for this limit even if your plain text meets the
1949
- # other requirements. The `PackedPolicySize` response element indicates
1950
- # by percentage how close the policies and tags for your request are to
1951
- # the upper size limit.
2025
+ # request can fail for this limit even if your plaintext meets the other
2026
+ # requirements. The `PackedPolicySize` response element indicates by
2027
+ # percentage how close the policies and tags for your request are to the
2028
+ # upper size limit.
1952
2029
  #
1953
2030
  # </note>
1954
2031
  #
@@ -2204,7 +2281,7 @@ module Aws::STS
2204
2281
  params: params,
2205
2282
  config: config)
2206
2283
  context[:gem_name] = 'aws-sdk-core'
2207
- context[:gem_version] = '3.113.1'
2284
+ context[:gem_version] = '3.114.0'
2208
2285
  Seahorse::Client::Request.new(handlers, context)
2209
2286
  end
2210
2287
 
@@ -74,6 +74,7 @@ module Aws::STS
74
74
  roleSessionNameType = Shapes::StringShape.new(name: 'roleSessionNameType')
75
75
  serialNumberType = Shapes::StringShape.new(name: 'serialNumberType')
76
76
  sessionPolicyDocumentType = Shapes::StringShape.new(name: 'sessionPolicyDocumentType')
77
+ sourceIdentityType = Shapes::StringShape.new(name: 'sourceIdentityType')
77
78
  tagKeyListType = Shapes::ListShape.new(name: 'tagKeyListType')
78
79
  tagKeyType = Shapes::StringShape.new(name: 'tagKeyType')
79
80
  tagListType = Shapes::ListShape.new(name: 'tagListType')
@@ -95,11 +96,13 @@ module Aws::STS
95
96
  AssumeRoleRequest.add_member(:external_id, Shapes::ShapeRef.new(shape: externalIdType, location_name: "ExternalId"))
96
97
  AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
97
98
  AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
99
+ AssumeRoleRequest.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
98
100
  AssumeRoleRequest.struct_class = Types::AssumeRoleRequest
99
101
 
100
102
  AssumeRoleResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
101
103
  AssumeRoleResponse.add_member(:assumed_role_user, Shapes::ShapeRef.new(shape: AssumedRoleUser, location_name: "AssumedRoleUser"))
102
104
  AssumeRoleResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
105
+ AssumeRoleResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
103
106
  AssumeRoleResponse.struct_class = Types::AssumeRoleResponse
104
107
 
105
108
  AssumeRoleWithSAMLRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
@@ -118,6 +121,7 @@ module Aws::STS
118
121
  AssumeRoleWithSAMLResponse.add_member(:issuer, Shapes::ShapeRef.new(shape: Issuer, location_name: "Issuer"))
119
122
  AssumeRoleWithSAMLResponse.add_member(:audience, Shapes::ShapeRef.new(shape: Audience, location_name: "Audience"))
120
123
  AssumeRoleWithSAMLResponse.add_member(:name_qualifier, Shapes::ShapeRef.new(shape: NameQualifier, location_name: "NameQualifier"))
124
+ AssumeRoleWithSAMLResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
121
125
  AssumeRoleWithSAMLResponse.struct_class = Types::AssumeRoleWithSAMLResponse
122
126
 
123
127
  AssumeRoleWithWebIdentityRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
@@ -135,6 +139,7 @@ module Aws::STS
135
139
  AssumeRoleWithWebIdentityResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
136
140
  AssumeRoleWithWebIdentityResponse.add_member(:provider, Shapes::ShapeRef.new(shape: Issuer, location_name: "Provider"))
137
141
  AssumeRoleWithWebIdentityResponse.add_member(:audience, Shapes::ShapeRef.new(shape: Audience, location_name: "Audience"))
142
+ AssumeRoleWithWebIdentityResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
138
143
  AssumeRoleWithWebIdentityResponse.struct_class = Types::AssumeRoleWithWebIdentityResponse
139
144
 
140
145
  AssumedRoleUser.add_member(:assumed_role_id, Shapes::ShapeRef.new(shape: assumedRoleIdType, required: true, location_name: "AssumedRoleId"))
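Review bot: `sourceIdentityType` is added as a bare `Shapes::StringShape` with no constraints, so nothing in these hunks makes the client check the allowed character set or the reserved `aws:` prefix that the attribute docs later in this release describe. Presumably STS is the only enforcer, and callers should not expect a local validation error. Only `AssumeRoleRequest` gains `source_identity` as an input member, while `AssumeRoleWithSAMLResponse` and `AssumeRoleWithWebIdentityResponse` gain it on the response side only, and nothing beside the shape records that. I would add a comment above the shape definition (in the generator template, if this file is generated), e.g. `# Request input on AssumeRole only; for SAML/WebIdentity the value comes from the assertion or token and is returned in the response.` Because the docs say this value is what CloudTrail uses to determine who acted with a role, code that sets it on `AssumeRole` should take it from the authenticated identity rather than from request data.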
@@ -33,6 +33,7 @@ module Aws::STS
33
33
  # external_id: "externalIdType",
34
34
  # serial_number: "serialNumberType",
35
35
  # token_code: "tokenCodeType",
36
+ # source_identity: "sourceIdentityType",
36
37
  # }
37
38
  #
38
39
  # @!attribute [rw] role_arn
@@ -63,14 +64,14 @@ module Aws::STS
63
64
  # in the same account as the role.
64
65
  #
65
66
  # This parameter is optional. You can provide up to 10 managed policy
66
- # ARNs. However, the plain text that you use for both inline and
67
+ # ARNs. However, the plaintext that you use for both inline and
67
68
  # managed session policies can't exceed 2,048 characters. For more
68
69
  # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
69
70
  # Service Namespaces][1] in the AWS General Reference.
70
71
  #
71
72
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
72
73
  # tags into a packed binary format that has a separate limit. Your
73
- # request can fail for this limit even if your plain text meets the
74
+ # request can fail for this limit even if your plaintext meets the
74
75
  # other requirements. The `PackedPolicySize` response element
75
76
  # indicates by percentage how close the policies and tags for your
76
77
  # request are to the upper size limit.
@@ -107,7 +108,7 @@ module Aws::STS
107
108
  # the role that is being assumed. For more information, see [Session
108
109
  # Policies][1] in the *IAM User Guide*.
109
110
  #
110
- # The plain text that you use for both inline and managed session
111
+ # The plaintext that you use for both inline and managed session
111
112
  # policies can't exceed 2,048 characters. The JSON policy characters
112
113
  # can be any ASCII character from the space character to the end of
113
114
  # the valid character list (\\u0020 through \\u00FF). It can also
@@ -116,7 +117,7 @@ module Aws::STS
116
117
  #
117
118
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
118
119
  # tags into a packed binary format that has a separate limit. Your
119
- # request can fail for this limit even if your plain text meets the
120
+ # request can fail for this limit even if your plaintext meets the
120
121
  # other requirements. The `PackedPolicySize` response element
121
122
  # indicates by percentage how close the policies and tags for your
122
123
  # request are to the upper size limit.
@@ -129,15 +130,17 @@ module Aws::STS
129
130
  # @return [String]
130
131
  #
131
132
  # @!attribute [rw] duration_seconds
132
- # The duration, in seconds, of the role session. The value can range
133
- # from 900 seconds (15 minutes) up to the maximum session duration
134
- # setting for the role. This setting can have a value from 1 hour to
135
- # 12 hours. If you specify a value higher than this setting, the
136
- # operation fails. For example, if you specify a session duration of
137
- # 12 hours, but your administrator set the maximum session duration to
138
- # 6 hours, your operation fails. To learn how to view the maximum
139
- # value for your role, see [View the Maximum Session Duration Setting
140
- # for a Role][1] in the *IAM User Guide*.
133
+ # The duration, in seconds, of the role session. The value specified
134
+ # can can range from 900 seconds (15 minutes) up to the maximum
135
+ # session duration that is set for the role. The maximum session
136
+ # duration setting can have a value from 1 hour to 12 hours. If you
137
+ # specify a value higher than this setting or the administrator
138
+ # setting (whichever is lower), the operation fails. For example, if
139
+ # you specify a session duration of 12 hours, but your administrator
140
+ # set the maximum session duration to 6 hours, your operation fails.
141
+ # To learn how to view the maximum value for your role, see [View the
142
+ # Maximum Session Duration Setting for a Role][1] in the *IAM User
143
+ # Guide*.
141
144
  #
142
145
  # By default, the value is set to `3600` seconds.
143
146
  #
@@ -164,13 +167,13 @@ module Aws::STS
164
167
  # User Guide*.
165
168
  #
166
169
  # This parameter is optional. You can pass up to 50 session tags. The
167
- # plain text session tag keys can’t exceed 128 characters, and the
170
+ # plaintext session tag keys can’t exceed 128 characters, and the
168
171
  # values can’t exceed 256 characters. For these and additional limits,
169
172
  # see [IAM and STS Character Limits][2] in the *IAM User Guide*.
170
173
  #
171
174
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
172
175
  # tags into a packed binary format that has a separate limit. Your
173
- # request can fail for this limit even if your plain text meets the
176
+ # request can fail for this limit even if your plaintext meets the
174
177
  # other requirements. The `PackedPolicySize` response element
175
178
  # indicates by percentage how close the policies and tags for your
176
179
  # request are to the upper size limit.
@@ -262,15 +265,40 @@ module Aws::STS
262
265
  #
263
266
  # @!attribute [rw] token_code
264
267
  # The value provided by the MFA device, if the trust policy of the
265
- # role being assumed requires MFA (that is, if the policy includes a
266
- # condition that tests for MFA). If the role being assumed requires
267
- # MFA and if the `TokenCode` value is missing or expired, the
268
+ # role being assumed requires MFA. (In other words, if the policy
269
+ # includes a condition that tests for MFA). If the role being assumed
270
+ # requires MFA and if the `TokenCode` value is missing or expired, the
268
271
  # `AssumeRole` call returns an "access denied" error.
269
272
  #
270
273
  # The format for this parameter, as described by its regex pattern, is
271
274
  # a sequence of six numeric digits.
272
275
  # @return [String]
273
276
  #
277
+ # @!attribute [rw] source_identity
278
+ # The source identity specified by the principal that is calling the
279
+ # `AssumeRole` operation.
280
+ #
281
+ # You can require users to specify a source identity when they assume
282
+ # a role. You do this by using the `sts:SourceIdentity` condition key
283
+ # in a role trust policy. You can use source identity information in
284
+ # AWS CloudTrail logs to determine who took actions with a role. You
285
+ # can use the `aws:SourceIdentity` condition key to further control
286
+ # access to AWS resources based on the value of source identity. For
287
+ # more information about using source identity, see [Monitor and
288
+ # control actions taken with assumed roles][1] in the *IAM User
289
+ # Guide*.
290
+ #
291
+ # The regex used to validate this parameter is a string of characters
292
+ # consisting of upper- and lower-case alphanumeric characters with no
293
+ # spaces. You can also include underscores or any of the following
294
+ # characters: =,.@-. You cannot use a value that begins with the text
295
+ # `aws:`. This prefix is reserved for AWS internal use.
296
+ #
297
+ #
298
+ #
299
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
300
+ # @return [String]
301
+ #
274
302
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
275
303
  #
276
304
  class AssumeRoleRequest < Struct.new(
@@ -283,7 +311,8 @@ module Aws::STS
283
311
  :transitive_tag_keys,
284
312
  :external_id,
285
313
  :serial_number,
286
- :token_code)
314
+ :token_code,
315
+ :source_identity)
287
316
  SENSITIVE = []
288
317
  include Aws::Structure
289
318
  end
@@ -318,12 +347,37 @@ module Aws::STS
318
347
  # means the policies and tags exceeded the allowed space.
319
348
  # @return [Integer]
320
349
  #
350
+ # @!attribute [rw] source_identity
351
+ # The source identity specified by the principal that is calling the
352
+ # `AssumeRole` operation.
353
+ #
354
+ # You can require users to specify a source identity when they assume
355
+ # a role. You do this by using the `sts:SourceIdentity` condition key
356
+ # in a role trust policy. You can use source identity information in
357
+ # AWS CloudTrail logs to determine who took actions with a role. You
358
+ # can use the `aws:SourceIdentity` condition key to further control
359
+ # access to AWS resources based on the value of source identity. For
360
+ # more information about using source identity, see [Monitor and
361
+ # control actions taken with assumed roles][1] in the *IAM User
362
+ # Guide*.
363
+ #
364
+ # The regex used to validate this parameter is a string of characters
365
+ # consisting of upper- and lower-case alphanumeric characters with no
366
+ # spaces. You can also include underscores or any of the following
367
+ # characters: =,.@-
368
+ #
369
+ #
370
+ #
371
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
372
+ # @return [String]
373
+ #
321
374
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse AWS API Documentation
322
375
  #
323
376
  class AssumeRoleResponse < Struct.new(
324
377
  :credentials,
325
378
  :assumed_role_user,
326
- :packed_policy_size)
379
+ :packed_policy_size,
380
+ :source_identity)
327
381
  SENSITIVE = []
328
382
  include Aws::Structure
329
383
  end
@@ -355,8 +409,7 @@ module Aws::STS
355
409
  # @return [String]
356
410
  #
357
411
  # @!attribute [rw] saml_assertion
358
- # The base-64 encoded SAML authentication response provided by the
359
- # IdP.
412
+ # The base64 encoded SAML authentication response provided by the IdP.
360
413
  #
361
414
  # For more information, see [Configuring a Relying Party and Adding
362
415
  # Claims][1] in the *IAM User Guide*.
@@ -372,14 +425,14 @@ module Aws::STS
372
425
  # in the same account as the role.
373
426
  #
374
427
  # This parameter is optional. You can provide up to 10 managed policy
375
- # ARNs. However, the plain text that you use for both inline and
428
+ # ARNs. However, the plaintext that you use for both inline and
376
429
  # managed session policies can't exceed 2,048 characters. For more
377
430
  # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
378
431
  # Service Namespaces][1] in the AWS General Reference.
379
432
  #
380
433
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
381
434
  # tags into a packed binary format that has a separate limit. Your
382
- # request can fail for this limit even if your plain text meets the
435
+ # request can fail for this limit even if your plaintext meets the
383
436
  # other requirements. The `PackedPolicySize` response element
384
437
  # indicates by percentage how close the policies and tags for your
385
438
  # request are to the upper size limit.
@@ -416,7 +469,7 @@ module Aws::STS
416
469
  # the role that is being assumed. For more information, see [Session
417
470
  # Policies][1] in the *IAM User Guide*.
418
471
  #
419
- # The plain text that you use for both inline and managed session
472
+ # The plaintext that you use for both inline and managed session
420
473
  # policies can't exceed 2,048 characters. The JSON policy characters
421
474
  # can be any ASCII character from the space character to the end of
422
475
  # the valid character list (\\u0020 through \\u00FF). It can also
@@ -425,7 +478,7 @@ module Aws::STS
425
478
  #
426
479
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
427
480
  # tags into a packed binary format that has a separate limit. Your
428
- # request can fail for this limit even if your plain text meets the
481
+ # request can fail for this limit even if your plaintext meets the
429
482
  # other requirements. The `PackedPolicySize` response element
430
483
  # indicates by percentage how close the policies and tags for your
431
484
  # request are to the upper size limit.
@@ -537,11 +590,17 @@ module Aws::STS
537
590
  # @return [String]
538
591
  #
539
592
  # @!attribute [rw] name_qualifier
540
- # A hash value based on the concatenation of the `Issuer` response
541
- # value, the AWS account ID, and the friendly name (the last part of
542
- # the ARN) of the SAML provider in IAM. The combination of
543
- # `NameQualifier` and `Subject` can be used to uniquely identify a
544
- # federated user.
593
+ # A hash value based on the concatenation of the following:
594
+ #
595
+ # * The `Issuer` response value.
596
+ #
597
+ # * The AWS account ID.
598
+ #
599
+ # * The friendly name (the last part of the ARN) of the SAML provider
600
+ # in IAM.
601
+ #
602
+ # The combination of `NameQualifier` and `Subject` can be used to
603
+ # uniquely identify a federated user.
545
604
  #
546
605
  # The following pseudocode shows how the hash value is calculated:
547
606
  #
@@ -549,6 +608,34 @@ module Aws::STS
549
608
  # "/MySAMLIdP" ) )`
550
609
  # @return [String]
551
610
  #
611
+ # @!attribute [rw] source_identity
612
+ # The value in the `SourceIdentity` attribute in the SAML assertion.
613
+ #
614
+ # You can require users to set a source identity value when they
615
+ # assume a role. You do this by using the `sts:SourceIdentity`
616
+ # condition key in a role trust policy. That way, actions that are
617
+ # taken with the role are associated with that user. After the source
618
+ # identity is set, the value cannot be changed. It is present in the
619
+ # request for all actions that are taken by the role and persists
620
+ # across [chained role][1] sessions. You can configure your SAML
621
+ # identity provider to use an attribute associated with your users,
622
+ # like user name or email, as the source identity when calling
623
+ # `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
624
+ # assertion. For more information about using source identity, see
625
+ # [Monitor and control actions taken with assumed roles][2] in the
626
+ # *IAM User Guide*.
627
+ #
628
+ # The regex used to validate this parameter is a string of characters
629
+ # consisting of upper- and lower-case alphanumeric characters with no
630
+ # spaces. You can also include underscores or any of the following
631
+ # characters: =,.@-
632
+ #
633
+ #
634
+ #
635
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
636
+ # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
637
+ # @return [String]
638
+ #
552
639
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
553
640
  #
554
641
  class AssumeRoleWithSAMLResponse < Struct.new(
@@ -559,7 +646,8 @@ module Aws::STS
559
646
  :subject_type,
560
647
  :issuer,
561
648
  :audience,
562
- :name_qualifier)
649
+ :name_qualifier,
650
+ :source_identity)
563
651
  SENSITIVE = []
564
652
  include Aws::Structure
565
653
  end
@@ -626,14 +714,14 @@ module Aws::STS
626
714
  # in the same account as the role.
627
715
  #
628
716
  # This parameter is optional. You can provide up to 10 managed policy
629
- # ARNs. However, the plain text that you use for both inline and
717
+ # ARNs. However, the plaintext that you use for both inline and
630
718
  # managed session policies can't exceed 2,048 characters. For more
631
719
  # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
632
720
  # Service Namespaces][1] in the AWS General Reference.
633
721
  #
634
722
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
635
723
  # tags into a packed binary format that has a separate limit. Your
636
- # request can fail for this limit even if your plain text meets the
724
+ # request can fail for this limit even if your plaintext meets the
637
725
  # other requirements. The `PackedPolicySize` response element
638
726
  # indicates by percentage how close the policies and tags for your
639
727
  # request are to the upper size limit.
@@ -670,7 +758,7 @@ module Aws::STS
670
758
  # the role that is being assumed. For more information, see [Session
671
759
  # Policies][1] in the *IAM User Guide*.
672
760
  #
673
- # The plain text that you use for both inline and managed session
761
+ # The plaintext that you use for both inline and managed session
674
762
  # policies can't exceed 2,048 characters. The JSON policy characters
675
763
  # can be any ASCII character from the space character to the end of
676
764
  # the valid character list (\\u0020 through \\u00FF). It can also
@@ -679,7 +767,7 @@ module Aws::STS
679
767
  #
680
768
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
681
769
  # tags into a packed binary format that has a separate limit. Your
682
- # request can fail for this limit even if your plain text meets the
770
+ # request can fail for this limit even if your plaintext meets the
683
771
  # other requirements. The `PackedPolicySize` response element
684
772
  # indicates by percentage how close the policies and tags for your
685
773
  # request are to the upper size limit.
@@ -789,6 +877,38 @@ module Aws::STS
789
877
  # application that requested the web identity token.
790
878
  # @return [String]
791
879
  #
880
+ # @!attribute [rw] source_identity
881
+ # The value of the source identity that is returned in the JSON web
882
+ # token (JWT) from the identity provider.
883
+ #
884
+ # You can require users to set a source identity value when they
885
+ # assume a role. You do this by using the `sts:SourceIdentity`
886
+ # condition key in a role trust policy. That way, actions that are
887
+ # taken with the role are associated with that user. After the source
888
+ # identity is set, the value cannot be changed. It is present in the
889
+ # request for all actions that are taken by the role and persists
890
+ # across [chained role][1] sessions. You can configure your identity
891
+ # provider to use an attribute associated with your users, like user
892
+ # name or email, as the source identity when calling
893
+ # `AssumeRoleWithWebIdentity`. You do this by adding a claim to the
894
+ # JSON web token. To learn more about OIDC tokens and claims, see
895
+ # [Using Tokens with User Pools][2] in the *Amazon Cognito Developer
896
+ # Guide*. For more information about using source identity, see
897
+ # [Monitor and control actions taken with assumed roles][3] in the
898
+ # *IAM User Guide*.
899
+ #
900
+ # The regex used to validate this parameter is a string of characters
901
+ # consisting of upper- and lower-case alphanumeric characters with no
902
+ # spaces. You can also include underscores or any of the following
903
+ # characters: =,.@-
904
+ #
905
+ #
906
+ #
907
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
908
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
909
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
910
+ # @return [String]
911
+ #
792
912
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityResponse AWS API Documentation
793
913
  #
794
914
  class AssumeRoleWithWebIdentityResponse < Struct.new(
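Review bot: The validation paragraph in the new `source_identity` doc reads as if the regex itself were a string of characters, and it calls a response attribute "this parameter" without stating the actual pattern. A caller who validates or stores the returned value has nothing precise to check against. Suggested wording: `# The value consists of upper- and lower-case alphanumeric characters with no spaces; underscores and the characters =,.@- are also allowed.` The same paragraph appears in the `AssumeRoleWithSAMLResponse` attribute doc earlier in this file section.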
@@ -797,7 +917,8 @@ module Aws::STS
797
917
  :assumed_role_user,
798
918
  :packed_policy_size,
799
919
  :provider,
800
- :audience)
920
+ :audience,
921
+ :source_identity)
801
922
  SENSITIVE = []
802
923
  include Aws::Structure
803
924
  end
@@ -1074,7 +1195,7 @@ module Aws::STS
1074
1195
  # are granted in addition to the permissions that are granted by the
1075
1196
  # session policies.
1076
1197
  #
1077
- # The plain text that you use for both inline and managed session
1198
+ # The plaintext that you use for both inline and managed session
1078
1199
  # policies can't exceed 2,048 characters. The JSON policy characters
1079
1200
  # can be any ASCII character from the space character to the end of
1080
1201
  # the valid character list (\\u0020 through \\u00FF). It can also
@@ -1083,7 +1204,7 @@ module Aws::STS
1083
1204
  #
1084
1205
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1085
1206
  # tags into a packed binary format that has a separate limit. Your
1086
- # request can fail for this limit even if your plain text meets the
1207
+ # request can fail for this limit even if your plaintext meets the
1087
1208
  # other requirements. The `PackedPolicySize` response element
1088
1209
  # indicates by percentage how close the policies and tags for your
1089
1210
  # request are to the upper size limit.
@@ -1104,7 +1225,7 @@ module Aws::STS
1104
1225
  # You must pass an inline or managed [session policy][1] to this
1105
1226
  # operation. You can pass a single JSON policy document to use as an
1106
1227
  # inline session policy. You can also specify up to 10 managed
1107
- # policies to use as managed session policies. The plain text that you
1228
+ # policies to use as managed session policies. The plaintext that you
1108
1229
  # use for both inline and managed session policies can't exceed 2,048
1109
1230
  # characters. You can provide up to 10 managed policy ARNs. For more
1110
1231
  # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
@@ -1131,7 +1252,7 @@ module Aws::STS
1131
1252
  #
1132
1253
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1133
1254
  # tags into a packed binary format that has a separate limit. Your
1134
- # request can fail for this limit even if your plain text meets the
1255
+ # request can fail for this limit even if your plaintext meets the
1135
1256
  # other requirements. The `PackedPolicySize` response element
1136
1257
  # indicates by percentage how close the policies and tags for your
1137
1258
  # request are to the upper size limit.
@@ -1160,13 +1281,13 @@ module Aws::STS
1160
1281
  # [Passing Session Tags in STS][1] in the *IAM User Guide*.
1161
1282
  #
1162
1283
  # This parameter is optional. You can pass up to 50 session tags. The
1163
- # plain text session tag keys can’t exceed 128 characters and the
1284
+ # plaintext session tag keys can’t exceed 128 characters and the
1164
1285
  # values can’t exceed 256 characters. For these and additional limits,
1165
1286
  # see [IAM and STS Character Limits][2] in the *IAM User Guide*.
1166
1287
  #
1167
1288
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1168
1289
  # tags into a packed binary format that has a separate limit. Your
1169
- # request can fail for this limit even if your plain text meets the
1290
+ # request can fail for this limit even if your plaintext meets the
1170
1291
  # other requirements. The `PackedPolicySize` response element
1171
1292
  # indicates by percentage how close the policies and tags for your
1172
1293
  # request are to the upper size limit.
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sdk-core
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.113.1
4
+ version: 3.114.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-03-29 00:00:00.000000000 Z
11
+ date: 2021-04-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: jmespath