aws-sdk-core 3.80.0 → 3.81.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +443 -157
- data/lib/aws-sdk-sts/client_api.rb +16 -0
- data/lib/aws-sdk-sts/types.rb +305 -113
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a53e3774ffa5eca6d5829317d8cf6376690272f1
|
4
|
+
data.tar.gz: e6ba41bbc1b31f817bcac3c9e43651268a7f5998
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1bb93bb35954de70a47e4b382390a348ca0ccdfdb5ac08d79e009d816fe9f607704174e51946d46c0bae16906e29eaf8e94069875fb45adc4c31234b94e7ed08
|
7
|
+
data.tar.gz: 473c2d93844c444220add52299bb056d98b513f902a84bc1befaf28628e3884ca0a41b3b6789dd20551b6847a9e81873783cdd0f2bf74b35e663ed2dbea50b36
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.81.0
|
data/lib/aws-sdk-sts.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -284,6 +284,8 @@ module Aws::STS
|
|
284
284
|
# those accounts. For more information about roles, see [IAM Roles][3]
|
285
285
|
# in the *IAM User Guide*.
|
286
286
|
#
|
287
|
+
# **Session Duration**
|
288
|
+
#
|
287
289
|
# By default, the temporary security credentials created by `AssumeRole`
|
288
290
|
# last for one hour. However, you can use the optional `DurationSeconds`
|
289
291
|
# parameter to specify the duration of your session. You can provide a
|
@@ -297,6 +299,8 @@ module Aws::STS
|
|
297
299
|
# create a console URL. For more information, see [Using IAM Roles][5]
|
298
300
|
# in the *IAM User Guide*.
|
299
301
|
#
|
302
|
+
# **Permissions**
|
303
|
+
#
|
300
304
|
# The temporary security credentials created by `AssumeRole` can be used
|
301
305
|
# to make API calls to any AWS service with the following exception: You
|
302
306
|
# cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
|
@@ -306,16 +310,15 @@ module Aws::STS
|
|
306
310
|
# this operation. You can pass a single JSON policy document to use as
|
307
311
|
# an inline session policy. You can also specify up to 10 managed
|
308
312
|
# policies to use as managed session policies. The plain text that you
|
309
|
-
# use for both inline and managed session policies
|
310
|
-
#
|
311
|
-
#
|
312
|
-
#
|
313
|
-
#
|
314
|
-
#
|
315
|
-
#
|
316
|
-
#
|
317
|
-
#
|
318
|
-
# User Guide*.
|
313
|
+
# use for both inline and managed session policies can't exceed 2,048
|
314
|
+
# characters. Passing policies to this operation returns new temporary
|
315
|
+
# credentials. The resulting session's permissions are the intersection
|
316
|
+
# of the role's identity-based policy and the session policies. You can
|
317
|
+
# use the role's temporary credentials in subsequent AWS API calls to
|
318
|
+
# access resources in the account that owns the role. You cannot use
|
319
|
+
# session policies to grant more permissions than those allowed by the
|
320
|
+
# identity-based policy of the role that is being assumed. For more
|
321
|
+
# information, see [Session Policies][6] in the *IAM User Guide*.
|
319
322
|
#
|
320
323
|
# To assume a role from a different account, your AWS account must be
|
321
324
|
# trusted by the role. The trust relationship is defined in the role's
|
@@ -340,6 +343,22 @@ module Aws::STS
|
|
340
343
|
# resource-based policies, see [IAM Policies][7] in the *IAM User
|
341
344
|
# Guide*.
|
342
345
|
#
|
346
|
+
# **Tags**
|
347
|
+
#
|
348
|
+
# (Optional) You can pass tag key-value pairs to your session. These
|
349
|
+
# tags are called session tags. For more information about session tags,
|
350
|
+
# see [Passing Session Tags in STS][8] in the *IAM User Guide*.
|
351
|
+
#
|
352
|
+
# An administrator must grant you the permissions necessary to pass
|
353
|
+
# session tags. The administrator can also create granular permissions
|
354
|
+
# to allow you to pass only specific session tags. For more information,
|
355
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
|
356
|
+
# the *IAM User Guide*.
|
357
|
+
#
|
358
|
+
# You can set the session tags as transitive. Transitive tags persist
|
359
|
+
# during role chaining. For more information, see [Chaining Roles with
|
360
|
+
# Session Tags][10] in the *IAM User Guide*.
|
361
|
+
#
|
343
362
|
# **Using MFA with AssumeRole**
|
344
363
|
#
|
345
364
|
# (Optional) You can include multi-factor authentication (MFA)
|
@@ -354,8 +373,8 @@ module Aws::STS
|
|
354
373
|
#
|
355
374
|
# `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
|
356
375
|
#
|
357
|
-
# For more information, see [Configuring MFA-Protected API Access][
|
358
|
-
# the *IAM User Guide* guide.
|
376
|
+
# For more information, see [Configuring MFA-Protected API Access][11]
|
377
|
+
# in the *IAM User Guide* guide.
|
359
378
|
#
|
360
379
|
# To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
|
361
380
|
# and `TokenCode` parameters. The `SerialNumber` value identifies the
|
@@ -371,7 +390,10 @@ module Aws::STS
|
|
371
390
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
372
391
|
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
373
392
|
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
|
374
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
393
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
394
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
395
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
396
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
|
375
397
|
#
|
376
398
|
# @option params [required, String] :role_arn
|
377
399
|
# The Amazon Resource Name (ARN) of the role to assume.
|
@@ -400,16 +422,16 @@ module Aws::STS
|
|
400
422
|
#
|
401
423
|
# This parameter is optional. You can provide up to 10 managed policy
|
402
424
|
# ARNs. However, the plain text that you use for both inline and managed
|
403
|
-
# session policies
|
404
|
-
#
|
405
|
-
#
|
425
|
+
# session policies can't exceed 2,048 characters. For more information
|
426
|
+
# about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
|
427
|
+
# Namespaces][1] in the AWS General Reference.
|
406
428
|
#
|
407
|
-
# <note markdown="1">
|
408
|
-
#
|
409
|
-
#
|
410
|
-
#
|
411
|
-
#
|
412
|
-
# size limit.
|
429
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
430
|
+
# tags into a packed binary format that has a separate limit. Your
|
431
|
+
# request can fail for this limit even if your plain text meets the
|
432
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
433
|
+
# by percentage how close the policies and tags for your request are to
|
434
|
+
# the upper size limit.
|
413
435
|
#
|
414
436
|
# </note>
|
415
437
|
#
|
@@ -442,18 +464,18 @@ module Aws::STS
|
|
442
464
|
# User Guide*.
|
443
465
|
#
|
444
466
|
# The plain text that you use for both inline and managed session
|
445
|
-
# policies
|
467
|
+
# policies can't exceed 2,048 characters. The JSON policy characters
|
446
468
|
# can be any ASCII character from the space character to the end of the
|
447
469
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
448
470
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
449
471
|
# characters.
|
450
472
|
#
|
451
|
-
# <note markdown="1">
|
452
|
-
#
|
453
|
-
#
|
454
|
-
#
|
455
|
-
#
|
456
|
-
# size limit.
|
473
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
474
|
+
# tags into a packed binary format that has a separate limit. Your
|
475
|
+
# request can fail for this limit even if your plain text meets the
|
476
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
477
|
+
# by percentage how close the policies and tags for your request are to
|
478
|
+
# the upper size limit.
|
457
479
|
#
|
458
480
|
# </note>
|
459
481
|
#
|
@@ -489,6 +511,67 @@ module Aws::STS
|
|
489
511
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
490
512
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
|
491
513
|
#
|
514
|
+
# @option params [Array<Types::Tag>] :tags
|
515
|
+
# A list of session tags that you want to pass. Each session tag
|
516
|
+
# consists of a key name and an associated value. For more information
|
517
|
+
# about session tags, see [Tagging AWS STS Sessions][1] in the *IAM User
|
518
|
+
# Guide*.
|
519
|
+
#
|
520
|
+
# This parameter is optional. You can pass up to 50 session tags. The
|
521
|
+
# plain text session tag keys can’t exceed 128 characters, and the
|
522
|
+
# values can’t exceed 256 characters. For these and additional limits,
|
523
|
+
# see [IAM and STS Character Limits][2] in the *IAM User Guide*.
|
524
|
+
#
|
525
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
526
|
+
# tags into a packed binary format that has a separate limit. Your
|
527
|
+
# request can fail for this limit even if your plain text meets the
|
528
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
529
|
+
# by percentage how close the policies and tags for your request are to
|
530
|
+
# the upper size limit.
|
531
|
+
#
|
532
|
+
# </note>
|
533
|
+
#
|
534
|
+
# You can pass a session tag with the same key as a tag that is already
|
535
|
+
# attached to the role. When you do, session tags override a role tag
|
536
|
+
# with the same key.
|
537
|
+
#
|
538
|
+
# Tag key–value pairs are not case sensitive, but case is preserved.
|
539
|
+
# This means that you cannot have separate `Department` and `department`
|
540
|
+
# tag keys. Assume that the role has the `Department`=`Marketing` tag
|
541
|
+
# and you pass the `department`=`engineering` session tag. `Department`
|
542
|
+
# and `department` are not saved as separate tags, and the session tag
|
543
|
+
# passed in the request takes precedence over the role tag.
|
544
|
+
#
|
545
|
+
# Additionally, if you used temporary credentials to perform this
|
546
|
+
# operation, the new session inherits any transitive session tags from
|
547
|
+
# the calling session. If you pass a session tag with the same key as an
|
548
|
+
# inherited tag, the operation fails. To view the inherited tags for a
|
549
|
+
# session, see the AWS CloudTrail logs. For more information, see
|
550
|
+
# [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
|
551
|
+
#
|
552
|
+
#
|
553
|
+
#
|
554
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
555
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
556
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs
|
557
|
+
#
|
558
|
+
# @option params [Array<String>] :transitive_tag_keys
|
559
|
+
# A list of keys for session tags that you want to set as transitive. If
|
560
|
+
# you set a tag key as transitive, the corresponding key and value
|
561
|
+
# passes to subsequent sessions in a role chain. For more information,
|
562
|
+
# see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
|
563
|
+
#
|
564
|
+
# This parameter is optional. When you set session tags as transitive,
|
565
|
+
# the session policy and session tags packed binary limit is not
|
566
|
+
# affected.
|
567
|
+
#
|
568
|
+
# If you choose not to specify a transitive tag key, then no tags are
|
569
|
+
# passed from this session to any subsequent sessions.
|
570
|
+
#
|
571
|
+
#
|
572
|
+
#
|
573
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
574
|
+
#
|
492
575
|
# @option params [String] :external_id
|
493
576
|
# A unique identifier that might be required when you assume a role in
|
494
577
|
# another account. If the administrator of the account to which the role
|
@@ -545,11 +628,28 @@ module Aws::STS
|
|
545
628
|
# @example Example: To assume a role
|
546
629
|
#
|
547
630
|
# resp = client.assume_role({
|
548
|
-
# duration_seconds: 3600,
|
549
631
|
# external_id: "123ABC",
|
550
632
|
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
|
551
633
|
# role_arn: "arn:aws:iam::123456789012:role/demo",
|
552
|
-
# role_session_name: "
|
634
|
+
# role_session_name: "testAssumeRoleSession",
|
635
|
+
# tags: [
|
636
|
+
# {
|
637
|
+
# key: "Project",
|
638
|
+
# value: "Unicorn",
|
639
|
+
# },
|
640
|
+
# {
|
641
|
+
# key: "Team",
|
642
|
+
# value: "Automation",
|
643
|
+
# },
|
644
|
+
# {
|
645
|
+
# key: "Cost-Center",
|
646
|
+
# value: "12345",
|
647
|
+
# },
|
648
|
+
# ],
|
649
|
+
# transitive_tag_keys: [
|
650
|
+
# "Project",
|
651
|
+
# "Cost-Center",
|
652
|
+
# ],
|
553
653
|
# })
|
554
654
|
#
|
555
655
|
# resp.to_h outputs the following:
|
@@ -564,7 +664,7 @@ module Aws::STS
|
|
564
664
|
# secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
|
565
665
|
# session_token: "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==",
|
566
666
|
# },
|
567
|
-
# packed_policy_size:
|
667
|
+
# packed_policy_size: 8,
|
568
668
|
# }
|
569
669
|
#
|
570
670
|
# @example Request syntax with placeholder values
|
@@ -579,6 +679,13 @@ module Aws::STS
|
|
579
679
|
# ],
|
580
680
|
# policy: "sessionPolicyDocumentType",
|
581
681
|
# duration_seconds: 1,
|
682
|
+
# tags: [
|
683
|
+
# {
|
684
|
+
# key: "tagKeyType", # required
|
685
|
+
# value: "tagValueType", # required
|
686
|
+
# },
|
687
|
+
# ],
|
688
|
+
# transitive_tag_keys: ["tagKeyType"],
|
582
689
|
# external_id: "externalIdType",
|
583
690
|
# serial_number: "serialNumberType",
|
584
691
|
# token_code: "tokenCodeType",
|
@@ -617,6 +724,8 @@ module Aws::STS
|
|
617
724
|
# Applications can use these temporary security credentials to sign
|
618
725
|
# calls to AWS services.
|
619
726
|
#
|
727
|
+
# **Session Duration**
|
728
|
+
#
|
620
729
|
# By default, the temporary security credentials created by
|
621
730
|
# `AssumeRoleWithSAML` last for one hour. However, you can use the
|
622
731
|
# optional `DurationSeconds` parameter to specify the duration of your
|
@@ -633,6 +742,8 @@ module Aws::STS
|
|
633
742
|
# use those operations to create a console URL. For more information,
|
634
743
|
# see [Using IAM Roles][4] in the *IAM User Guide*.
|
635
744
|
#
|
745
|
+
# **Permissions**
|
746
|
+
#
|
636
747
|
# The temporary security credentials created by `AssumeRoleWithSAML` can
|
637
748
|
# be used to make API calls to any AWS service with the following
|
638
749
|
# exception: you cannot call the STS `GetFederationToken` or
|
@@ -642,23 +753,15 @@ module Aws::STS
|
|
642
753
|
# this operation. You can pass a single JSON policy document to use as
|
643
754
|
# an inline session policy. You can also specify up to 10 managed
|
644
755
|
# policies to use as managed session policies. The plain text that you
|
645
|
-
# use for both inline and managed session policies
|
646
|
-
#
|
647
|
-
#
|
648
|
-
#
|
649
|
-
#
|
650
|
-
#
|
651
|
-
#
|
652
|
-
#
|
653
|
-
#
|
654
|
-
# User Guide*.
|
655
|
-
#
|
656
|
-
# Before your application can call `AssumeRoleWithSAML`, you must
|
657
|
-
# configure your SAML identity provider (IdP) to issue the claims
|
658
|
-
# required by AWS. Additionally, you must use AWS Identity and Access
|
659
|
-
# Management (IAM) to create a SAML provider entity in your AWS account
|
660
|
-
# that represents your identity provider. You must also create an IAM
|
661
|
-
# role that specifies this SAML provider in its trust policy.
|
756
|
+
# use for both inline and managed session policies can't exceed 2,048
|
757
|
+
# characters. Passing policies to this operation returns new temporary
|
758
|
+
# credentials. The resulting session's permissions are the intersection
|
759
|
+
# of the role's identity-based policy and the session policies. You can
|
760
|
+
# use the role's temporary credentials in subsequent AWS API calls to
|
761
|
+
# access resources in the account that owns the role. You cannot use
|
762
|
+
# session policies to grant more permissions than those allowed by the
|
763
|
+
# identity-based policy of the role that is being assumed. For more
|
764
|
+
# information, see [Session Policies][5] in the *IAM User Guide*.
|
662
765
|
#
|
663
766
|
# Calling `AssumeRoleWithSAML` does not require the use of AWS security
|
664
767
|
# credentials. The identity of the caller is validated by using keys in
|
@@ -669,18 +772,63 @@ module Aws::STS
|
|
669
772
|
# CloudTrail logs. The entry includes the value in the `NameID` element
|
670
773
|
# of the SAML assertion. We recommend that you use a `NameIDType` that
|
671
774
|
# is not associated with any personally identifiable information (PII).
|
672
|
-
# For example, you could instead use the
|
775
|
+
# For example, you could instead use the persistent identifier
|
673
776
|
# (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
|
674
777
|
#
|
778
|
+
# **Tags**
|
779
|
+
#
|
780
|
+
# (Optional) You can configure your IdP to pass attributes into your
|
781
|
+
# SAML assertion as session tags. Each session tag consists of a key
|
782
|
+
# name and an associated value. For more information about session tags,
|
783
|
+
# see [Passing Session Tags in STS][6] in the *IAM User Guide*.
|
784
|
+
#
|
785
|
+
# You can pass up to 50 session tags. The plain text session tag keys
|
786
|
+
# can’t exceed 128 characters and the values can’t exceed 256
|
787
|
+
# characters. For these and additional limits, see [IAM and STS
|
788
|
+
# Character Limits][7] in the *IAM User Guide*.
|
789
|
+
#
|
790
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
791
|
+
# tags into a packed binary format that has a separate limit. Your
|
792
|
+
# request can fail for this limit even if your plain text meets the
|
793
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
794
|
+
# by percentage how close the policies and tags for your request are to
|
795
|
+
# the upper size limit.
|
796
|
+
#
|
797
|
+
# </note>
|
798
|
+
#
|
799
|
+
# You can pass a session tag with the same key as a tag that is attached
|
800
|
+
# to the role. When you do, session tags override the role's tags with
|
801
|
+
# the same key.
|
802
|
+
#
|
803
|
+
# An administrator must grant you the permissions necessary to pass
|
804
|
+
# session tags. The administrator can also create granular permissions
|
805
|
+
# to allow you to pass only specific session tags. For more information,
|
806
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][8] in
|
807
|
+
# the *IAM User Guide*.
|
808
|
+
#
|
809
|
+
# You can set the session tags as transitive. Transitive tags persist
|
810
|
+
# during role chaining. For more information, see [Chaining Roles with
|
811
|
+
# Session Tags][9] in the *IAM User Guide*.
|
812
|
+
#
|
813
|
+
# **SAML Configuration**
|
814
|
+
#
|
815
|
+
# Before your application can call `AssumeRoleWithSAML`, you must
|
816
|
+
# configure your SAML identity provider (IdP) to issue the claims
|
817
|
+
# required by AWS. Additionally, you must use AWS Identity and Access
|
818
|
+
# Management (IAM) to create a SAML provider entity in your AWS account
|
819
|
+
# that represents your identity provider. You must also create an IAM
|
820
|
+
# role that specifies this SAML provider in its trust policy.
|
821
|
+
#
|
675
822
|
# For more information, see the following resources:
|
676
823
|
#
|
677
|
-
# * [About SAML 2.0-based Federation][
|
824
|
+
# * [About SAML 2.0-based Federation][10] in the *IAM User Guide*.
|
678
825
|
#
|
679
|
-
# * [Creating SAML Identity Providers][
|
826
|
+
# * [Creating SAML Identity Providers][11] in the *IAM User Guide*.
|
680
827
|
#
|
681
|
-
# * [Configuring a Relying Party and Claims][
|
828
|
+
# * [Configuring a Relying Party and Claims][12] in the *IAM User
|
829
|
+
# Guide*.
|
682
830
|
#
|
683
|
-
# * [Creating a Role for SAML 2.0 Federation][
|
831
|
+
# * [Creating a Role for SAML 2.0 Federation][13] in the *IAM User
|
684
832
|
# Guide*.
|
685
833
|
#
|
686
834
|
#
|
@@ -690,10 +838,14 @@ module Aws::STS
|
|
690
838
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
691
839
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
692
840
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
693
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
694
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
695
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
696
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
841
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
842
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
843
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
844
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
845
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
|
846
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
|
847
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
|
848
|
+
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
|
697
849
|
#
|
698
850
|
# @option params [required, String] :role_arn
|
699
851
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
@@ -720,16 +872,16 @@ module Aws::STS
|
|
720
872
|
#
|
721
873
|
# This parameter is optional. You can provide up to 10 managed policy
|
722
874
|
# ARNs. However, the plain text that you use for both inline and managed
|
723
|
-
# session policies
|
724
|
-
#
|
725
|
-
#
|
875
|
+
# session policies can't exceed 2,048 characters. For more information
|
876
|
+
# about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
|
877
|
+
# Namespaces][1] in the AWS General Reference.
|
726
878
|
#
|
727
|
-
# <note markdown="1">
|
728
|
-
#
|
729
|
-
#
|
730
|
-
#
|
731
|
-
#
|
732
|
-
# size limit.
|
879
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
880
|
+
# tags into a packed binary format that has a separate limit. Your
|
881
|
+
# request can fail for this limit even if your plain text meets the
|
882
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
883
|
+
# by percentage how close the policies and tags for your request are to
|
884
|
+
# the upper size limit.
|
733
885
|
#
|
734
886
|
# </note>
|
735
887
|
#
|
@@ -762,18 +914,18 @@ module Aws::STS
|
|
762
914
|
# User Guide*.
|
763
915
|
#
|
764
916
|
# The plain text that you use for both inline and managed session
|
765
|
-
# policies
|
917
|
+
# policies can't exceed 2,048 characters. The JSON policy characters
|
766
918
|
# can be any ASCII character from the space character to the end of the
|
767
919
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
768
920
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
769
921
|
# characters.
|
770
922
|
#
|
771
|
-
# <note markdown="1">
|
772
|
-
#
|
773
|
-
#
|
774
|
-
#
|
775
|
-
#
|
776
|
-
# size limit.
|
923
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
924
|
+
# tags into a packed binary format that has a separate limit. Your
|
925
|
+
# request can fail for this limit even if your plain text meets the
|
926
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
927
|
+
# by percentage how close the policies and tags for your request are to
|
928
|
+
# the upper size limit.
|
777
929
|
#
|
778
930
|
# </note>
|
779
931
|
#
|
@@ -896,6 +1048,8 @@ module Aws::STS
|
|
896
1048
|
# can use these temporary security credentials to sign calls to AWS
|
897
1049
|
# service API operations.
|
898
1050
|
#
|
1051
|
+
# **Session Duration**
|
1052
|
+
#
|
899
1053
|
# By default, the temporary security credentials created by
|
900
1054
|
# `AssumeRoleWithWebIdentity` last for one hour. However, you can use
|
901
1055
|
# the optional `DurationSeconds` parameter to specify the duration of
|
@@ -909,6 +1063,8 @@ module Aws::STS
|
|
909
1063
|
# use those operations to create a console URL. For more information,
|
910
1064
|
# see [Using IAM Roles][8] in the *IAM User Guide*.
|
911
1065
|
#
|
1066
|
+
# **Permissions**
|
1067
|
+
#
|
912
1068
|
# The temporary security credentials created by
|
913
1069
|
# `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
|
914
1070
|
# service with the following exception: you cannot call the STS
|
@@ -918,16 +1074,52 @@ module Aws::STS
|
|
918
1074
|
# this operation. You can pass a single JSON policy document to use as
|
919
1075
|
# an inline session policy. You can also specify up to 10 managed
|
920
1076
|
# policies to use as managed session policies. The plain text that you
|
921
|
-
# use for both inline and managed session policies
|
922
|
-
#
|
923
|
-
#
|
924
|
-
#
|
925
|
-
#
|
926
|
-
#
|
927
|
-
#
|
928
|
-
#
|
929
|
-
#
|
930
|
-
#
|
1077
|
+
# use for both inline and managed session policies can't exceed 2,048
|
1078
|
+
# characters. Passing policies to this operation returns new temporary
|
1079
|
+
# credentials. The resulting session's permissions are the intersection
|
1080
|
+
# of the role's identity-based policy and the session policies. You can
|
1081
|
+
# use the role's temporary credentials in subsequent AWS API calls to
|
1082
|
+
# access resources in the account that owns the role. You cannot use
|
1083
|
+
# session policies to grant more permissions than those allowed by the
|
1084
|
+
# identity-based policy of the role that is being assumed. For more
|
1085
|
+
# information, see [Session Policies][9] in the *IAM User Guide*.
|
1086
|
+
#
|
1087
|
+
# **Tags**
|
1088
|
+
#
|
1089
|
+
# (Optional) You can configure your IdP to pass attributes into your web
|
1090
|
+
# identity token as session tags. Each session tag consists of a key
|
1091
|
+
# name and an associated value. For more information about session tags,
|
1092
|
+
# see [Passing Session Tags in STS][10] in the *IAM User Guide*.
|
1093
|
+
#
|
1094
|
+
# You can pass up to 50 session tags. The plain text session tag keys
|
1095
|
+
# can’t exceed 128 characters and the values can’t exceed 256
|
1096
|
+
# characters. For these and additional limits, see [IAM and STS
|
1097
|
+
# Character Limits][11] in the *IAM User Guide*.
|
1098
|
+
#
|
1099
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1100
|
+
# tags into a packed binary format that has a separate limit. Your
|
1101
|
+
# request can fail for this limit even if your plain text meets the
|
1102
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1103
|
+
# by percentage how close the policies and tags for your request are to
|
1104
|
+
# the upper size limit.
|
1105
|
+
#
|
1106
|
+
# </note>
|
1107
|
+
#
|
1108
|
+
# You can pass a session tag with the same key as a tag that is attached
|
1109
|
+
# to the role. When you do, the session tag overrides the role tag with
|
1110
|
+
# the same key.
|
1111
|
+
#
|
1112
|
+
# An administrator must grant you the permissions necessary to pass
|
1113
|
+
# session tags. The administrator can also create granular permissions
|
1114
|
+
# to allow you to pass only specific session tags. For more information,
|
1115
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][12] in
|
1116
|
+
# the *IAM User Guide*.
|
1117
|
+
#
|
1118
|
+
# You can set the session tags as transitive. Transitive tags persist
|
1119
|
+
# during role chaining. For more information, see [Chaining Roles with
|
1120
|
+
# Session Tags][13] in the *IAM User Guide*.
|
1121
|
+
#
|
1122
|
+
# **Identities**
|
931
1123
|
#
|
932
1124
|
# Before your application can call `AssumeRoleWithWebIdentity`, you must
|
933
1125
|
# have an identity token from a supported identity provider and create a
|
@@ -937,30 +1129,30 @@ module Aws::STS
|
|
937
1129
|
# specified in the role's trust policy.
|
938
1130
|
#
|
939
1131
|
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
|
940
|
-
# CloudTrail logs. The entry includes the [Subject][
|
1132
|
+
# CloudTrail logs. The entry includes the [Subject][14] of the provided
|
941
1133
|
# Web Identity Token. We recommend that you avoid using any personally
|
942
1134
|
# identifiable information (PII) in this field. For example, you could
|
943
1135
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
944
|
-
# specification][
|
1136
|
+
# specification][15].
|
945
1137
|
#
|
946
1138
|
# For more information about how to use web identity federation and the
|
947
1139
|
# `AssumeRoleWithWebIdentity` API, see the following resources:
|
948
1140
|
#
|
949
|
-
# * [Using Web Identity Federation API Operations for Mobile Apps][
|
950
|
-
# and [Federation Through a Web-based Identity Provider][
|
1141
|
+
# * [Using Web Identity Federation API Operations for Mobile Apps][16]
|
1142
|
+
# and [Federation Through a Web-based Identity Provider][17].
|
951
1143
|
#
|
952
|
-
# * [ Web Identity Federation Playground][
|
1144
|
+
# * [ Web Identity Federation Playground][18]. Walk through the process
|
953
1145
|
# of authenticating through Login with Amazon, Facebook, or Google,
|
954
1146
|
# getting temporary security credentials, and then using those
|
955
1147
|
# credentials to make a request to AWS.
|
956
1148
|
#
|
957
1149
|
# * [AWS SDK for iOS Developer Guide][1] and [AWS SDK for Android
|
958
1150
|
# Developer Guide][2]. These toolkits contain sample apps that show
|
959
|
-
# how to invoke the identity providers
|
960
|
-
# information from these providers to get and use temporary
|
961
|
-
# credentials.
|
1151
|
+
# how to invoke the identity providers. The toolkits then show how to
|
1152
|
+
# use the information from these providers to get and use temporary
|
1153
|
+
# security credentials.
|
962
1154
|
#
|
963
|
-
# * [Web Identity Federation with Mobile Applications][
|
1155
|
+
# * [Web Identity Federation with Mobile Applications][19]. This article
|
964
1156
|
# discusses web identity federation and shows an example of how to use
|
965
1157
|
# web identity federation to get access to content in Amazon S3.
|
966
1158
|
#
|
@@ -975,12 +1167,16 @@ module Aws::STS
|
|
975
1167
|
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
976
1168
|
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
977
1169
|
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
978
|
-
# [10]:
|
979
|
-
# [11]:
|
980
|
-
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
981
|
-
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
982
|
-
# [14]:
|
983
|
-
# [15]: http://
|
1170
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1171
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
1172
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
1173
|
+
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
1174
|
+
# [14]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
|
1175
|
+
# [15]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
1176
|
+
# [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
|
1177
|
+
# [17]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
1178
|
+
# [18]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
|
1179
|
+
# [19]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
984
1180
|
#
|
985
1181
|
# @option params [required, String] :role_arn
|
986
1182
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
@@ -1024,16 +1220,16 @@ module Aws::STS
|
|
1024
1220
|
#
|
1025
1221
|
# This parameter is optional. You can provide up to 10 managed policy
|
1026
1222
|
# ARNs. However, the plain text that you use for both inline and managed
|
1027
|
-
# session policies
|
1028
|
-
#
|
1029
|
-
#
|
1223
|
+
# session policies can't exceed 2,048 characters. For more information
|
1224
|
+
# about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
|
1225
|
+
# Namespaces][1] in the AWS General Reference.
|
1030
1226
|
#
|
1031
|
-
# <note markdown="1">
|
1032
|
-
#
|
1033
|
-
#
|
1034
|
-
#
|
1035
|
-
#
|
1036
|
-
# size limit.
|
1227
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1228
|
+
# tags into a packed binary format that has a separate limit. Your
|
1229
|
+
# request can fail for this limit even if your plain text meets the
|
1230
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1231
|
+
# by percentage how close the policies and tags for your request are to
|
1232
|
+
# the upper size limit.
|
1037
1233
|
#
|
1038
1234
|
# </note>
|
1039
1235
|
#
|
@@ -1066,18 +1262,18 @@ module Aws::STS
|
|
1066
1262
|
# User Guide*.
|
1067
1263
|
#
|
1068
1264
|
# The plain text that you use for both inline and managed session
|
1069
|
-
# policies
|
1265
|
+
# policies can't exceed 2,048 characters. The JSON policy characters
|
1070
1266
|
# can be any ASCII character from the space character to the end of the
|
1071
1267
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
1072
1268
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1073
1269
|
# characters.
|
1074
1270
|
#
|
1075
|
-
# <note markdown="1">
|
1076
|
-
#
|
1077
|
-
#
|
1078
|
-
#
|
1079
|
-
#
|
1080
|
-
# size limit.
|
1271
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1272
|
+
# tags into a packed binary format that has a separate limit. Your
|
1273
|
+
# request can fail for this limit even if your plain text meets the
|
1274
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1275
|
+
# by percentage how close the policies and tags for your request are to
|
1276
|
+
# the upper size limit.
|
1081
1277
|
#
|
1082
1278
|
# </note>
|
1083
1279
|
#
|
@@ -1287,7 +1483,7 @@ module Aws::STS
|
|
1287
1483
|
# review your root user access keys. Then, you can pull a [credentials
|
1288
1484
|
# report][2] to learn which IAM user owns the keys. To learn who
|
1289
1485
|
# requested the temporary credentials for an `ASIA` access key, view the
|
1290
|
-
# STS events in your [CloudTrail logs][3]
|
1486
|
+
# STS events in your [CloudTrail logs][3] in the *IAM User Guide*.
|
1291
1487
|
#
|
1292
1488
|
# This operation does not indicate the state of the access key. The key
|
1293
1489
|
# might be active, inactive, or deleted. Active keys might not have
|
@@ -1304,7 +1500,7 @@ module Aws::STS
|
|
1304
1500
|
# The identifier of an access key.
|
1305
1501
|
#
|
1306
1502
|
# This parameter allows (through its regex pattern) a string of
|
1307
|
-
# characters that can consist of any upper- or
|
1503
|
+
# characters that can consist of any upper- or lowercase letter or
|
1308
1504
|
# digit.
|
1309
1505
|
#
|
1310
1506
|
# @return [Types::GetAccessKeyInfoResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
@@ -1339,7 +1535,7 @@ module Aws::STS
|
|
1339
1535
|
# perform this operation. Permissions are not required because the same
|
1340
1536
|
# information is returned when an IAM user or role is denied access. To
|
1341
1537
|
# view an example response, see [I Am Not Authorized to Perform:
|
1342
|
-
# iam:DeleteVirtualMFADevice][1]
|
1538
|
+
# iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
|
1343
1539
|
#
|
1344
1540
|
# </note>
|
1345
1541
|
#
|
@@ -1432,7 +1628,7 @@ module Aws::STS
|
|
1432
1628
|
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
1433
1629
|
# provider. In this case, we recommend that you use [Amazon Cognito][3]
|
1434
1630
|
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
1435
|
-
# Through a Web-based Identity Provider][4]
|
1631
|
+
# Through a Web-based Identity Provider][4] in the *IAM User Guide*.
|
1436
1632
|
#
|
1437
1633
|
# </note>
|
1438
1634
|
#
|
@@ -1444,35 +1640,33 @@ module Aws::STS
|
|
1444
1640
|
# access. For more information, see [IAM Best Practices][5] in the *IAM
|
1445
1641
|
# User Guide*.
|
1446
1642
|
#
|
1643
|
+
# **Session duration**
|
1644
|
+
#
|
1447
1645
|
# The temporary credentials are valid for the specified duration, from
|
1448
1646
|
# 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
|
1449
|
-
# hours). The default is 43,200 seconds (12 hours).
|
1450
|
-
# credentials that are obtained by using AWS account root user
|
1647
|
+
# hours). The default session duration is 43,200 seconds (12 hours).
|
1648
|
+
# Temporary credentials that are obtained by using AWS account root user
|
1451
1649
|
# credentials have a maximum duration of 3,600 seconds (1 hour).
|
1452
1650
|
#
|
1453
|
-
#
|
1454
|
-
# be used to make API calls to any AWS service with the following
|
1455
|
-
# exceptions:
|
1651
|
+
# **Permissions**
|
1456
1652
|
#
|
1457
|
-
#
|
1653
|
+
# You can use the temporary credentials created by `GetFederationToken`
|
1654
|
+
# in any AWS service except the following:
|
1458
1655
|
#
|
1459
|
-
# * You cannot call any
|
1656
|
+
# * You cannot call any IAM operations using the AWS CLI or the AWS API.
|
1460
1657
|
#
|
1461
|
-
#
|
1658
|
+
# * You cannot call any STS operations except `GetCallerIdentity`.
|
1462
1659
|
#
|
1463
1660
|
# You must pass an inline or managed [session policy][6] to this
|
1464
1661
|
# operation. You can pass a single JSON policy document to use as an
|
1465
1662
|
# inline session policy. You can also specify up to 10 managed policies
|
1466
1663
|
# to use as managed session policies. The plain text that you use for
|
1467
|
-
# both inline and managed session policies
|
1664
|
+
# both inline and managed session policies can't exceed 2,048
|
1468
1665
|
# characters.
|
1469
1666
|
#
|
1470
1667
|
# Though the session policy parameters are optional, if you do not pass
|
1471
1668
|
# a policy, then the resulting federated user session has no
|
1472
|
-
# permissions.
|
1473
|
-
# access a resource that has a resource-based policy that specifically
|
1474
|
-
# references the federated user session in the `Principal` element of
|
1475
|
-
# the policy. When you pass session policies, the session permissions
|
1669
|
+
# permissions. When you pass session policies, the session permissions
|
1476
1670
|
# are the intersection of the IAM user policies and the session policies
|
1477
1671
|
# that you pass. This gives you a way to further restrict the
|
1478
1672
|
# permissions for a federated user. You cannot use session policies to
|
@@ -1482,6 +1676,33 @@ module Aws::STS
|
|
1482
1676
|
# `GetFederationToken` to create temporary security credentials, see
|
1483
1677
|
# [GetFederationToken—Federation Through a Custom Identity Broker][7].
|
1484
1678
|
#
|
1679
|
+
# You can use the credentials to access a resource that has a
|
1680
|
+
# resource-based policy. If that policy specifically references the
|
1681
|
+
# federated user session in the `Principal` element of the policy, the
|
1682
|
+
# session has the permissions allowed by the policy. These permissions
|
1683
|
+
# are granted in addition to the permissions granted by the session
|
1684
|
+
# policies.
|
1685
|
+
#
|
1686
|
+
# **Tags**
|
1687
|
+
#
|
1688
|
+
# (Optional) You can pass tag key-value pairs to your session. These are
|
1689
|
+
# called session tags. For more information about session tags, see
|
1690
|
+
# [Passing Session Tags in STS][8] in the *IAM User Guide*.
|
1691
|
+
#
|
1692
|
+
# An administrator must grant you the permissions necessary to pass
|
1693
|
+
# session tags. The administrator can also create granular permissions
|
1694
|
+
# to allow you to pass only specific session tags. For more information,
|
1695
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
|
1696
|
+
# the *IAM User Guide*.
|
1697
|
+
#
|
1698
|
+
# Tag key–value pairs are not case sensitive, but case is preserved.
|
1699
|
+
# This means that you cannot have separate `Department` and `department`
|
1700
|
+
# tag keys. Assume that the user that you are federating has the
|
1701
|
+
# `Department`=`Marketing` tag and you pass the
|
1702
|
+
# `department`=`engineering` session tag. `Department` and `department`
|
1703
|
+
# are not saved as separate tags, and the session tag passed in the
|
1704
|
+
# request takes precedence over the user tag.
|
1705
|
+
#
|
1485
1706
|
#
|
1486
1707
|
#
|
1487
1708
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
@@ -1491,6 +1712,8 @@ module Aws::STS
|
|
1491
1712
|
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
|
1492
1713
|
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1493
1714
|
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
|
1715
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1716
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
1494
1717
|
#
|
1495
1718
|
# @option params [required, String] :name
|
1496
1719
|
# The name of the federated user. The name is used as an identifier for
|
@@ -1514,10 +1737,7 @@ module Aws::STS
|
|
1514
1737
|
#
|
1515
1738
|
# This parameter is optional. However, if you do not pass any session
|
1516
1739
|
# policies, then the resulting federated user session has no
|
1517
|
-
# permissions.
|
1518
|
-
# access a resource that has a resource-based policy that specifically
|
1519
|
-
# references the federated user session in the `Principal` element of
|
1520
|
-
# the policy.
|
1740
|
+
# permissions.
|
1521
1741
|
#
|
1522
1742
|
# When you pass session policies, the session permissions are the
|
1523
1743
|
# intersection of the IAM user policies and the session policies that
|
@@ -1527,19 +1747,26 @@ module Aws::STS
|
|
1527
1747
|
# the IAM user. For more information, see [Session Policies][1] in the
|
1528
1748
|
# *IAM User Guide*.
|
1529
1749
|
#
|
1750
|
+
# The resulting credentials can be used to access a resource that has a
|
1751
|
+
# resource-based policy. If that policy specifically references the
|
1752
|
+
# federated user session in the `Principal` element of the policy, the
|
1753
|
+
# session has the permissions allowed by the policy. These permissions
|
1754
|
+
# are granted in addition to the permissions that are granted by the
|
1755
|
+
# session policies.
|
1756
|
+
#
|
1530
1757
|
# The plain text that you use for both inline and managed session
|
1531
|
-
# policies
|
1758
|
+
# policies can't exceed 2,048 characters. The JSON policy characters
|
1532
1759
|
# can be any ASCII character from the space character to the end of the
|
1533
1760
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
1534
1761
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1535
1762
|
# characters.
|
1536
1763
|
#
|
1537
|
-
# <note markdown="1">
|
1538
|
-
#
|
1539
|
-
#
|
1540
|
-
#
|
1541
|
-
#
|
1542
|
-
# size limit.
|
1764
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1765
|
+
# tags into a packed binary format that has a separate limit. Your
|
1766
|
+
# request can fail for this limit even if your plain text meets the
|
1767
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1768
|
+
# by percentage how close the policies and tags for your request are to
|
1769
|
+
# the upper size limit.
|
1543
1770
|
#
|
1544
1771
|
# </note>
|
1545
1772
|
#
|
@@ -1556,17 +1783,14 @@ module Aws::STS
|
|
1556
1783
|
# operation. You can pass a single JSON policy document to use as an
|
1557
1784
|
# inline session policy. You can also specify up to 10 managed policies
|
1558
1785
|
# to use as managed session policies. The plain text that you use for
|
1559
|
-
# both inline and managed session policies
|
1786
|
+
# both inline and managed session policies can't exceed 2,048
|
1560
1787
|
# characters. You can provide up to 10 managed policy ARNs. For more
|
1561
1788
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
1562
1789
|
# Service Namespaces][2] in the AWS General Reference.
|
1563
1790
|
#
|
1564
1791
|
# This parameter is optional. However, if you do not pass any session
|
1565
1792
|
# policies, then the resulting federated user session has no
|
1566
|
-
# permissions.
|
1567
|
-
# access a resource that has a resource-based policy that specifically
|
1568
|
-
# references the federated user session in the `Principal` element of
|
1569
|
-
# the policy.
|
1793
|
+
# permissions.
|
1570
1794
|
#
|
1571
1795
|
# When you pass session policies, the session permissions are the
|
1572
1796
|
# intersection of the IAM user policies and the session policies that
|
@@ -1576,12 +1800,19 @@ module Aws::STS
|
|
1576
1800
|
# the IAM user. For more information, see [Session Policies][1] in the
|
1577
1801
|
# *IAM User Guide*.
|
1578
1802
|
#
|
1579
|
-
#
|
1580
|
-
#
|
1581
|
-
#
|
1582
|
-
#
|
1583
|
-
#
|
1584
|
-
#
|
1803
|
+
# The resulting credentials can be used to access a resource that has a
|
1804
|
+
# resource-based policy. If that policy specifically references the
|
1805
|
+
# federated user session in the `Principal` element of the policy, the
|
1806
|
+
# session has the permissions allowed by the policy. These permissions
|
1807
|
+
# are granted in addition to the permissions that are granted by the
|
1808
|
+
# session policies.
|
1809
|
+
#
|
1810
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1811
|
+
# tags into a packed binary format that has a separate limit. Your
|
1812
|
+
# request can fail for this limit even if your plain text meets the
|
1813
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1814
|
+
# by percentage how close the policies and tags for your request are to
|
1815
|
+
# the upper size limit.
|
1585
1816
|
#
|
1586
1817
|
# </note>
|
1587
1818
|
#
|
@@ -1599,6 +1830,41 @@ module Aws::STS
|
|
1599
1830
|
# duration is longer than one hour, the session obtained by using root
|
1600
1831
|
# user credentials defaults to one hour.
|
1601
1832
|
#
|
1833
|
+
# @option params [Array<Types::Tag>] :tags
|
1834
|
+
# A list of session tags. Each session tag consists of a key name and an
|
1835
|
+
# associated value. For more information about session tags, see
|
1836
|
+
# [Passing Session Tags in STS][1] in the *IAM User Guide*.
|
1837
|
+
#
|
1838
|
+
# This parameter is optional. You can pass up to 50 session tags. The
|
1839
|
+
# plain text session tag keys can’t exceed 128 characters and the values
|
1840
|
+
# can’t exceed 256 characters. For these and additional limits, see [IAM
|
1841
|
+
# and STS Character Limits][2] in the *IAM User Guide*.
|
1842
|
+
#
|
1843
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1844
|
+
# tags into a packed binary format that has a separate limit. Your
|
1845
|
+
# request can fail for this limit even if your plain text meets the
|
1846
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1847
|
+
# by percentage how close the policies and tags for your request are to
|
1848
|
+
# the upper size limit.
|
1849
|
+
#
|
1850
|
+
# </note>
|
1851
|
+
#
|
1852
|
+
# You can pass a session tag with the same key as a tag that is already
|
1853
|
+
# attached to the user you are federating. When you do, session tags
|
1854
|
+
# override a user tag with the same key.
|
1855
|
+
#
|
1856
|
+
# Tag key–value pairs are not case sensitive, but case is preserved.
|
1857
|
+
# This means that you cannot have separate `Department` and `department`
|
1858
|
+
# tag keys. Assume that the role has the `Department`=`Marketing` tag
|
1859
|
+
# and you pass the `department`=`engineering` session tag. `Department`
|
1860
|
+
# and `department` are not saved as separate tags, and the session tag
|
1861
|
+
# passed in the request takes precedence over the role tag.
|
1862
|
+
#
|
1863
|
+
#
|
1864
|
+
#
|
1865
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1866
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
1867
|
+
#
|
1602
1868
|
# @return [Types::GetFederationTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1603
1869
|
#
|
1604
1870
|
# * {Types::GetFederationTokenResponse#credentials #credentials} => Types::Credentials
|
@@ -1610,8 +1876,18 @@ module Aws::STS
|
|
1610
1876
|
#
|
1611
1877
|
# resp = client.get_federation_token({
|
1612
1878
|
# duration_seconds: 3600,
|
1613
|
-
# name: "
|
1879
|
+
# name: "testFedUserSession",
|
1614
1880
|
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
|
1881
|
+
# tags: [
|
1882
|
+
# {
|
1883
|
+
# key: "Project",
|
1884
|
+
# value: "Pegasus",
|
1885
|
+
# },
|
1886
|
+
# {
|
1887
|
+
# key: "Cost-Center",
|
1888
|
+
# value: "98765",
|
1889
|
+
# },
|
1890
|
+
# ],
|
1615
1891
|
# })
|
1616
1892
|
#
|
1617
1893
|
# resp.to_h outputs the following:
|
@@ -1626,7 +1902,7 @@ module Aws::STS
|
|
1626
1902
|
# arn: "arn:aws:sts::123456789012:federated-user/Bob",
|
1627
1903
|
# federated_user_id: "123456789012:Bob",
|
1628
1904
|
# },
|
1629
|
-
# packed_policy_size:
|
1905
|
+
# packed_policy_size: 8,
|
1630
1906
|
# }
|
1631
1907
|
#
|
1632
1908
|
# @example Request syntax with placeholder values
|
@@ -1640,6 +1916,12 @@ module Aws::STS
|
|
1640
1916
|
# },
|
1641
1917
|
# ],
|
1642
1918
|
# duration_seconds: 1,
|
1919
|
+
# tags: [
|
1920
|
+
# {
|
1921
|
+
# key: "tagKeyType", # required
|
1922
|
+
# value: "tagValueType", # required
|
1923
|
+
# },
|
1924
|
+
# ],
|
1643
1925
|
# })
|
1644
1926
|
#
|
1645
1927
|
# @example Response structure
|
@@ -1676,6 +1958,8 @@ module Aws::STS
|
|
1676
1958
|
# Credentials][1] and [Comparing the AWS STS API operations][2] in the
|
1677
1959
|
# *IAM User Guide*.
|
1678
1960
|
#
|
1961
|
+
# **Session Duration**
|
1962
|
+
#
|
1679
1963
|
# The `GetSessionToken` operation must be called by using the long-term
|
1680
1964
|
# AWS security credentials of the AWS account root user or an IAM user.
|
1681
1965
|
# Credentials that are created by IAM users are valid for the duration
|
@@ -1685,6 +1969,8 @@ module Aws::STS
|
|
1685
1969
|
# can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour),
|
1686
1970
|
# with a default of 1 hour.
|
1687
1971
|
#
|
1972
|
+
# **Permissions**
|
1973
|
+
#
|
1688
1974
|
# The temporary security credentials created by `GetSessionToken` can be
|
1689
1975
|
# used to make API calls to any AWS service with the following
|
1690
1976
|
# exceptions:
|
@@ -1815,7 +2101,7 @@ module Aws::STS
|
|
1815
2101
|
params: params,
|
1816
2102
|
config: config)
|
1817
2103
|
context[:gem_name] = 'aws-sdk-core'
|
1818
|
-
context[:gem_version] = '3.
|
2104
|
+
context[:gem_version] = '3.81.0'
|
1819
2105
|
Seahorse::Client::Request.new(handlers, context)
|
1820
2106
|
end
|
1821
2107
|
|