RubyGems - aws-sdk-lakeformation - Versions diffs - 1.26.0 → 1.27.0 - Mend

aws-sdk-lakeformation 1.26.0 → 1.27.0

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +5 -0
data/VERSION +1 -1
data/lib/aws-sdk-lakeformation/client.rb +74 -8
data/lib/aws-sdk-lakeformation/client_api.rb +29 -0
data/lib/aws-sdk-lakeformation/types.rb +73 -0
data/lib/aws-sdk-lakeformation.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5baf612c864eedf2679448691dbd96b221097a8133badce1375c76dc0f48297
-  data.tar.gz: 160f22b141638242a1ec24a16ab1847c7f891814d562171ce74d2aeb5ce79e9e
+  metadata.gz: f408a75a960c931b6a2b4c88eae1dd513ad341c7bc8aea2ec42cf7ea8a1dbf90
+  data.tar.gz: d90872ab11a0a748f4ca8991e19bcb749f655d4b333f378f9fc04984abe824e1
 SHA512:
-  metadata.gz: a68dd4966f4aa25e5425431b5c08de671d2416b97598d4fffa268be176b84e518bc76be181642d2ad42b20d767b9ba8b9ca63e98a61f636bd8069c8b7437e4d8
-  data.tar.gz: a3ffcafde2bce08b60fb311d71b07fb1125da7cdddf6396b95e23b98d86d2f87976c2e09ed66ac4ae9acb25e277eddd1ca5cd86aba99dd33787fffa31d61b8aa
+  metadata.gz: 76de4c2bc9732757c8992d8a85b44cb73d040dfc549007b62aa46557c497f138a3e14de6d437a2364b60672437b2a7100cef2b2e7c97303db992fcdc80b25c63
+  data.tar.gz: 68f9c009e40d4cda9a6c5dc43ab3767c49fc662fcb66fc95ae7ee06a429d4000f5ee551491732c8de3b97c31a33cd5b8f75ba143ee76a2686a077853632b20c5

data/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
+1.27.0 (2022-08-17)
+------------------
+* Feature - This release adds a new API support "AssumeDecoratedRoleWithSAML" and also release updates the corresponding documentation.
 1.26.0 (2022-03-22)
 ------------------

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 1.26.0
1	+ 1.27.0

data/lib/aws-sdk-lakeformation/client.rb CHANGED Viewed

@@ -450,6 +450,73 @@ module Aws::LakeFormation
       req.send_request(options)
     end
+    # Allows a caller to assume an IAM role decorated as the SAML user
+    # specified in the SAML assertion included in the request. This
+    # decoration allows Lake Formation to enforce access policies against
+    # the SAML users and groups. This API operation requires SAML federation
+    # setup in the caller’s account as it can only be called with valid SAML
+    # assertions. Lake Formation does not scope down the permission of the
+    # assumed role. All permissions attached to the role via the SAML
+    # federation setup will be included in the role session.
+    #
+    # This decorated role is expected to access data in Amazon S3 by getting
+    # temporary access from Lake Formation which is authorized via the
+    # virtual API `GetDataAccess`. Therefore, all SAML roles that can be
+    # assumed via `AssumeDecoratedRoleWithSAML` must at a minimum include
+    # `lakeformation:GetDataAccess` in their role policies. A typical IAM
+    # policy attached to such a role would look as follows:
+    #
+    # @option params [required, String] :saml_assertion
+    #   A SAML assertion consisting of an assertion statement for the user who
+    #   needs temporary credentials. This must match the SAML assertion that
+    #   was issued to IAM. This must be Base64 encoded.
+    #
+    # @option params [required, String] :role_arn
+    #   The role that represents an IAM principal whose scope down policy
+    #   allows it to call credential vending APIs such as
+    #   `GetTemporaryTableCredentials`. The caller must also have iam:PassRole
+    #   permission on this role.
+    #
+    # @option params [required, String] :principal_arn
+    #   The Amazon Resource Name (ARN) of the SAML provider in IAM that
+    #   describes the IdP.
+    #
+    # @option params [Integer] :duration_seconds
+    #   The time period, between 900 and 43,200 seconds, for the timeout of
+    #   the temporary credentials.
+    #
+    # @return [Types::AssumeDecoratedRoleWithSAMLResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::AssumeDecoratedRoleWithSAMLResponse#access_key_id #access_key_id} => String
+    #   * {Types::AssumeDecoratedRoleWithSAMLResponse#secret_access_key #secret_access_key} => String
+    #   * {Types::AssumeDecoratedRoleWithSAMLResponse#session_token #session_token} => String
+    #   * {Types::AssumeDecoratedRoleWithSAMLResponse#expiration #expiration} => Time
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.assume_decorated_role_with_saml({
+    #     saml_assertion: "SAMLAssertionString", # required
+    #     role_arn: "IAMRoleArn", # required
+    #     principal_arn: "IAMSAMLProviderArn", # required
+    #     duration_seconds: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.access_key_id #=> String
+    #   resp.secret_access_key #=> String
+    #   resp.session_token #=> String
+    #   resp.expiration #=> Time
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/lakeformation-2017-03-31/AssumeDecoratedRoleWithSAML AWS API Documentation
+    #
+    # @overload assume_decorated_role_with_saml(params = {})
+    # @param [Hash] params ({})
+    def assume_decorated_role_with_saml(params = {}, options = {})
+      req = build_request(:assume_decorated_role_with_saml, params)
+      req.send_request(options)
+    end
     # Batch operation to grant permissions to the principal.
     #
     # @option params [String] :catalog_id
@@ -868,13 +935,12 @@ module Aws::LakeFormation
       req.send_request(options)
     end
-    # Deletes the specified LF-tag key name. If the attribute key does not
-    # exist or the LF-tag does not exist, then the operation will not do
-    # anything. If the attribute key exists, then the operation checks if
-    # any resources are tagged with this attribute key, if yes, the API
-    # throws a 400 Exception with the message "Delete not allowed" as the
-    # LF-tag key is still attached with resources. You can consider
-    # untagging resources with this LF-tag key.
+    # Deletes the specified LF-tag given a key name. If the input parameter
+    # tag key was not found, then the operation will throw an exception.
+    # When you delete an LF-tag, the `LFTagPolicy` attached to the LF-tag
+    # becomes invalid. If the deleted LF-tag was still assigned to any
+    # resource, the tag policy attach to the deleted LF-tag will no longer
+    # be applied to the resource.
     #
     # @option params [String] :catalog_id
     #   The identifier for the Data Catalog. By default, the account ID. The
@@ -3018,7 +3084,7 @@ module Aws::LakeFormation
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-lakeformation'
-      context[:gem_version] = '1.26.0'
+      context[:gem_version] = '1.27.0'
       Seahorse::Client::Request.new(handlers, context)
     end

data/lib/aws-sdk-lakeformation/client_api.rb CHANGED Viewed

@@ -20,6 +20,8 @@ module Aws::LakeFormation
     AddObjectInput = Shapes::StructureShape.new(name: 'AddObjectInput')
     AllRowsWildcard = Shapes::StructureShape.new(name: 'AllRowsWildcard')
     AlreadyExistsException = Shapes::StructureShape.new(name: 'AlreadyExistsException')
+    AssumeDecoratedRoleWithSAMLRequest = Shapes::StructureShape.new(name: 'AssumeDecoratedRoleWithSAMLRequest')
+    AssumeDecoratedRoleWithSAMLResponse = Shapes::StructureShape.new(name: 'AssumeDecoratedRoleWithSAMLResponse')
     AuditContext = Shapes::StructureShape.new(name: 'AuditContext')
     AuditContextString = Shapes::StringShape.new(name: 'AuditContextString')
     AuthorizedSessionTagValueList = Shapes::ListShape.new(name: 'AuthorizedSessionTagValueList')
@@ -120,6 +122,7 @@ module Aws::LakeFormation
     GrantPermissionsRequest = Shapes::StructureShape.new(name: 'GrantPermissionsRequest')
     GrantPermissionsResponse = Shapes::StructureShape.new(name: 'GrantPermissionsResponse')
     IAMRoleArn = Shapes::StringShape.new(name: 'IAMRoleArn')
+    IAMSAMLProviderArn = Shapes::StringShape.new(name: 'IAMSAMLProviderArn')
     Identifier = Shapes::StringShape.new(name: 'Identifier')
     Integer = Shapes::IntegerShape.new(name: 'Integer')
     InternalServiceException = Shapes::StructureShape.new(name: 'InternalServiceException')
@@ -198,6 +201,7 @@ module Aws::LakeFormation
     RevokePermissionsRequest = Shapes::StructureShape.new(name: 'RevokePermissionsRequest')
     RevokePermissionsResponse = Shapes::StructureShape.new(name: 'RevokePermissionsResponse')
     RowFilter = Shapes::StructureShape.new(name: 'RowFilter')
+    SAMLAssertionString = Shapes::StringShape.new(name: 'SAMLAssertionString')
     SearchDatabasesByLFTagsRequest = Shapes::StructureShape.new(name: 'SearchDatabasesByLFTagsRequest')
     SearchDatabasesByLFTagsResponse = Shapes::StructureShape.new(name: 'SearchDatabasesByLFTagsResponse')
     SearchTablesByLFTagsRequest = Shapes::StructureShape.new(name: 'SearchTablesByLFTagsRequest')
@@ -287,6 +291,18 @@ module Aws::LakeFormation
     AlreadyExistsException.add_member(:message, Shapes::ShapeRef.new(shape: MessageString, location_name: "Message"))
     AlreadyExistsException.struct_class = Types::AlreadyExistsException
+    AssumeDecoratedRoleWithSAMLRequest.add_member(:saml_assertion, Shapes::ShapeRef.new(shape: SAMLAssertionString, required: true, location_name: "SAMLAssertion"))
+    AssumeDecoratedRoleWithSAMLRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: IAMRoleArn, required: true, location_name: "RoleArn"))
+    AssumeDecoratedRoleWithSAMLRequest.add_member(:principal_arn, Shapes::ShapeRef.new(shape: IAMSAMLProviderArn, required: true, location_name: "PrincipalArn"))
+    AssumeDecoratedRoleWithSAMLRequest.add_member(:duration_seconds, Shapes::ShapeRef.new(shape: CredentialTimeoutDurationSecondInteger, location_name: "DurationSeconds"))
+    AssumeDecoratedRoleWithSAMLRequest.struct_class = Types::AssumeDecoratedRoleWithSAMLRequest
+    AssumeDecoratedRoleWithSAMLResponse.add_member(:access_key_id, Shapes::ShapeRef.new(shape: AccessKeyIdString, location_name: "AccessKeyId"))
+    AssumeDecoratedRoleWithSAMLResponse.add_member(:secret_access_key, Shapes::ShapeRef.new(shape: SecretAccessKeyString, location_name: "SecretAccessKey"))
+    AssumeDecoratedRoleWithSAMLResponse.add_member(:session_token, Shapes::ShapeRef.new(shape: SessionTokenString, location_name: "SessionToken"))
+    AssumeDecoratedRoleWithSAMLResponse.add_member(:expiration, Shapes::ShapeRef.new(shape: ExpirationTimestamp, location_name: "Expiration"))
+    AssumeDecoratedRoleWithSAMLResponse.struct_class = Types::AssumeDecoratedRoleWithSAMLResponse
     AuditContext.add_member(:additional_audit_context, Shapes::ShapeRef.new(shape: AuditContextString, location_name: "AdditionalAuditContext"))
     AuditContext.struct_class = Types::AuditContext
@@ -1007,6 +1023,19 @@ module Aws::LakeFormation
         o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
       end)
+      api.add_operation(:assume_decorated_role_with_saml, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "AssumeDecoratedRoleWithSAML"
+        o.http_method = "POST"
+        o.http_request_uri = "/AssumeDecoratedRoleWithSAML"
+        o.input = Shapes::ShapeRef.new(shape: AssumeDecoratedRoleWithSAMLRequest)
+        o.output = Shapes::ShapeRef.new(shape: AssumeDecoratedRoleWithSAMLResponse)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidInputException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServiceException)
+        o.errors << Shapes::ShapeRef.new(shape: OperationTimeoutException)
+        o.errors << Shapes::ShapeRef.new(shape: EntityNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+      end)
       api.add_operation(:batch_grant_permissions, Seahorse::Model::Operation.new.tap do |o|
         o.name = "BatchGrantPermissions"
         o.http_method = "POST"

data/lib/aws-sdk-lakeformation/types.rb CHANGED Viewed

@@ -192,6 +192,79 @@ module Aws::LakeFormation
       include Aws::Structure
     end
+    # @note When making an API call, you may pass AssumeDecoratedRoleWithSAMLRequest
+    #   data as a hash:
+    #
+    #       {
+    #         saml_assertion: "SAMLAssertionString", # required
+    #         role_arn: "IAMRoleArn", # required
+    #         principal_arn: "IAMSAMLProviderArn", # required
+    #         duration_seconds: 1,
+    #       }
+    #
+    # @!attribute [rw] saml_assertion
+    #   A SAML assertion consisting of an assertion statement for the user
+    #   who needs temporary credentials. This must match the SAML assertion
+    #   that was issued to IAM. This must be Base64 encoded.
+    #   @return [String]
+    #
+    # @!attribute [rw] role_arn
+    #   The role that represents an IAM principal whose scope down policy
+    #   allows it to call credential vending APIs such as
+    #   `GetTemporaryTableCredentials`. The caller must also have
+    #   iam:PassRole permission on this role.
+    #   @return [String]
+    #
+    # @!attribute [rw] principal_arn
+    #   The Amazon Resource Name (ARN) of the SAML provider in IAM that
+    #   describes the IdP.
+    #   @return [String]
+    #
+    # @!attribute [rw] duration_seconds
+    #   The time period, between 900 and 43,200 seconds, for the timeout of
+    #   the temporary credentials.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/lakeformation-2017-03-31/AssumeDecoratedRoleWithSAMLRequest AWS API Documentation
+    #
+    class AssumeDecoratedRoleWithSAMLRequest < Struct.new(
+      :saml_assertion,
+      :role_arn,
+      :principal_arn,
+      :duration_seconds)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # @!attribute [rw] access_key_id
+    #   The access key ID for the temporary credentials. (The access key
+    #   consists of an access key ID and a secret key).
+    #   @return [String]
+    #
+    # @!attribute [rw] secret_access_key
+    #   The secret key for the temporary credentials. (The access key
+    #   consists of an access key ID and a secret key).
+    #   @return [String]
+    #
+    # @!attribute [rw] session_token
+    #   The session token for the temporary credentials.
+    #   @return [String]
+    #
+    # @!attribute [rw] expiration
+    #   The date and time when the temporary credentials expire.
+    #   @return [Time]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/lakeformation-2017-03-31/AssumeDecoratedRoleWithSAMLResponse AWS API Documentation
+    #
+    class AssumeDecoratedRoleWithSAMLResponse < Struct.new(
+      :access_key_id,
+      :secret_access_key,
+      :session_token,
+      :expiration)
+      SENSITIVE = []
+      include Aws::Structure
+    end
     # A structure used to include auditing information on the privileged
     # API.
     #

data/lib/aws-sdk-lakeformation.rb CHANGED Viewed

@@ -48,6 +48,6 @@ require_relative 'aws-sdk-lakeformation/customizations'
 # @!group service
 module Aws::LakeFormation
-  GEM_VERSION = '1.26.0'
+  GEM_VERSION = '1.27.0'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-lakeformation
 version: !ruby/object:Gem::Version
-  version: 1.26.0
+  version: 1.27.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-22 00:00:00.000000000 Z
+date: 2022-08-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core