aws-sdk-ssoadmin 1.16.0 → 1.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 20aee04e9e8da7b00e9ced7881e3619fca82ba227034ec32bf27667d996bdd2b
-  data.tar.gz: 2719d9ec7730f75befe24ced4112d980947a17675eed763b22e05c94982d7139
+  metadata.gz: c915cef011351abba2ed5524b5fdf1f43a7a39d042724488f2c49d609cca1f82
+  data.tar.gz: 939d7ec566dcacc58dc5ae3fadfcd55d54d5f3aa3b4170ea1be612b1df23c7a3
 SHA512:
-  metadata.gz: b3f0e81d662ffc6f1e6715ad414ed28e93d1b204df5d47224b9930057f9444f0efaef1a76c848fc849c059033614014615c0a991c14b6f3005aaac4aab552252
-  data.tar.gz: 6d4e60011fd21c0b59fb9251cc17ce9ab4cf1dcd2e23e74f7692858c56e38a8a0734689ae2222a9153fdb45db16ca179d073073b174122452a86b219ff568daf
+  metadata.gz: 1f5699026d95effb289e508815d8eefd3711e10647bcc85e2e9feb2fa901ca909fc62a30206da7ae88ee10e6bd2268f873ee969ca595d222e7a5c9046f709118
+  data.tar.gz: aa3e97796906e96c33ac31b04f2ea1bb0ae71745a6290ed9bd2bd32fc0d50e7aa8dcced2444fd2b506b5b1f3d1dd727fa349ca74546068c357a260513de75fce

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.17.0 (2022-07-18)
+------------------
+
+* Feature - AWS SSO now supports attaching customer managed policies and a permissions boundary to your permission sets. This release adds new API operations to manage and view the customer managed policies and the permissions boundary for a given permission set.
+
 1.16.0 (2022-02-24)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.16.0
+1.17.0

data/lib/aws-sdk-ssoadmin/client.rb

@@ -361,7 +361,45 @@ module Aws::SSOAdmin
 
     # @!group API Operations
 
-    # Attaches an IAM managed policy ARN to a permission set.
+    # Attaches the specified IAM customer managed policy to the specified
+    # PermissionSet.
+    #
+    # @option params [required, String] :instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #
+    # @option params [required, String] :permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #
+    # @option params [required, Types::CustomerManagedPolicyReference] :customer_managed_policy_reference
+    #   Specifies the name and path of the IAM customer managed policy. You
+    #   must have an IAM policy that matches the name and path in each Amazon
+    #   Web Services account where you want to deploy your permission set.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.attach_customer_managed_policy_reference_to_permission_set({
+    #     instance_arn: "InstanceArn", # required
+    #     permission_set_arn: "PermissionSetArn", # required
+    #     customer_managed_policy_reference: { # required
+    #       name: "ManagedPolicyName", # required
+    #       path: "ManagedPolicyPath",
+    #     },
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/AttachCustomerManagedPolicyReferenceToPermissionSet AWS API Documentation
+    #
+    # @overload attach_customer_managed_policy_reference_to_permission_set(params = {})
+    # @param [Hash] params ({})
+    def attach_customer_managed_policy_reference_to_permission_set(params = {}, options = {})
+      req = build_request(:attach_customer_managed_policy_reference_to_permission_set, params)
+      req.send_request(options)
+    end
+
+    # Attaches an Amazon Web Services managed IAM policy ARN to a permission
+    # set.
     #
     # <note markdown="1"> If the permission set is already referenced by one or more account
     # assignments, you will need to call ` ProvisionPermissionSet ` after
@@ -382,7 +420,8 @@ module Aws::SSOAdmin
     #   attached to.
     #
     # @option params [required, String] :managed_policy_arn
-    #   The IAM managed policy ARN to be attached to a permission set.
+    #   The Amazon Web Services managed policy ARN to be attached to a
+    #   permission set.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -579,8 +618,8 @@ module Aws::SSOAdmin
     #     relay_state: "RelayState",
     #     tags: [
     #       {
-    #         key: "TagKey",
-    #         value: "TagValue",
+    #         key: "TagKey", # required
+    #         value: "TagValue", # required
     #       },
     #     ],
     #   })
@@ -760,6 +799,33 @@ module Aws::SSOAdmin
       req.send_request(options)
     end
 
+    # Deletes the permissions boundary from a specified PermissionSet.
+    #
+    # @option params [required, String] :instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #
+    # @option params [required, String] :permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_permissions_boundary_from_permission_set({
+    #     instance_arn: "InstanceArn", # required
+    #     permission_set_arn: "PermissionSetArn", # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/DeletePermissionsBoundaryFromPermissionSet AWS API Documentation
+    #
+    # @overload delete_permissions_boundary_from_permission_set(params = {})
+    # @param [Hash] params ({})
+    def delete_permissions_boundary_from_permission_set(params = {}, options = {})
+      req = build_request(:delete_permissions_boundary_from_permission_set, params)
+      req.send_request(options)
+    end
+
     # Describes the status of the assignment creation request.
     #
     # @option params [required, String] :instance_arn
@@ -974,8 +1040,45 @@ module Aws::SSOAdmin
       req.send_request(options)
     end
 
-    # Detaches the attached IAM managed policy ARN from the specified
-    # permission set.
+    # Detaches the specified IAM customer managed policy from the specified
+    # PermissionSet.
+    #
+    # @option params [required, String] :instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #
+    # @option params [required, String] :permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #
+    # @option params [required, Types::CustomerManagedPolicyReference] :customer_managed_policy_reference
+    #   Specifies the name and path of the IAM customer managed policy. You
+    #   must have an IAM policy that matches the name and path in each Amazon
+    #   Web Services account where you want to deploy your permission set.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.detach_customer_managed_policy_reference_from_permission_set({
+    #     instance_arn: "InstanceArn", # required
+    #     permission_set_arn: "PermissionSetArn", # required
+    #     customer_managed_policy_reference: { # required
+    #       name: "ManagedPolicyName", # required
+    #       path: "ManagedPolicyPath",
+    #     },
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/DetachCustomerManagedPolicyReferenceFromPermissionSet AWS API Documentation
+    #
+    # @overload detach_customer_managed_policy_reference_from_permission_set(params = {})
+    # @param [Hash] params ({})
+    def detach_customer_managed_policy_reference_from_permission_set(params = {}, options = {})
+      req = build_request(:detach_customer_managed_policy_reference_from_permission_set, params)
+      req.send_request(options)
+    end
+
+    # Detaches the attached Amazon Web Services managed IAM policy ARN from
+    # the specified permission set.
     #
     # @option params [required, String] :instance_arn
     #   The ARN of the SSO instance under which the operation will be
@@ -988,7 +1091,8 @@ module Aws::SSOAdmin
     #   The ARN of the PermissionSet from which the policy should be detached.
     #
     # @option params [required, String] :managed_policy_arn
-    #   The IAM managed policy ARN to be attached to a permission set.
+    #   The Amazon Web Services managed policy ARN to be detached from a
+    #   permission set.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -1045,6 +1149,41 @@ module Aws::SSOAdmin
       req.send_request(options)
     end
 
+    # Obtains the permissions boundary for a specified PermissionSet.
+    #
+    # @option params [required, String] :instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #
+    # @option params [required, String] :permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #
+    # @return [Types::GetPermissionsBoundaryForPermissionSetResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetPermissionsBoundaryForPermissionSetResponse#permissions_boundary #permissions_boundary} => Types::PermissionsBoundary
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_permissions_boundary_for_permission_set({
+    #     instance_arn: "InstanceArn", # required
+    #     permission_set_arn: "PermissionSetArn", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.permissions_boundary.customer_managed_policy_reference.name #=> String
+    #   resp.permissions_boundary.customer_managed_policy_reference.path #=> String
+    #   resp.permissions_boundary.managed_policy_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/GetPermissionsBoundaryForPermissionSet AWS API Documentation
+    #
+    # @overload get_permissions_boundary_for_permission_set(params = {})
+    # @param [Hash] params ({})
+    def get_permissions_boundary_for_permission_set(params = {}, options = {})
+      req = build_request(:get_permissions_boundary_for_permission_set, params)
+      req.send_request(options)
+    end
+
     # Lists the status of the Amazon Web Services account assignment
     # creation requests for a specified SSO instance.
     #
@@ -1271,6 +1410,55 @@ module Aws::SSOAdmin
       req.send_request(options)
     end
 
+    # Lists all IAM customer managed policies attached to a specified
+    # PermissionSet.
+    #
+    # @option params [required, String] :instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #
+    # @option params [required, String] :permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #
+    # @option params [Integer] :max_results
+    #   The maximum number of results to display for the list call.
+    #
+    # @option params [String] :next_token
+    #   The pagination token for the list API. Initially the value is null.
+    #   Use the output of previous API calls to make subsequent calls.
+    #
+    # @return [Types::ListCustomerManagedPolicyReferencesInPermissionSetResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListCustomerManagedPolicyReferencesInPermissionSetResponse#customer_managed_policy_references #customer_managed_policy_references} => Array&lt;Types::CustomerManagedPolicyReference&gt;
+    #   * {Types::ListCustomerManagedPolicyReferencesInPermissionSetResponse#next_token #next_token} => String
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_customer_managed_policy_references_in_permission_set({
+    #     instance_arn: "InstanceArn", # required
+    #     permission_set_arn: "PermissionSetArn", # required
+    #     max_results: 1,
+    #     next_token: "Token",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.customer_managed_policy_references #=> Array
+    #   resp.customer_managed_policy_references[0].name #=> String
+    #   resp.customer_managed_policy_references[0].path #=> String
+    #   resp.next_token #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/ListCustomerManagedPolicyReferencesInPermissionSet AWS API Documentation
+    #
+    # @overload list_customer_managed_policy_references_in_permission_set(params = {})
+    # @param [Hash] params ({})
+    def list_customer_managed_policy_references_in_permission_set(params = {}, options = {})
+      req = build_request(:list_customer_managed_policy_references_in_permission_set, params)
+      req.send_request(options)
+    end
+
     # Lists the SSO instances that the caller has access to.
     #
     # @option params [Integer] :max_results
@@ -1310,8 +1498,8 @@ module Aws::SSOAdmin
       req.send_request(options)
     end
 
-    # Lists the IAM managed policy that is attached to a specified
-    # permission set.
+    # Lists the Amazon Web Services managed IAM policy that is attached to a
+    # specified permission set.
     #
     # @option params [required, String] :instance_arn
     #   The ARN of the SSO instance under which the operation will be
@@ -1546,7 +1734,7 @@ module Aws::SSOAdmin
     #
     #   resp = client.list_tags_for_resource({
     #     instance_arn: "InstanceArn", # required
-    #     resource_arn: "GeneralArn", # required
+    #     resource_arn: "TaggableResourceArn", # required
     #     next_token: "Token",
     #   })
     #
@@ -1658,6 +1846,44 @@ module Aws::SSOAdmin
       req.send_request(options)
     end
 
+    # Attaches an Amazon Web Services managed or customer managed IAM policy
+    # to the specified PermissionSet as a permissions boundary.
+    #
+    # @option params [required, String] :instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #
+    # @option params [required, String] :permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #
+    # @option params [required, Types::PermissionsBoundary] :permissions_boundary
+    #   The permissions boundary that you want to attach to a `PermissionSet`.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.put_permissions_boundary_to_permission_set({
+    #     instance_arn: "InstanceArn", # required
+    #     permission_set_arn: "PermissionSetArn", # required
+    #     permissions_boundary: { # required
+    #       customer_managed_policy_reference: {
+    #         name: "ManagedPolicyName", # required
+    #         path: "ManagedPolicyPath",
+    #       },
+    #       managed_policy_arn: "ManagedPolicyArn",
+    #     },
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/PutPermissionsBoundaryToPermissionSet AWS API Documentation
+    #
+    # @overload put_permissions_boundary_to_permission_set(params = {})
+    # @param [Hash] params ({})
+    def put_permissions_boundary_to_permission_set(params = {}, options = {})
+      req = build_request(:put_permissions_boundary_to_permission_set, params)
+      req.send_request(options)
+    end
+
     # Associates a set of tags with a specified resource.
     #
     # @option params [required, String] :instance_arn
@@ -1679,11 +1905,11 @@ module Aws::SSOAdmin
     #
     #   resp = client.tag_resource({
     #     instance_arn: "InstanceArn", # required
-    #     resource_arn: "GeneralArn", # required
+    #     resource_arn: "TaggableResourceArn", # required
     #     tags: [ # required
     #       {
-    #         key: "TagKey",
-    #         value: "TagValue",
+    #         key: "TagKey", # required
+    #         value: "TagValue", # required
     #       },
     #     ],
     #   })
@@ -1718,7 +1944,7 @@ module Aws::SSOAdmin
     #
     #   resp = client.untag_resource({
     #     instance_arn: "InstanceArn", # required
-    #     resource_arn: "GeneralArn", # required
+    #     resource_arn: "TaggableResourceArn", # required
     #     tag_keys: ["TagKey"], # required
     #   })
     #
@@ -1834,7 +2060,7 @@ module Aws::SSOAdmin
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-ssoadmin'
-      context[:gem_version] = '1.16.0'
+      context[:gem_version] = '1.17.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-ssoadmin/client_api.rb

@@ -28,6 +28,8 @@ module Aws::SSOAdmin
     AccountAssignmentOperationStatusMetadata = Shapes::StructureShape.new(name: 'AccountAssignmentOperationStatusMetadata')
     AccountId = Shapes::StringShape.new(name: 'AccountId')
     AccountList = Shapes::ListShape.new(name: 'AccountList')
+    AttachCustomerManagedPolicyReferenceToPermissionSetRequest = Shapes::StructureShape.new(name: 'AttachCustomerManagedPolicyReferenceToPermissionSetRequest')
+    AttachCustomerManagedPolicyReferenceToPermissionSetResponse = Shapes::StructureShape.new(name: 'AttachCustomerManagedPolicyReferenceToPermissionSetResponse')
     AttachManagedPolicyToPermissionSetRequest = Shapes::StructureShape.new(name: 'AttachManagedPolicyToPermissionSetRequest')
     AttachManagedPolicyToPermissionSetResponse = Shapes::StructureShape.new(name: 'AttachManagedPolicyToPermissionSetResponse')
     AttachedManagedPolicy = Shapes::StructureShape.new(name: 'AttachedManagedPolicy')
@@ -40,6 +42,8 @@ module Aws::SSOAdmin
     CreateInstanceAccessControlAttributeConfigurationResponse = Shapes::StructureShape.new(name: 'CreateInstanceAccessControlAttributeConfigurationResponse')
     CreatePermissionSetRequest = Shapes::StructureShape.new(name: 'CreatePermissionSetRequest')
     CreatePermissionSetResponse = Shapes::StructureShape.new(name: 'CreatePermissionSetResponse')
+    CustomerManagedPolicyReference = Shapes::StructureShape.new(name: 'CustomerManagedPolicyReference')
+    CustomerManagedPolicyReferenceList = Shapes::ListShape.new(name: 'CustomerManagedPolicyReferenceList')
     Date = Shapes::TimestampShape.new(name: 'Date')
     DeleteAccountAssignmentRequest = Shapes::StructureShape.new(name: 'DeleteAccountAssignmentRequest')
     DeleteAccountAssignmentResponse = Shapes::StructureShape.new(name: 'DeleteAccountAssignmentResponse')
@@ -49,6 +53,8 @@ module Aws::SSOAdmin
     DeleteInstanceAccessControlAttributeConfigurationResponse = Shapes::StructureShape.new(name: 'DeleteInstanceAccessControlAttributeConfigurationResponse')
     DeletePermissionSetRequest = Shapes::StructureShape.new(name: 'DeletePermissionSetRequest')
     DeletePermissionSetResponse = Shapes::StructureShape.new(name: 'DeletePermissionSetResponse')
+    DeletePermissionsBoundaryFromPermissionSetRequest = Shapes::StructureShape.new(name: 'DeletePermissionsBoundaryFromPermissionSetRequest')
+    DeletePermissionsBoundaryFromPermissionSetResponse = Shapes::StructureShape.new(name: 'DeletePermissionsBoundaryFromPermissionSetResponse')
     DescribeAccountAssignmentCreationStatusRequest = Shapes::StructureShape.new(name: 'DescribeAccountAssignmentCreationStatusRequest')
     DescribeAccountAssignmentCreationStatusResponse = Shapes::StructureShape.new(name: 'DescribeAccountAssignmentCreationStatusResponse')
     DescribeAccountAssignmentDeletionStatusRequest = Shapes::StructureShape.new(name: 'DescribeAccountAssignmentDeletionStatusRequest')
@@ -59,12 +65,15 @@ module Aws::SSOAdmin
     DescribePermissionSetProvisioningStatusResponse = Shapes::StructureShape.new(name: 'DescribePermissionSetProvisioningStatusResponse')
     DescribePermissionSetRequest = Shapes::StructureShape.new(name: 'DescribePermissionSetRequest')
     DescribePermissionSetResponse = Shapes::StructureShape.new(name: 'DescribePermissionSetResponse')
+    DetachCustomerManagedPolicyReferenceFromPermissionSetRequest = Shapes::StructureShape.new(name: 'DetachCustomerManagedPolicyReferenceFromPermissionSetRequest')
+    DetachCustomerManagedPolicyReferenceFromPermissionSetResponse = Shapes::StructureShape.new(name: 'DetachCustomerManagedPolicyReferenceFromPermissionSetResponse')
     DetachManagedPolicyFromPermissionSetRequest = Shapes::StructureShape.new(name: 'DetachManagedPolicyFromPermissionSetRequest')
     DetachManagedPolicyFromPermissionSetResponse = Shapes::StructureShape.new(name: 'DetachManagedPolicyFromPermissionSetResponse')
     Duration = Shapes::StringShape.new(name: 'Duration')
-    GeneralArn = Shapes::StringShape.new(name: 'GeneralArn')
     GetInlinePolicyForPermissionSetRequest = Shapes::StructureShape.new(name: 'GetInlinePolicyForPermissionSetRequest')
     GetInlinePolicyForPermissionSetResponse = Shapes::StructureShape.new(name: 'GetInlinePolicyForPermissionSetResponse')
+    GetPermissionsBoundaryForPermissionSetRequest = Shapes::StructureShape.new(name: 'GetPermissionsBoundaryForPermissionSetRequest')
+    GetPermissionsBoundaryForPermissionSetResponse = Shapes::StructureShape.new(name: 'GetPermissionsBoundaryForPermissionSetResponse')
     Id = Shapes::StringShape.new(name: 'Id')
     InstanceAccessControlAttributeConfiguration = Shapes::StructureShape.new(name: 'InstanceAccessControlAttributeConfiguration')
     InstanceAccessControlAttributeConfigurationStatus = Shapes::StringShape.new(name: 'InstanceAccessControlAttributeConfigurationStatus')
@@ -82,6 +91,8 @@ module Aws::SSOAdmin
     ListAccountAssignmentsResponse = Shapes::StructureShape.new(name: 'ListAccountAssignmentsResponse')
     ListAccountsForProvisionedPermissionSetRequest = Shapes::StructureShape.new(name: 'ListAccountsForProvisionedPermissionSetRequest')
     ListAccountsForProvisionedPermissionSetResponse = Shapes::StructureShape.new(name: 'ListAccountsForProvisionedPermissionSetResponse')
+    ListCustomerManagedPolicyReferencesInPermissionSetRequest = Shapes::StructureShape.new(name: 'ListCustomerManagedPolicyReferencesInPermissionSetRequest')
+    ListCustomerManagedPolicyReferencesInPermissionSetResponse = Shapes::StructureShape.new(name: 'ListCustomerManagedPolicyReferencesInPermissionSetResponse')
     ListInstancesRequest = Shapes::StructureShape.new(name: 'ListInstancesRequest')
     ListInstancesResponse = Shapes::StructureShape.new(name: 'ListInstancesResponse')
     ListManagedPoliciesInPermissionSetRequest = Shapes::StructureShape.new(name: 'ListManagedPoliciesInPermissionSetRequest')
@@ -95,6 +106,8 @@ module Aws::SSOAdmin
     ListTagsForResourceRequest = Shapes::StructureShape.new(name: 'ListTagsForResourceRequest')
     ListTagsForResourceResponse = Shapes::StructureShape.new(name: 'ListTagsForResourceResponse')
     ManagedPolicyArn = Shapes::StringShape.new(name: 'ManagedPolicyArn')
+    ManagedPolicyName = Shapes::StringShape.new(name: 'ManagedPolicyName')
+    ManagedPolicyPath = Shapes::StringShape.new(name: 'ManagedPolicyPath')
     MaxResults = Shapes::IntegerShape.new(name: 'MaxResults')
     Name = Shapes::StringShape.new(name: 'Name')
     OperationStatusFilter = Shapes::StructureShape.new(name: 'OperationStatusFilter')
@@ -107,6 +120,7 @@ module Aws::SSOAdmin
     PermissionSetProvisioningStatus = Shapes::StructureShape.new(name: 'PermissionSetProvisioningStatus')
     PermissionSetProvisioningStatusList = Shapes::ListShape.new(name: 'PermissionSetProvisioningStatusList')
     PermissionSetProvisioningStatusMetadata = Shapes::StructureShape.new(name: 'PermissionSetProvisioningStatusMetadata')
+    PermissionsBoundary = Shapes::StructureShape.new(name: 'PermissionsBoundary')
     PrincipalId = Shapes::StringShape.new(name: 'PrincipalId')
     PrincipalType = Shapes::StringShape.new(name: 'PrincipalType')
     ProvisionPermissionSetRequest = Shapes::StructureShape.new(name: 'ProvisionPermissionSetRequest')
@@ -115,6 +129,8 @@ module Aws::SSOAdmin
     ProvisioningStatus = Shapes::StringShape.new(name: 'ProvisioningStatus')
     PutInlinePolicyToPermissionSetRequest = Shapes::StructureShape.new(name: 'PutInlinePolicyToPermissionSetRequest')
     PutInlinePolicyToPermissionSetResponse = Shapes::StructureShape.new(name: 'PutInlinePolicyToPermissionSetResponse')
+    PutPermissionsBoundaryToPermissionSetRequest = Shapes::StructureShape.new(name: 'PutPermissionsBoundaryToPermissionSetRequest')
+    PutPermissionsBoundaryToPermissionSetResponse = Shapes::StructureShape.new(name: 'PutPermissionsBoundaryToPermissionSetResponse')
     Reason = Shapes::StringShape.new(name: 'Reason')
     RelayState = Shapes::StringShape.new(name: 'RelayState')
     ResourceNotFoundException = Shapes::StructureShape.new(name: 'ResourceNotFoundException')
@@ -129,6 +145,7 @@ module Aws::SSOAdmin
     TagResourceRequest = Shapes::StructureShape.new(name: 'TagResourceRequest')
     TagResourceResponse = Shapes::StructureShape.new(name: 'TagResourceResponse')
     TagValue = Shapes::StringShape.new(name: 'TagValue')
+    TaggableResourceArn = Shapes::StringShape.new(name: 'TaggableResourceArn')
     TargetId = Shapes::StringShape.new(name: 'TargetId')
     TargetType = Shapes::StringShape.new(name: 'TargetType')
     ThrottlingException = Shapes::StructureShape.new(name: 'ThrottlingException')
@@ -186,6 +203,13 @@ module Aws::SSOAdmin
 
     AccountList.member = Shapes::ShapeRef.new(shape: AccountId)
 
+    AttachCustomerManagedPolicyReferenceToPermissionSetRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
+    AttachCustomerManagedPolicyReferenceToPermissionSetRequest.add_member(:permission_set_arn, Shapes::ShapeRef.new(shape: PermissionSetArn, required: true, location_name: "PermissionSetArn"))
+    AttachCustomerManagedPolicyReferenceToPermissionSetRequest.add_member(:customer_managed_policy_reference, Shapes::ShapeRef.new(shape: CustomerManagedPolicyReference, required: true, location_name: "CustomerManagedPolicyReference"))
+    AttachCustomerManagedPolicyReferenceToPermissionSetRequest.struct_class = Types::AttachCustomerManagedPolicyReferenceToPermissionSetRequest
+
+    AttachCustomerManagedPolicyReferenceToPermissionSetResponse.struct_class = Types::AttachCustomerManagedPolicyReferenceToPermissionSetResponse
+
     AttachManagedPolicyToPermissionSetRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
     AttachManagedPolicyToPermissionSetRequest.add_member(:permission_set_arn, Shapes::ShapeRef.new(shape: PermissionSetArn, required: true, location_name: "PermissionSetArn"))
     AttachManagedPolicyToPermissionSetRequest.add_member(:managed_policy_arn, Shapes::ShapeRef.new(shape: ManagedPolicyArn, required: true, location_name: "ManagedPolicyArn"))
@@ -230,6 +254,12 @@ module Aws::SSOAdmin
     CreatePermissionSetResponse.add_member(:permission_set, Shapes::ShapeRef.new(shape: PermissionSet, location_name: "PermissionSet"))
     CreatePermissionSetResponse.struct_class = Types::CreatePermissionSetResponse
 
+    CustomerManagedPolicyReference.add_member(:name, Shapes::ShapeRef.new(shape: ManagedPolicyName, required: true, location_name: "Name"))
+    CustomerManagedPolicyReference.add_member(:path, Shapes::ShapeRef.new(shape: ManagedPolicyPath, location_name: "Path"))
+    CustomerManagedPolicyReference.struct_class = Types::CustomerManagedPolicyReference
+
+    CustomerManagedPolicyReferenceList.member = Shapes::ShapeRef.new(shape: CustomerManagedPolicyReference)
+
     DeleteAccountAssignmentRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
     DeleteAccountAssignmentRequest.add_member(:target_id, Shapes::ShapeRef.new(shape: TargetId, required: true, location_name: "TargetId"))
     DeleteAccountAssignmentRequest.add_member(:target_type, Shapes::ShapeRef.new(shape: TargetType, required: true, location_name: "TargetType"))
@@ -258,6 +288,12 @@ module Aws::SSOAdmin
 
     DeletePermissionSetResponse.struct_class = Types::DeletePermissionSetResponse
 
+    DeletePermissionsBoundaryFromPermissionSetRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
+    DeletePermissionsBoundaryFromPermissionSetRequest.add_member(:permission_set_arn, Shapes::ShapeRef.new(shape: PermissionSetArn, required: true, location_name: "PermissionSetArn"))
+    DeletePermissionsBoundaryFromPermissionSetRequest.struct_class = Types::DeletePermissionsBoundaryFromPermissionSetRequest
+
+    DeletePermissionsBoundaryFromPermissionSetResponse.struct_class = Types::DeletePermissionsBoundaryFromPermissionSetResponse
+
     DescribeAccountAssignmentCreationStatusRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
     DescribeAccountAssignmentCreationStatusRequest.add_member(:account_assignment_creation_request_id, Shapes::ShapeRef.new(shape: UUId, required: true, location_name: "AccountAssignmentCreationRequestId"))
     DescribeAccountAssignmentCreationStatusRequest.struct_class = Types::DescribeAccountAssignmentCreationStatusRequest
@@ -294,6 +330,13 @@ module Aws::SSOAdmin
     DescribePermissionSetResponse.add_member(:permission_set, Shapes::ShapeRef.new(shape: PermissionSet, location_name: "PermissionSet"))
     DescribePermissionSetResponse.struct_class = Types::DescribePermissionSetResponse
 
+    DetachCustomerManagedPolicyReferenceFromPermissionSetRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
+    DetachCustomerManagedPolicyReferenceFromPermissionSetRequest.add_member(:permission_set_arn, Shapes::ShapeRef.new(shape: PermissionSetArn, required: true, location_name: "PermissionSetArn"))
+    DetachCustomerManagedPolicyReferenceFromPermissionSetRequest.add_member(:customer_managed_policy_reference, Shapes::ShapeRef.new(shape: CustomerManagedPolicyReference, required: true, location_name: "CustomerManagedPolicyReference"))
+    DetachCustomerManagedPolicyReferenceFromPermissionSetRequest.struct_class = Types::DetachCustomerManagedPolicyReferenceFromPermissionSetRequest
+
+    DetachCustomerManagedPolicyReferenceFromPermissionSetResponse.struct_class = Types::DetachCustomerManagedPolicyReferenceFromPermissionSetResponse
+
     DetachManagedPolicyFromPermissionSetRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
     DetachManagedPolicyFromPermissionSetRequest.add_member(:permission_set_arn, Shapes::ShapeRef.new(shape: PermissionSetArn, required: true, location_name: "PermissionSetArn"))
     DetachManagedPolicyFromPermissionSetRequest.add_member(:managed_policy_arn, Shapes::ShapeRef.new(shape: ManagedPolicyArn, required: true, location_name: "ManagedPolicyArn"))
@@ -308,6 +351,13 @@ module Aws::SSOAdmin
     GetInlinePolicyForPermissionSetResponse.add_member(:inline_policy, Shapes::ShapeRef.new(shape: PermissionSetPolicyDocument, location_name: "InlinePolicy"))
     GetInlinePolicyForPermissionSetResponse.struct_class = Types::GetInlinePolicyForPermissionSetResponse
 
+    GetPermissionsBoundaryForPermissionSetRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
+    GetPermissionsBoundaryForPermissionSetRequest.add_member(:permission_set_arn, Shapes::ShapeRef.new(shape: PermissionSetArn, required: true, location_name: "PermissionSetArn"))
+    GetPermissionsBoundaryForPermissionSetRequest.struct_class = Types::GetPermissionsBoundaryForPermissionSetRequest
+
+    GetPermissionsBoundaryForPermissionSetResponse.add_member(:permissions_boundary, Shapes::ShapeRef.new(shape: PermissionsBoundary, location_name: "PermissionsBoundary"))
+    GetPermissionsBoundaryForPermissionSetResponse.struct_class = Types::GetPermissionsBoundaryForPermissionSetResponse
+
     InstanceAccessControlAttributeConfiguration.add_member(:access_control_attributes, Shapes::ShapeRef.new(shape: AccessControlAttributeList, required: true, location_name: "AccessControlAttributes"))
     InstanceAccessControlAttributeConfiguration.struct_class = Types::InstanceAccessControlAttributeConfiguration
 
@@ -362,6 +412,16 @@ module Aws::SSOAdmin
     ListAccountsForProvisionedPermissionSetResponse.add_member(:next_token, Shapes::ShapeRef.new(shape: Token, location_name: "NextToken"))
     ListAccountsForProvisionedPermissionSetResponse.struct_class = Types::ListAccountsForProvisionedPermissionSetResponse
 
+    ListCustomerManagedPolicyReferencesInPermissionSetRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
+    ListCustomerManagedPolicyReferencesInPermissionSetRequest.add_member(:permission_set_arn, Shapes::ShapeRef.new(shape: PermissionSetArn, required: true, location_name: "PermissionSetArn"))
+    ListCustomerManagedPolicyReferencesInPermissionSetRequest.add_member(:max_results, Shapes::ShapeRef.new(shape: MaxResults, location_name: "MaxResults"))
+    ListCustomerManagedPolicyReferencesInPermissionSetRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: Token, location_name: "NextToken"))
+    ListCustomerManagedPolicyReferencesInPermissionSetRequest.struct_class = Types::ListCustomerManagedPolicyReferencesInPermissionSetRequest
+
+    ListCustomerManagedPolicyReferencesInPermissionSetResponse.add_member(:customer_managed_policy_references, Shapes::ShapeRef.new(shape: CustomerManagedPolicyReferenceList, location_name: "CustomerManagedPolicyReferences"))
+    ListCustomerManagedPolicyReferencesInPermissionSetResponse.add_member(:next_token, Shapes::ShapeRef.new(shape: Token, location_name: "NextToken"))
+    ListCustomerManagedPolicyReferencesInPermissionSetResponse.struct_class = Types::ListCustomerManagedPolicyReferencesInPermissionSetResponse
+
     ListInstancesRequest.add_member(:max_results, Shapes::ShapeRef.new(shape: MaxResults, location_name: "MaxResults"))
     ListInstancesRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: Token, location_name: "NextToken"))
     ListInstancesRequest.struct_class = Types::ListInstancesRequest
@@ -411,7 +471,7 @@ module Aws::SSOAdmin
     ListPermissionSetsResponse.struct_class = Types::ListPermissionSetsResponse
 
     ListTagsForResourceRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
-    ListTagsForResourceRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: GeneralArn, required: true, location_name: "ResourceArn"))
+    ListTagsForResourceRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: TaggableResourceArn, required: true, location_name: "ResourceArn"))
     ListTagsForResourceRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: Token, location_name: "NextToken"))
     ListTagsForResourceRequest.struct_class = Types::ListTagsForResourceRequest
 
@@ -447,6 +507,10 @@ module Aws::SSOAdmin
     PermissionSetProvisioningStatusMetadata.add_member(:created_date, Shapes::ShapeRef.new(shape: Date, location_name: "CreatedDate"))
     PermissionSetProvisioningStatusMetadata.struct_class = Types::PermissionSetProvisioningStatusMetadata
 
+    PermissionsBoundary.add_member(:customer_managed_policy_reference, Shapes::ShapeRef.new(shape: CustomerManagedPolicyReference, location_name: "CustomerManagedPolicyReference"))
+    PermissionsBoundary.add_member(:managed_policy_arn, Shapes::ShapeRef.new(shape: ManagedPolicyArn, location_name: "ManagedPolicyArn"))
+    PermissionsBoundary.struct_class = Types::PermissionsBoundary
+
     ProvisionPermissionSetRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
     ProvisionPermissionSetRequest.add_member(:permission_set_arn, Shapes::ShapeRef.new(shape: PermissionSetArn, required: true, location_name: "PermissionSetArn"))
     ProvisionPermissionSetRequest.add_member(:target_id, Shapes::ShapeRef.new(shape: TargetId, location_name: "TargetId"))
@@ -463,14 +527,21 @@ module Aws::SSOAdmin
 
     PutInlinePolicyToPermissionSetResponse.struct_class = Types::PutInlinePolicyToPermissionSetResponse
 
+    PutPermissionsBoundaryToPermissionSetRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
+    PutPermissionsBoundaryToPermissionSetRequest.add_member(:permission_set_arn, Shapes::ShapeRef.new(shape: PermissionSetArn, required: true, location_name: "PermissionSetArn"))
+    PutPermissionsBoundaryToPermissionSetRequest.add_member(:permissions_boundary, Shapes::ShapeRef.new(shape: PermissionsBoundary, required: true, location_name: "PermissionsBoundary"))
+    PutPermissionsBoundaryToPermissionSetRequest.struct_class = Types::PutPermissionsBoundaryToPermissionSetRequest
+
+    PutPermissionsBoundaryToPermissionSetResponse.struct_class = Types::PutPermissionsBoundaryToPermissionSetResponse
+
     ResourceNotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: ResourceNotFoundMessage, location_name: "Message"))
     ResourceNotFoundException.struct_class = Types::ResourceNotFoundException
 
     ServiceQuotaExceededException.add_member(:message, Shapes::ShapeRef.new(shape: ServiceQuotaExceededMessage, location_name: "Message"))
     ServiceQuotaExceededException.struct_class = Types::ServiceQuotaExceededException
 
-    Tag.add_member(:key, Shapes::ShapeRef.new(shape: TagKey, location_name: "Key"))
-    Tag.add_member(:value, Shapes::ShapeRef.new(shape: TagValue, location_name: "Value"))
+    Tag.add_member(:key, Shapes::ShapeRef.new(shape: TagKey, required: true, location_name: "Key"))
+    Tag.add_member(:value, Shapes::ShapeRef.new(shape: TagValue, required: true, location_name: "Value"))
     Tag.struct_class = Types::Tag
 
     TagKeyList.member = Shapes::ShapeRef.new(shape: TagKey)
@@ -478,7 +549,7 @@ module Aws::SSOAdmin
     TagList.member = Shapes::ShapeRef.new(shape: Tag)
 
     TagResourceRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
-    TagResourceRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: GeneralArn, required: true, location_name: "ResourceArn"))
+    TagResourceRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: TaggableResourceArn, required: true, location_name: "ResourceArn"))
     TagResourceRequest.add_member(:tags, Shapes::ShapeRef.new(shape: TagList, required: true, location_name: "Tags"))
     TagResourceRequest.struct_class = Types::TagResourceRequest
 
@@ -488,7 +559,7 @@ module Aws::SSOAdmin
     ThrottlingException.struct_class = Types::ThrottlingException
 
     UntagResourceRequest.add_member(:instance_arn, Shapes::ShapeRef.new(shape: InstanceArn, required: true, location_name: "InstanceArn"))
-    UntagResourceRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: GeneralArn, required: true, location_name: "ResourceArn"))
+    UntagResourceRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: TaggableResourceArn, required: true, location_name: "ResourceArn"))
     UntagResourceRequest.add_member(:tag_keys, Shapes::ShapeRef.new(shape: TagKeyList, required: true, location_name: "TagKeys"))
     UntagResourceRequest.struct_class = Types::UntagResourceRequest
 
@@ -532,6 +603,21 @@ module Aws::SSOAdmin
         "uid" => "sso-admin-2020-07-20",
       }
 
+      api.add_operation(:attach_customer_managed_policy_reference_to_permission_set, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "AttachCustomerManagedPolicyReferenceToPermissionSet"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: AttachCustomerManagedPolicyReferenceToPermissionSetRequest)
+        o.output = Shapes::ShapeRef.new(shape: AttachCustomerManagedPolicyReferenceToPermissionSetResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+        o.errors << Shapes::ShapeRef.new(shape: ServiceQuotaExceededException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: ConflictException)
+      end)
+
       api.add_operation(:attach_managed_policy_to_permission_set, Seahorse::Model::Operation.new.tap do |o|
         o.name = "AttachManagedPolicyToPermissionSet"
         o.http_method = "POST"
@@ -647,6 +733,19 @@ module Aws::SSOAdmin
         o.errors << Shapes::ShapeRef.new(shape: ConflictException)
       end)
 
+      api.add_operation(:delete_permissions_boundary_from_permission_set, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "DeletePermissionsBoundaryFromPermissionSet"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: DeletePermissionsBoundaryFromPermissionSetRequest)
+        o.output = Shapes::ShapeRef.new(shape: DeletePermissionsBoundaryFromPermissionSetResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+      end)
+
       api.add_operation(:describe_account_assignment_creation_status, Seahorse::Model::Operation.new.tap do |o|
         o.name = "DescribeAccountAssignmentCreationStatus"
         o.http_method = "POST"
@@ -712,6 +811,20 @@ module Aws::SSOAdmin
         o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
       end)
 
+      api.add_operation(:detach_customer_managed_policy_reference_from_permission_set, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "DetachCustomerManagedPolicyReferenceFromPermissionSet"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: DetachCustomerManagedPolicyReferenceFromPermissionSetRequest)
+        o.output = Shapes::ShapeRef.new(shape: DetachCustomerManagedPolicyReferenceFromPermissionSetResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: ConflictException)
+      end)
+
       api.add_operation(:detach_managed_policy_from_permission_set, Seahorse::Model::Operation.new.tap do |o|
         o.name = "DetachManagedPolicyFromPermissionSet"
         o.http_method = "POST"
@@ -739,6 +852,19 @@ module Aws::SSOAdmin
         o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
       end)
 
+      api.add_operation(:get_permissions_boundary_for_permission_set, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GetPermissionsBoundaryForPermissionSet"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GetPermissionsBoundaryForPermissionSetRequest)
+        o.output = Shapes::ShapeRef.new(shape: GetPermissionsBoundaryForPermissionSetResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+      end)
+
       api.add_operation(:list_account_assignment_creation_status, Seahorse::Model::Operation.new.tap do |o|
         o.name = "ListAccountAssignmentCreationStatus"
         o.http_method = "POST"
@@ -815,6 +941,25 @@ module Aws::SSOAdmin
         )
       end)
 
+      api.add_operation(:list_customer_managed_policy_references_in_permission_set, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "ListCustomerManagedPolicyReferencesInPermissionSet"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: ListCustomerManagedPolicyReferencesInPermissionSetRequest)
+        o.output = Shapes::ShapeRef.new(shape: ListCustomerManagedPolicyReferencesInPermissionSetResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+        o[:pager] = Aws::Pager.new(
+          limit_key: "max_results",
+          tokens: {
+            "next_token" => "next_token"
+          }
+        )
+      end)
+
       api.add_operation(:list_instances, Seahorse::Model::Operation.new.tap do |o|
         o.name = "ListInstances"
         o.http_method = "POST"
@@ -956,6 +1101,20 @@ module Aws::SSOAdmin
         o.errors << Shapes::ShapeRef.new(shape: ConflictException)
       end)
 
+      api.add_operation(:put_permissions_boundary_to_permission_set, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "PutPermissionsBoundaryToPermissionSet"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: PutPermissionsBoundaryToPermissionSetRequest)
+        o.output = Shapes::ShapeRef.new(shape: PutPermissionsBoundaryToPermissionSetResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+        o.errors << Shapes::ShapeRef.new(shape: ConflictException)
+      end)
+
       api.add_operation(:tag_resource, Seahorse::Model::Operation.new.tap do |o|
         o.name = "TagResource"
         o.http_method = "POST"

data/lib/aws-sdk-ssoadmin/types.rb

@@ -49,7 +49,12 @@ module Aws::SSOAdmin
     end
 
     # The value used for mapping a specified attribute to an identity
-    # source.
+    # source. For more information, see [Attribute mappings][1] in the
+    # Amazon Web Services Single Sign-On User Guide.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html
     #
     # @note When making an API call, you may pass AccessControlAttributeValue
     #   data as a hash:
@@ -218,6 +223,48 @@ module Aws::SSOAdmin
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass AttachCustomerManagedPolicyReferenceToPermissionSetRequest
+    #   data as a hash:
+    #
+    #       {
+    #         instance_arn: "InstanceArn", # required
+    #         permission_set_arn: "PermissionSetArn", # required
+    #         customer_managed_policy_reference: { # required
+    #           name: "ManagedPolicyName", # required
+    #           path: "ManagedPolicyPath",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #   @return [String]
+    #
+    # @!attribute [rw] permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #   @return [String]
+    #
+    # @!attribute [rw] customer_managed_policy_reference
+    #   Specifies the name and path of the IAM customer managed policy. You
+    #   must have an IAM policy that matches the name and path in each
+    #   Amazon Web Services account where you want to deploy your permission
+    #   set.
+    #   @return [Types::CustomerManagedPolicyReference]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/AttachCustomerManagedPolicyReferenceToPermissionSetRequest AWS API Documentation
+    #
+    class AttachCustomerManagedPolicyReferenceToPermissionSetRequest < Struct.new(
+      :instance_arn,
+      :permission_set_arn,
+      :customer_managed_policy_reference)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/AttachCustomerManagedPolicyReferenceToPermissionSetResponse AWS API Documentation
+    #
+    class AttachCustomerManagedPolicyReferenceToPermissionSetResponse < Aws::EmptyStructure; end
+
     # @note When making an API call, you may pass AttachManagedPolicyToPermissionSetRequest
     #   data as a hash:
     #
@@ -241,7 +288,8 @@ module Aws::SSOAdmin
     #   @return [String]
     #
     # @!attribute [rw] managed_policy_arn
-    #   The IAM managed policy ARN to be attached to a permission set.
+    #   The Amazon Web Services managed policy ARN to be attached to a
+    #   permission set.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/AttachManagedPolicyToPermissionSetRequest AWS API Documentation
@@ -258,15 +306,17 @@ module Aws::SSOAdmin
     #
     class AttachManagedPolicyToPermissionSetResponse < Aws::EmptyStructure; end
 
-    # A structure that stores the details of the IAM managed policy.
+    # A structure that stores the details of the Amazon Web Services managed
+    # IAM policy.
     #
     # @!attribute [rw] name
-    #   The name of the IAM managed policy.
+    #   The name of the Amazon Web Services managed IAM policy.
     #   @return [String]
     #
     # @!attribute [rw] arn
-    #   The ARN of the IAM managed policy. For more information about ARNs,
-    #   see [Amazon Resource Names (ARNs) and Amazon Web Services Service
+    #   The ARN of the Amazon Web Services managed IAM policy. For more
+    #   information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
+    #   Web Services Service
     #   Namespaces](/general/latest/gr/aws-arns-and-namespaces.html) in the
     #   *Amazon Web Services General Reference*.
     #   @return [String]
@@ -426,8 +476,8 @@ module Aws::SSOAdmin
     #         relay_state: "RelayState",
     #         tags: [
     #           {
-    #             key: "TagKey",
-    #             value: "TagValue",
+    #             key: "TagKey", # required
+    #             value: "TagValue", # required
     #           },
     #         ],
     #       }
@@ -487,6 +537,41 @@ module Aws::SSOAdmin
       include Aws::Structure
     end
 
+    # Specifies the name and path of the IAM customer managed policy. You
+    # must have an IAM policy that matches the name and path in each Amazon
+    # Web Services account where you want to deploy your permission set.
+    #
+    # @note When making an API call, you may pass CustomerManagedPolicyReference
+    #   data as a hash:
+    #
+    #       {
+    #         name: "ManagedPolicyName", # required
+    #         path: "ManagedPolicyPath",
+    #       }
+    #
+    # @!attribute [rw] name
+    #   The name of the policy document.
+    #   @return [String]
+    #
+    # @!attribute [rw] path
+    #   The path for the policy. The default is `/`. For more information,
+    #   see [Friendly names and paths][1] in the Identity and Access
+    #   Management user guide.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/CustomerManagedPolicyReference AWS API Documentation
+    #
+    class CustomerManagedPolicyReference < Struct.new(
+      :name,
+      :path)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass DeleteAccountAssignmentRequest
     #   data as a hash:
     #
@@ -648,6 +733,36 @@ module Aws::SSOAdmin
     #
     class DeletePermissionSetResponse < Aws::EmptyStructure; end
 
+    # @note When making an API call, you may pass DeletePermissionsBoundaryFromPermissionSetRequest
+    #   data as a hash:
+    #
+    #       {
+    #         instance_arn: "InstanceArn", # required
+    #         permission_set_arn: "PermissionSetArn", # required
+    #       }
+    #
+    # @!attribute [rw] instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #   @return [String]
+    #
+    # @!attribute [rw] permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/DeletePermissionsBoundaryFromPermissionSetRequest AWS API Documentation
+    #
+    class DeletePermissionsBoundaryFromPermissionSetRequest < Struct.new(
+      :instance_arn,
+      :permission_set_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/DeletePermissionsBoundaryFromPermissionSetResponse AWS API Documentation
+    #
+    class DeletePermissionsBoundaryFromPermissionSetResponse < Aws::EmptyStructure; end
+
     # @note When making an API call, you may pass DescribeAccountAssignmentCreationStatusRequest
     #   data as a hash:
     #
@@ -857,6 +972,48 @@ module Aws::SSOAdmin
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass DetachCustomerManagedPolicyReferenceFromPermissionSetRequest
+    #   data as a hash:
+    #
+    #       {
+    #         instance_arn: "InstanceArn", # required
+    #         permission_set_arn: "PermissionSetArn", # required
+    #         customer_managed_policy_reference: { # required
+    #           name: "ManagedPolicyName", # required
+    #           path: "ManagedPolicyPath",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #   @return [String]
+    #
+    # @!attribute [rw] permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #   @return [String]
+    #
+    # @!attribute [rw] customer_managed_policy_reference
+    #   Specifies the name and path of the IAM customer managed policy. You
+    #   must have an IAM policy that matches the name and path in each
+    #   Amazon Web Services account where you want to deploy your permission
+    #   set.
+    #   @return [Types::CustomerManagedPolicyReference]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/DetachCustomerManagedPolicyReferenceFromPermissionSetRequest AWS API Documentation
+    #
+    class DetachCustomerManagedPolicyReferenceFromPermissionSetRequest < Struct.new(
+      :instance_arn,
+      :permission_set_arn,
+      :customer_managed_policy_reference)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/DetachCustomerManagedPolicyReferenceFromPermissionSetResponse AWS API Documentation
+    #
+    class DetachCustomerManagedPolicyReferenceFromPermissionSetResponse < Aws::EmptyStructure; end
+
     # @note When making an API call, you may pass DetachManagedPolicyFromPermissionSetRequest
     #   data as a hash:
     #
@@ -880,7 +1037,8 @@ module Aws::SSOAdmin
     #   @return [String]
     #
     # @!attribute [rw] managed_policy_arn
-    #   The IAM managed policy ARN to be attached to a permission set.
+    #   The Amazon Web Services managed policy ARN to be detached from a
+    #   permission set.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/DetachManagedPolicyFromPermissionSetRequest AWS API Documentation
@@ -934,7 +1092,45 @@ module Aws::SSOAdmin
     #
     class GetInlinePolicyForPermissionSetResponse < Struct.new(
       :inline_policy)
-      SENSITIVE = [:inline_policy]
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetPermissionsBoundaryForPermissionSetRequest
+    #   data as a hash:
+    #
+    #       {
+    #         instance_arn: "InstanceArn", # required
+    #         permission_set_arn: "PermissionSetArn", # required
+    #       }
+    #
+    # @!attribute [rw] instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #   @return [String]
+    #
+    # @!attribute [rw] permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/GetPermissionsBoundaryForPermissionSetRequest AWS API Documentation
+    #
+    class GetPermissionsBoundaryForPermissionSetRequest < Struct.new(
+      :instance_arn,
+      :permission_set_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] permissions_boundary
+    #   The permissions boundary attached to the specified permission set.
+    #   @return [Types::PermissionsBoundary]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/GetPermissionsBoundaryForPermissionSetResponse AWS API Documentation
+    #
+    class GetPermissionsBoundaryForPermissionSetResponse < Struct.new(
+      :permissions_boundary)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1266,6 +1462,64 @@ module Aws::SSOAdmin
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass ListCustomerManagedPolicyReferencesInPermissionSetRequest
+    #   data as a hash:
+    #
+    #       {
+    #         instance_arn: "InstanceArn", # required
+    #         permission_set_arn: "PermissionSetArn", # required
+    #         max_results: 1,
+    #         next_token: "Token",
+    #       }
+    #
+    # @!attribute [rw] instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #   @return [String]
+    #
+    # @!attribute [rw] permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to display for the list call.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   The pagination token for the list API. Initially the value is null.
+    #   Use the output of previous API calls to make subsequent calls.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/ListCustomerManagedPolicyReferencesInPermissionSetRequest AWS API Documentation
+    #
+    class ListCustomerManagedPolicyReferencesInPermissionSetRequest < Struct.new(
+      :instance_arn,
+      :permission_set_arn,
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] customer_managed_policy_references
+    #   Specifies the names and paths of the IAM customer managed policies
+    #   that you have attached to your permission set.
+    #   @return [Array<Types::CustomerManagedPolicyReference>]
+    #
+    # @!attribute [rw] next_token
+    #   The pagination token for the list API. Initially the value is null.
+    #   Use the output of previous API calls to make subsequent calls.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/ListCustomerManagedPolicyReferencesInPermissionSetResponse AWS API Documentation
+    #
+    class ListCustomerManagedPolicyReferencesInPermissionSetResponse < Struct.new(
+      :customer_managed_policy_references,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass ListInstancesRequest
     #   data as a hash:
     #
@@ -1558,7 +1812,7 @@ module Aws::SSOAdmin
     #
     #       {
     #         instance_arn: "InstanceArn", # required
-    #         resource_arn: "GeneralArn", # required
+    #         resource_arn: "TaggableResourceArn", # required
     #         next_token: "Token",
     #       }
     #
@@ -1744,6 +1998,59 @@ module Aws::SSOAdmin
       include Aws::Structure
     end
 
+    # Specifies the configuration of the Amazon Web Services managed or
+    # customer managed policy that you want to set as a permissions
+    # boundary. Specify either `CustomerManagedPolicyReference` to use the
+    # name and path of a customer managed policy, or `ManagedPolicyArn` to
+    # use the ARN of an Amazon Web Services managed IAM policy. A
+    # permissions boundary represents the maximum permissions that any
+    # policy can grant your role. For more information, see [Permissions
+    # boundaries for IAM entities][1] in the *Identity and Access Management
+    # User Guide*.
+    #
+    # Policies used as permissions boundaries do not provide permissions.
+    # You must also attach an IAM policy to the role. To learn how the
+    # effective permissions for a role are evaluated, see [IAM JSON policy
+    # evaluation logic][2] in the *Identity and Access Management User
+    # Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
+    #
+    # @note When making an API call, you may pass PermissionsBoundary
+    #   data as a hash:
+    #
+    #       {
+    #         customer_managed_policy_reference: {
+    #           name: "ManagedPolicyName", # required
+    #           path: "ManagedPolicyPath",
+    #         },
+    #         managed_policy_arn: "ManagedPolicyArn",
+    #       }
+    #
+    # @!attribute [rw] customer_managed_policy_reference
+    #   Specifies the name and path of the IAM customer managed policy. You
+    #   must have an IAM policy that matches the name and path in each
+    #   Amazon Web Services account where you want to deploy your permission
+    #   set.
+    #   @return [Types::CustomerManagedPolicyReference]
+    #
+    # @!attribute [rw] managed_policy_arn
+    #   The Amazon Web Services managed policy ARN that you want to attach
+    #   to a permission set as a permissions boundary.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/PermissionsBoundary AWS API Documentation
+    #
+    class PermissionsBoundary < Struct.new(
+      :customer_managed_policy_reference,
+      :managed_policy_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass ProvisionPermissionSetRequest
     #   data as a hash:
     #
@@ -1829,7 +2136,7 @@ module Aws::SSOAdmin
       :instance_arn,
       :permission_set_arn,
       :inline_policy)
-      SENSITIVE = [:inline_policy]
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1837,6 +2144,49 @@ module Aws::SSOAdmin
     #
     class PutInlinePolicyToPermissionSetResponse < Aws::EmptyStructure; end
 
+    # @note When making an API call, you may pass PutPermissionsBoundaryToPermissionSetRequest
+    #   data as a hash:
+    #
+    #       {
+    #         instance_arn: "InstanceArn", # required
+    #         permission_set_arn: "PermissionSetArn", # required
+    #         permissions_boundary: { # required
+    #           customer_managed_policy_reference: {
+    #             name: "ManagedPolicyName", # required
+    #             path: "ManagedPolicyPath",
+    #           },
+    #           managed_policy_arn: "ManagedPolicyArn",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] instance_arn
+    #   The ARN of the SSO instance under which the operation will be
+    #   executed.
+    #   @return [String]
+    #
+    # @!attribute [rw] permission_set_arn
+    #   The ARN of the `PermissionSet`.
+    #   @return [String]
+    #
+    # @!attribute [rw] permissions_boundary
+    #   The permissions boundary that you want to attach to a
+    #   `PermissionSet`.
+    #   @return [Types::PermissionsBoundary]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/PutPermissionsBoundaryToPermissionSetRequest AWS API Documentation
+    #
+    class PutPermissionsBoundaryToPermissionSetRequest < Struct.new(
+      :instance_arn,
+      :permission_set_arn,
+      :permissions_boundary)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-admin-2020-07-20/PutPermissionsBoundaryToPermissionSetResponse AWS API Documentation
+    #
+    class PutPermissionsBoundaryToPermissionSetResponse < Aws::EmptyStructure; end
+
     # Indicates that a requested resource is not found.
     #
     # @!attribute [rw] message
@@ -1873,8 +2223,8 @@ module Aws::SSOAdmin
     #   data as a hash:
     #
     #       {
-    #         key: "TagKey",
-    #         value: "TagValue",
+    #         key: "TagKey", # required
+    #         value: "TagValue", # required
     #       }
     #
     # @!attribute [rw] key
@@ -1899,11 +2249,11 @@ module Aws::SSOAdmin
     #
     #       {
     #         instance_arn: "InstanceArn", # required
-    #         resource_arn: "GeneralArn", # required
+    #         resource_arn: "TaggableResourceArn", # required
     #         tags: [ # required
     #           {
-    #             key: "TagKey",
-    #             value: "TagValue",
+    #             key: "TagKey", # required
+    #             value: "TagValue", # required
     #           },
     #         ],
     #       }
@@ -1957,7 +2307,7 @@ module Aws::SSOAdmin
     #
     #       {
     #         instance_arn: "InstanceArn", # required
-    #         resource_arn: "GeneralArn", # required
+    #         resource_arn: "TaggableResourceArn", # required
     #         tag_keys: ["TagKey"], # required
     #       }
     #

data/lib/aws-sdk-ssoadmin.rb

@@ -28,7 +28,7 @@ require_relative 'aws-sdk-ssoadmin/customizations'
 # structure.
 #
 #     sso_admin = Aws::SSOAdmin::Client.new
-#     resp = sso_admin.attach_managed_policy_to_permission_set(params)
+#     resp = sso_admin.attach_customer_managed_policy_reference_to_permission_set(params)
 #
 # See {Client} for more information.
 #
@@ -48,6 +48,6 @@ require_relative 'aws-sdk-ssoadmin/customizations'
 # @!group service
 module Aws::SSOAdmin
 
-  GEM_VERSION = '1.16.0'
+  GEM_VERSION = '1.17.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-ssoadmin
 version: !ruby/object:Gem::Version
-  version: 1.16.0
+  version: 1.17.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-02-24 00:00:00.000000000 Z
+date: 2022-07-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core