npm - @aws-amplify/graphql-api-construct - Versions diffs - 1.18.2 → 1.18.3 - Mend

@aws-amplify/graphql-api-construct 1.18.2 → 1.18.3

Files changed (1807) hide show

package/node_modules/@aws-sdk/client-sts/dist-types/models/models_0.d.ts CHANGED Viewed

@@ -32,7 +32,7 @@ export interface PolicyDescriptorType {
      *             Service Namespaces</a> in the <i>Amazon Web Services General Reference</i>.</p>
      * @public
      */
-    arn?: string;
+    arn?: string | undefined;
 }
 /**
  * <p>Contains information about the provided context. This includes the signed and encrypted
@@ -45,13 +45,13 @@ export interface ProvidedContext {
      * <p>The context provider ARN from which the trusted context assertion was generated.</p>
      * @public
      */
-    ProviderArn?: string;
+    ProviderArn?: string | undefined;
     /**
      * <p>The signed and encrypted trusted context assertion generated by the context provider.
      *          The trusted context assertion is signed and encrypted by Amazon Web Services STS.</p>
      * @public
      */
-    ContextAssertion?: string;
+    ContextAssertion?: string | undefined;
 }
 /**
  * <p>You can pass custom key-value pair attributes when you assume a role or federate a user.
@@ -95,6 +95,11 @@ export interface AssumeRoleRequest {
      *          session name is also used in the ARN of the assumed role principal. This means that
      *          subsequent cross-account API requests that use the temporary security credentials will
      *          expose the role session name to the external account in their CloudTrail logs.</p>
+     *          <p>For security purposes, administrators can view this field in <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds">CloudTrail logs</a> to help identify who performed an action in Amazon Web Services. Your
+     *          administrator might require that you specify your user name as the session name when you
+     *          assume the role. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname">
+     *                <code>sts:RoleSessionName</code>
+     *             </a>.</p>
      *          <p>The regex used to validate this parameter is a string of characters
      *     consisting of upper- and lower-case alphanumeric characters with no spaces. You can
      *     also include underscores or any of the following characters: =,.@-</p>
@@ -125,7 +130,7 @@ export interface AssumeRoleRequest {
      *             Policies</a> in the <i>IAM User Guide</i>.</p>
      * @public
      */
-    PolicyArns?: PolicyDescriptorType[];
+    PolicyArns?: PolicyDescriptorType[] | undefined;
     /**
      * <p>An IAM policy in JSON format that you want to use as an inline session policy.</p>
      *          <p>This parameter is optional. Passing policies to this operation returns new
@@ -148,9 +153,11 @@ export interface AssumeRoleRequest {
      *                <code>PackedPolicySize</code> response element indicates by percentage how close the
      *             policies and tags for your request are to the upper size limit.</p>
      *          </note>
+     *          <p>For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+     *             policies</a>.</p>
      * @public
      */
-    Policy?: string;
+    Policy?: string | undefined;
     /**
      * <p>The duration, in seconds, of the role session. The value specified can range from 900
      *          seconds (15 minutes) up to the maximum session duration set for the role. The maximum
@@ -164,9 +171,7 @@ export interface AssumeRoleRequest {
      *          specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum
      *          session duration setting for your role. However, if you assume a role using role chaining
      *          and provide a <code>DurationSeconds</code> parameter value greater than one hour, the
-     *          operation fails. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
-     *             Maximum Session Duration Setting for a Role</a> in the
-     *             <i>IAM User Guide</i>.</p>
+     *          operation fails. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration">Update the maximum session duration for a role</a>.</p>
      *          <p>By default, the value is set to <code>3600</code> seconds. </p>
      *          <note>
      *             <p>The <code>DurationSeconds</code> parameter is separate from the duration of a console
@@ -179,7 +184,7 @@ export interface AssumeRoleRequest {
      *          </note>
      * @public
      */
-    DurationSeconds?: number;
+    DurationSeconds?: number | undefined;
     /**
      * <p>A list of session tags that you want to pass. Each session tag consists of a key name
      *          and an associated value. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Tagging Amazon Web Services STS
@@ -210,19 +215,19 @@ export interface AssumeRoleRequest {
      *          <i>IAM User Guide</i>.</p>
      * @public
      */
-    Tags?: Tag[];
+    Tags?: Tag[] | undefined;
     /**
      * <p>A list of keys for session tags that you want to set as transitive. If you set a tag key
      *          as transitive, the corresponding key and value passes to subsequent sessions in a role
      *          chain. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
      *             with Session Tags</a> in the <i>IAM User Guide</i>.</p>
-     *          <p>This parameter is optional. When you set session tags as transitive, the session policy
-     *          and session tags packed binary limit is not affected.</p>
+     *          <p>This parameter is optional. The transitive status of a session tag does not impact its
+     *          packed binary size.</p>
      *          <p>If you choose not to specify a transitive tag key, then no tags are passed from this
      *          session to any subsequent sessions.</p>
      * @public
      */
-    TransitiveTagKeys?: string[];
+    TransitiveTagKeys?: string[] | undefined;
     /**
      * <p>A unique identifier that might be required when you assume a role in another account. If
      *          the administrator of the account to which the role belongs provided you with an external
@@ -239,7 +244,7 @@ export interface AssumeRoleRequest {
      *     You can also include underscores or any of the following characters: =,.@:/-</p>
      * @public
      */
-    ExternalId?: string;
+    ExternalId?: string | undefined;
     /**
      * <p>The identification number of the MFA device that is associated with the user who is
      *          making the <code>AssumeRole</code> call. Specify this value if the trust policy of the role
@@ -252,7 +257,7 @@ export interface AssumeRoleRequest {
      *     also include underscores or any of the following characters: =,.@-</p>
      * @public
      */
-    SerialNumber?: string;
+    SerialNumber?: string | undefined;
     /**
      * <p>The value provided by the MFA device, if the trust policy of the role being assumed
      *          requires MFA. (In other words, if the policy includes a condition that tests for MFA). If
@@ -262,16 +267,18 @@ export interface AssumeRoleRequest {
      *          numeric digits.</p>
      * @public
      */
-    TokenCode?: string;
+    TokenCode?: string | undefined;
     /**
      * <p>The source identity specified by the principal that is calling the
-     *             <code>AssumeRole</code> operation.</p>
+     *             <code>AssumeRole</code> operation. The source identity value persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining">chained role</a> sessions.</p>
      *          <p>You can require users to specify a source identity when they assume a role. You do this
-     *          by using the <code>sts:SourceIdentity</code> condition key in a role trust policy. You can
-     *          use source identity information in CloudTrail logs to determine who took actions with a role.
-     *          You can use the <code>aws:SourceIdentity</code> condition key to further control access to
-     *          Amazon Web Services resources based on the value of source identity. For more information about using
-     *          source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
+     *          by using the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity">
+     *                <code>sts:SourceIdentity</code>
+     *             </a> condition key in a role trust policy. You
+     *          can use source identity information in CloudTrail logs to determine who took actions with a
+     *          role. You can use the <code>aws:SourceIdentity</code> condition key to further control
+     *          access to Amazon Web Services resources based on the value of source identity. For more information about
+     *          using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
      *             actions taken with assumed roles</a> in the
      *          <i>IAM User Guide</i>.</p>
      *          <p>The regex used to validate this parameter is a string of characters consisting of upper-
@@ -280,7 +287,7 @@ export interface AssumeRoleRequest {
      *             <code>aws:</code>. This prefix is reserved for Amazon Web Services internal use.</p>
      * @public
      */
-    SourceIdentity?: string;
+    SourceIdentity?: string | undefined;
     /**
      * <p>A list of previously acquired trusted context assertions in the format of a JSON array.
      *          The trusted context assertion is signed and encrypted by Amazon Web Services STS.</p>
@@ -292,7 +299,7 @@ export interface AssumeRoleRequest {
      *          </p>
      * @public
      */
-    ProvidedContexts?: ProvidedContext[];
+    ProvidedContexts?: ProvidedContext[] | undefined;
 }
 /**
  * <p>Amazon Web Services credentials for API authentication.</p>
@@ -336,7 +343,7 @@ export interface AssumeRoleResponse {
      *          </note>
      * @public
      */
-    Credentials?: Credentials;
+    Credentials?: Credentials | undefined;
     /**
      * <p>The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you
      *          can use to refer to the resulting temporary security credentials. For example, you can
@@ -345,14 +352,14 @@ export interface AssumeRoleResponse {
      *          when you called <code>AssumeRole</code>. </p>
      * @public
      */
-    AssumedRoleUser?: AssumedRoleUser;
+    AssumedRoleUser?: AssumedRoleUser | undefined;
     /**
      * <p>A percentage value that indicates the packed size of the session policies and session
      *       tags combined passed in the request. The request fails if the packed size is greater than 100 percent,
      *       which means the policies and tags exceeded the allowed space.</p>
      * @public
      */
-    PackedPolicySize?: number;
+    PackedPolicySize?: number | undefined;
     /**
      * <p>The source identity specified by the principal that is calling the
      *             <code>AssumeRole</code> operation.</p>
@@ -369,7 +376,7 @@ export interface AssumeRoleResponse {
      *          any of the following characters: =,.@-</p>
      * @public
      */
-    SourceIdentity?: string;
+    SourceIdentity?: string | undefined;
 }
 /**
  * <p>The web identity token that was passed is expired or is not valid. Get a new identity
@@ -405,8 +412,8 @@ export declare class MalformedPolicyDocumentException extends __BaseException {
  *             tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
  *             the <i>IAM User Guide</i>.</p>
  *          <p>You could receive this error even though you meet other defined session policy and
- *             session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity
- *                 Character Limits</a> in the <i>IAM User Guide</i>.</p>
+ *             session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
+ *                 Guide</i>.</p>
  * @public
  */
 export declare class PackedPolicyTooLargeException extends __BaseException {
@@ -419,10 +426,10 @@ export declare class PackedPolicyTooLargeException extends __BaseException {
 }
 /**
  * <p>STS is not activated in the requested region for the account that is being asked to
- *             generate credentials. The account administrator must use the IAM console to activate STS
- *             in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
- *                 Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                     Guide</i>.</p>
+ *             generate credentials. The account administrator must use the IAM console to activate
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
+ *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
+ *                 Guide</i>.</p>
  * @public
  */
 export declare class RegionDisabledException extends __BaseException {
@@ -479,7 +486,7 @@ export interface AssumeRoleWithSAMLRequest {
      *             Policies</a> in the <i>IAM User Guide</i>.</p>
      * @public
      */
-    PolicyArns?: PolicyDescriptorType[];
+    PolicyArns?: PolicyDescriptorType[] | undefined;
     /**
      * <p>An IAM policy in JSON format that you want to use as an inline session policy.</p>
      *          <p>This parameter is optional. Passing policies to this operation returns new
@@ -495,6 +502,8 @@ export interface AssumeRoleWithSAMLRequest {
      *          character to the end of the valid character list (\u0020 through \u00FF). It can also
      *          include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D)
      *          characters.</p>
+     *          <p>For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+     *             policies</a>.</p>
      *          <note>
      *             <p>An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
      *             and session tags into a packed binary format that has a separate limit. Your request can
@@ -504,7 +513,7 @@ export interface AssumeRoleWithSAMLRequest {
      *          </note>
      * @public
      */
-    Policy?: string;
+    Policy?: string | undefined;
     /**
      * <p>The duration, in seconds, of the role session. Your role session lasts for the duration
      *          that you specify for the <code>DurationSeconds</code> parameter, or until the time
@@ -529,7 +538,7 @@ export interface AssumeRoleWithSAMLRequest {
      *          </note>
      * @public
      */
-    DurationSeconds?: number;
+    DurationSeconds?: number | undefined;
 }
 /**
  * <p>Contains the response to a successful <a>AssumeRoleWithSAML</a> request,
@@ -546,26 +555,26 @@ export interface AssumeRoleWithSAMLResponse {
      *          </note>
      * @public
      */
-    Credentials?: Credentials;
+    Credentials?: Credentials | undefined;
     /**
      * <p>The identifiers for the temporary security credentials that the operation
      *          returns.</p>
      * @public
      */
-    AssumedRoleUser?: AssumedRoleUser;
+    AssumedRoleUser?: AssumedRoleUser | undefined;
     /**
      * <p>A percentage value that indicates the packed size of the session policies and session
      *       tags combined passed in the request. The request fails if the packed size is greater than 100 percent,
      *       which means the policies and tags exceeded the allowed space.</p>
      * @public
      */
-    PackedPolicySize?: number;
+    PackedPolicySize?: number | undefined;
     /**
      * <p>The value of the <code>NameID</code> element in the <code>Subject</code> element of the
      *          SAML assertion.</p>
      * @public
      */
-    Subject?: string;
+    Subject?: string | undefined;
     /**
      * <p> The format of the name ID, as defined by the <code>Format</code> attribute in the
      *             <code>NameID</code> element of the SAML assertion. Typical examples of the format are
@@ -577,18 +586,18 @@ export interface AssumeRoleWithSAMLResponse {
      *          with no modifications.</p>
      * @public
      */
-    SubjectType?: string;
+    SubjectType?: string | undefined;
     /**
      * <p>The value of the <code>Issuer</code> element of the SAML assertion.</p>
      * @public
      */
-    Issuer?: string;
+    Issuer?: string | undefined;
     /**
      * <p> The value of the <code>Recipient</code> attribute of the
      *             <code>SubjectConfirmationData</code> element of the SAML assertion. </p>
      * @public
      */
-    Audience?: string;
+    Audience?: string | undefined;
     /**
      * <p>A hash value based on the concatenation of the following:</p>
      *          <ul>
@@ -610,16 +619,18 @@ export interface AssumeRoleWithSAMLResponse {
      *          </p>
      * @public
      */
-    NameQualifier?: string;
+    NameQualifier?: string | undefined;
     /**
-     * <p>The value in the <code>SourceIdentity</code> attribute in the SAML assertion. </p>
+     * <p>The value in the <code>SourceIdentity</code> attribute in the SAML assertion. The source
+     *          identity value persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining">chained role</a>
+     *          sessions.</p>
      *          <p>You can require users to set a source identity value when they assume a role. You do
      *          this by using the <code>sts:SourceIdentity</code> condition key in a role trust policy.
      *          That way, actions that are taken with the role are associated with that user. After the
      *          source identity is set, the value cannot be changed. It is present in the request for all
-     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining">chained
-     *             role</a> sessions. You can configure your SAML identity provider to use an attribute
-     *          associated with your users, like user name or email, as the source identity when calling
+     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts">chained role</a>
+     *          sessions. You can configure your SAML identity provider to use an attribute associated with
+     *          your users, like user name or email, as the source identity when calling
      *             <code>AssumeRoleWithSAML</code>. You do this by adding an attribute to the SAML
      *          assertion. For more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
      *             actions taken with assumed roles</a> in the
@@ -629,7 +640,7 @@ export interface AssumeRoleWithSAMLResponse {
      *     also include underscores or any of the following characters: =,.@-</p>
      * @public
      */
-    SourceIdentity?: string;
+    SourceIdentity?: string | undefined;
 }
 /**
  * <p>The identity provider (IdP) reported that authentication failed. This might be because
@@ -665,6 +676,16 @@ export declare class InvalidIdentityTokenException extends __BaseException {
 export interface AssumeRoleWithWebIdentityRequest {
     /**
      * <p>The Amazon Resource Name (ARN) of the role that the caller is assuming.</p>
+     *          <note>
+     *             <p>Additional considerations apply to Amazon Cognito identity pools that assume <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html">cross-account IAM roles</a>. The trust policies of these roles must accept the
+     *                <code>cognito-identity.amazonaws.com</code> service principal and must contain the
+     *                <code>cognito-identity.amazonaws.com:aud</code> condition key to restrict role
+     *             assumption to users from your intended identity pools. A policy that trusts Amazon Cognito
+     *             identity pools without this condition creates a risk that a user from an unintended
+     *             identity pool can assume the role. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies"> Trust policies for
+     *                IAM roles in Basic (Classic) authentication </a> in the <i>Amazon Cognito
+     *                Developer Guide</i>.</p>
+     *          </note>
      * @public
      */
     RoleArn: string | undefined;
@@ -674,6 +695,11 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          security credentials that your application will use are associated with that user. This
      *          session name is included as part of the ARN and assumed role ID in the
      *             <code>AssumedRoleUser</code> response element.</p>
+     *          <p>For security purposes, administrators can view this field in <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds">CloudTrail logs</a> to help identify who performed an action in Amazon Web Services. Your
+     *          administrator might require that you specify your user name as the session name when you
+     *          assume the role. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname">
+     *                <code>sts:RoleSessionName</code>
+     *             </a>.</p>
      *          <p>The regex used to validate this parameter is a string of characters
      *     consisting of upper- and lower-case alphanumeric characters with no spaces. You can
      *     also include underscores or any of the following characters: =,.@-</p>
@@ -684,7 +710,8 @@ export interface AssumeRoleWithWebIdentityRequest {
      * <p>The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity
      *          provider. Your application must get this token by authenticating the user who is using your
      *          application with a web identity provider before the application makes an
-     *             <code>AssumeRoleWithWebIdentity</code> call. Only tokens with RSA algorithms (RS256) are
+     *             <code>AssumeRoleWithWebIdentity</code> call. Timestamps in the token must be formatted
+     *          as either an integer or a long integer. Only tokens with RSA algorithms (RS256) are
      *          supported.</p>
      * @public
      */
@@ -698,7 +725,7 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          <p>Do not specify this value for OpenID Connect ID tokens.</p>
      * @public
      */
-    ProviderId?: string;
+    ProviderId?: string | undefined;
     /**
      * <p>The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as
      *          managed session policies. The policies must exist in the same account as the role.</p>
@@ -723,7 +750,7 @@ export interface AssumeRoleWithWebIdentityRequest {
      *             Policies</a> in the <i>IAM User Guide</i>.</p>
      * @public
      */
-    PolicyArns?: PolicyDescriptorType[];
+    PolicyArns?: PolicyDescriptorType[] | undefined;
     /**
      * <p>An IAM policy in JSON format that you want to use as an inline session policy.</p>
      *          <p>This parameter is optional. Passing policies to this operation returns new
@@ -739,6 +766,8 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          character to the end of the valid character list (\u0020 through \u00FF). It can also
      *          include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D)
      *          characters.</p>
+     *          <p>For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+     *             policies</a>.</p>
      *          <note>
      *             <p>An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
      *             and session tags into a packed binary format that has a separate limit. Your request can
@@ -748,7 +777,7 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          </note>
      * @public
      */
-    Policy?: string;
+    Policy?: string | undefined;
     /**
      * <p>The duration, in seconds, of the role session. The value can range from 900 seconds (15
      *          minutes) up to the maximum session duration setting for the role. This setting can have a
@@ -770,7 +799,7 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          </note>
      * @public
      */
-    DurationSeconds?: number;
+    DurationSeconds?: number | undefined;
 }
 /**
  * <p>Contains the response to a successful <a>AssumeRoleWithWebIdentity</a>
@@ -787,7 +816,7 @@ export interface AssumeRoleWithWebIdentityResponse {
      *          </note>
      * @public
      */
-    Credentials?: Credentials;
+    Credentials?: Credentials | undefined;
     /**
      * <p>The unique user identifier that is returned by the identity provider. This identifier is
      *          associated with the <code>WebIdentityToken</code> that was submitted with the
@@ -797,7 +826,7 @@ export interface AssumeRoleWithWebIdentityResponse {
      *          identity provider as the token's <code>sub</code> (Subject) claim. </p>
      * @public
      */
-    SubjectFromWebIdentityToken?: string;
+    SubjectFromWebIdentityToken?: string | undefined;
     /**
      * <p>The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you
      *          can use to refer to the resulting temporary security credentials. For example, you can
@@ -806,14 +835,14 @@ export interface AssumeRoleWithWebIdentityResponse {
      *          when you called <code>AssumeRole</code>. </p>
      * @public
      */
-    AssumedRoleUser?: AssumedRoleUser;
+    AssumedRoleUser?: AssumedRoleUser | undefined;
     /**
      * <p>A percentage value that indicates the packed size of the session policies and session
      *       tags combined passed in the request. The request fails if the packed size is greater than 100 percent,
      *       which means the policies and tags exceeded the allowed space.</p>
      * @public
      */
-    PackedPolicySize?: number;
+    PackedPolicySize?: number | undefined;
     /**
      * <p> The issuing authority of the web identity token presented. For OpenID Connect ID
      *          tokens, this contains the value of the <code>iss</code> field. For OAuth 2.0 access tokens,
@@ -821,14 +850,14 @@ export interface AssumeRoleWithWebIdentityResponse {
      *             <code>AssumeRoleWithWebIdentity</code> request.</p>
      * @public
      */
-    Provider?: string;
+    Provider?: string | undefined;
     /**
      * <p>The intended audience (also known as client ID) of the web identity token. This is
      *          traditionally the client identifier issued to the application that requested the web
      *          identity token.</p>
      * @public
      */
-    Audience?: string;
+    Audience?: string | undefined;
     /**
      * <p>The value of the source identity that is returned in the JSON web token (JWT) from the
      *          identity provider.</p>
@@ -836,9 +865,9 @@ export interface AssumeRoleWithWebIdentityResponse {
      *          this by using the <code>sts:SourceIdentity</code> condition key in a role trust policy.
      *          That way, actions that are taken with the role are associated with that user. After the
      *          source identity is set, the value cannot be changed. It is present in the request for all
-     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining">chained
-     *             role</a> sessions. You can configure your identity provider to use an attribute
-     *          associated with your users, like user name or email, as the source identity when calling
+     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts">chained role</a>
+     *          sessions. You can configure your identity provider to use an attribute associated with your
+     *          users, like user name or email, as the source identity when calling
      *             <code>AssumeRoleWithWebIdentity</code>. You do this by adding a claim to the JSON web
      *          token. To learn more about OIDC tokens and claims, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html">Using Tokens with User Pools</a> in the <i>Amazon Cognito Developer Guide</i>.
      *          For more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
@@ -849,14 +878,14 @@ export interface AssumeRoleWithWebIdentityResponse {
      *     also include underscores or any of the following characters: =,.@-</p>
      * @public
      */
-    SourceIdentity?: string;
+    SourceIdentity?: string | undefined;
 }
 /**
- * <p>The request could not be fulfilled because the identity provider (IDP) that
- *             was asked to verify the incoming identity token could not be reached. This is often a
- *             transient error caused by network conditions. Retry the request a limited number of
- *             times so that you don't exceed the request rate. If the error persists, the
- *             identity provider might be down or not responding.</p>
+ * <p>The request could not be fulfilled because the identity provider (IDP) that was asked
+ *             to verify the incoming identity token could not be reached. This is often a transient
+ *             error caused by network conditions. Retry the request a limited number of times so that
+ *             you don't exceed the request rate. If the error persists, the identity provider might be
+ *             down or not responding.</p>
  * @public
  */
 export declare class IDPCommunicationErrorException extends __BaseException {
@@ -867,6 +896,87 @@ export declare class IDPCommunicationErrorException extends __BaseException {
      */
     constructor(opts: __ExceptionOptionType<IDPCommunicationErrorException, __BaseException>);
 }
+/**
+ * @public
+ */
+export interface AssumeRootRequest {
+    /**
+     * <p>The member account principal ARN or account ID.</p>
+     * @public
+     */
+    TargetPrincipal: string | undefined;
+    /**
+     * <p>The identity based policy that scopes the session to the privileged tasks that can be
+     *          performed. You can use one of following Amazon Web Services managed policies to scope
+     *          root session actions. You can add additional customer managed policies to further limit the
+     *          permissions for the root session.</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials">IAMAuditRootUserCredentials</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword">IAMCreateRootUserPassword</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials">IAMDeleteRootUserCredentials</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy">S3UnlockBucketPolicy</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy">SQSUnlockQueuePolicy</a>
+     *                </p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    TaskPolicyArn: PolicyDescriptorType | undefined;
+    /**
+     * <p>The duration, in seconds, of the privileged session. The value can range from 0 seconds
+     *          up to the maximum session duration of 900 seconds (15 minutes). If you specify a value
+     *          higher than this setting, the operation fails.</p>
+     *          <p>By default, the value is set to <code>900</code> seconds.</p>
+     * @public
+     */
+    DurationSeconds?: number | undefined;
+}
+/**
+ * @public
+ */
+export interface AssumeRootResponse {
+    /**
+     * <p>The temporary security credentials, which include an access key ID, a secret access key,
+     *          and a security token.</p>
+     *          <note>
+     *             <p>The size of the security token that STS API operations return is not fixed. We
+     *         strongly recommend that you make no assumptions about the maximum size.</p>
+     *          </note>
+     * @public
+     */
+    Credentials?: Credentials | undefined;
+    /**
+     * <p>The source identity specified by the principal that is calling the
+     *             <code>AssumeRoot</code> operation.</p>
+     *          <p>You can use the <code>aws:SourceIdentity</code> condition key to control access based on
+     *          the value of source identity. For more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
+     *             actions taken with assumed roles</a> in the
+     *          <i>IAM User Guide</i>.</p>
+     *          <p>The regex used to validate this parameter is a string of characters consisting of upper-
+     *          and lower-case alphanumeric characters with no spaces. You can also include underscores or
+     *          any of the following characters: =,.@-</p>
+     * @public
+     */
+    SourceIdentity?: string | undefined;
+}
 /**
  * @public
  */
@@ -887,12 +997,12 @@ export interface DecodeAuthorizationMessageResponse {
      * <p>The API returns a response with the decoded message.</p>
      * @public
      */
-    DecodedMessage?: string;
+    DecodedMessage?: string | undefined;
 }
 /**
  * <p>The error returned if the message passed to <code>DecodeAuthorizationMessage</code>
- *             was invalid. This can happen if the token contains invalid characters, such as
- *             linebreaks. </p>
+ *             was invalid. This can happen if the token contains invalid characters, such as line
+ *             breaks, or if the message has expired.</p>
  * @public
  */
 export declare class InvalidAuthorizationMessageException extends __BaseException {
@@ -923,7 +1033,7 @@ export interface GetAccessKeyInfoResponse {
      * <p>The number used to identify the Amazon Web Services account.</p>
      * @public
      */
-    Account?: string;
+    Account?: string | undefined;
 }
 /**
  * @public
@@ -943,18 +1053,18 @@ export interface GetCallerIdentityResponse {
      *          page in the <i>IAM User Guide</i>.</p>
      * @public
      */
-    UserId?: string;
+    UserId?: string | undefined;
     /**
      * <p>The Amazon Web Services account ID number of the account that owns or contains the calling
      *          entity.</p>
      * @public
      */
-    Account?: string;
+    Account?: string | undefined;
     /**
      * <p>The Amazon Web Services ARN associated with the calling entity.</p>
      * @public
      */
-    Arn?: string;
+    Arn?: string | undefined;
 }
 /**
  * @public
@@ -1003,7 +1113,7 @@ export interface GetFederationTokenRequest {
      *          </note>
      * @public
      */
-    Policy?: string;
+    Policy?: string | undefined;
     /**
      * <p>The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a
      *          managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.</p>
@@ -1036,7 +1146,7 @@ export interface GetFederationTokenRequest {
      *          </note>
      * @public
      */
-    PolicyArns?: PolicyDescriptorType[];
+    PolicyArns?: PolicyDescriptorType[] | undefined;
     /**
      * <p>The duration, in seconds, that the session should last. Acceptable durations for
      *          federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with
@@ -1046,7 +1156,7 @@ export interface GetFederationTokenRequest {
      *          credentials defaults to one hour.</p>
      * @public
      */
-    DurationSeconds?: number;
+    DurationSeconds?: number | undefined;
     /**
      * <p>A list of session tags. Each session tag consists of a key name and an associated value.
      *          For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
@@ -1072,7 +1182,7 @@ export interface GetFederationTokenRequest {
      *          the request takes precedence over the role tag.</p>
      * @public
      */
-    Tags?: Tag[];
+    Tags?: Tag[] | undefined;
 }
 /**
  * <p>Identifiers for the federated user that is associated with the credentials.</p>
@@ -1108,7 +1218,7 @@ export interface GetFederationTokenResponse {
      *          </note>
      * @public
      */
-    Credentials?: Credentials;
+    Credentials?: Credentials | undefined;
     /**
      * <p>Identifiers for the federated user associated with the credentials (such as
      *             <code>arn:aws:sts::123456789012:federated-user/Bob</code> or
@@ -1116,14 +1226,14 @@ export interface GetFederationTokenResponse {
      *          resource-based policies, such as an Amazon S3 bucket policy. </p>
      * @public
      */
-    FederatedUser?: FederatedUser;
+    FederatedUser?: FederatedUser | undefined;
     /**
      * <p>A percentage value that indicates the packed size of the session policies and session
      *       tags combined passed in the request. The request fails if the packed size is greater than 100 percent,
      *       which means the policies and tags exceeded the allowed space.</p>
      * @public
      */
-    PackedPolicySize?: number;
+    PackedPolicySize?: number | undefined;
 }
 /**
  * @public
@@ -1137,7 +1247,7 @@ export interface GetSessionTokenRequest {
      *          than one hour, the session for Amazon Web Services account owners defaults to one hour.</p>
      * @public
      */
-    DurationSeconds?: number;
+    DurationSeconds?: number | undefined;
     /**
      * <p>The identification number of the MFA device that is associated with the IAM user who is making the <code>GetSessionToken</code> call. Specify this value
      *          if the IAM user has a policy that requires MFA authentication. The value is
@@ -1149,7 +1259,7 @@ export interface GetSessionTokenRequest {
      *     You can also include underscores or any of the following characters: =,.@:/-</p>
      * @public
      */
-    SerialNumber?: string;
+    SerialNumber?: string | undefined;
     /**
      * <p>The value provided by the MFA device, if MFA is required. If any policy requires the
      *             IAM user to submit an MFA code, specify this value. If MFA authentication
@@ -1160,7 +1270,7 @@ export interface GetSessionTokenRequest {
      *          numeric digits.</p>
      * @public
      */
-    TokenCode?: string;
+    TokenCode?: string | undefined;
 }
 /**
  * <p>Contains the response to a successful <a>GetSessionToken</a> request,
@@ -1177,7 +1287,7 @@ export interface GetSessionTokenResponse {
      *          </note>
      * @public
      */
-    Credentials?: Credentials;
+    Credentials?: Credentials | undefined;
 }
 /**
  * @internal
@@ -1203,6 +1313,10 @@ export declare const AssumeRoleWithWebIdentityRequestFilterSensitiveLog: (obj: A
  * @internal
  */
 export declare const AssumeRoleWithWebIdentityResponseFilterSensitiveLog: (obj: AssumeRoleWithWebIdentityResponse) => any;
+/**
+ * @internal
+ */
+export declare const AssumeRootResponseFilterSensitiveLog: (obj: AssumeRootResponse) => any;
 /**
  * @internal
  */