@aws-sdk/client-service-catalog 3.213.0 → 3.214.0

package/dist-types/ServiceCatalog.d.ts

@@ -88,9 +88,9 @@ import { UpdateServiceActionCommandInput, UpdateServiceActionCommandOutput } fro
 import { UpdateTagOptionCommandInput, UpdateTagOptionCommandOutput } from "./commands/UpdateTagOptionCommand";
 import { ServiceCatalogClient } from "./ServiceCatalogClient";
 /**
- * <fullname>AWS Service Catalog</fullname>
+ * <fullname>Service Catalog</fullname>
  *          <p>
- *             <a href="https://aws.amazon.com/servicecatalog/">Service Catalog</a> enables
+ *             <a href="http://aws.amazon.com/servicecatalog">Service Catalog</a> enables
  *          organizations to create and manage catalogs of IT services that are approved for Amazon Web Services. To
  *          get the most out of this documentation, you should be familiar with the terminology
  *          discussed in <a href="http://docs.aws.amazon.com/servicecatalog/latest/adminguide/what-is_concepts.html">Service Catalog
@@ -111,6 +111,22 @@ export declare class ServiceCatalog extends ServiceCatalogClient {
     associateBudgetWithResource(args: AssociateBudgetWithResourceCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: AssociateBudgetWithResourceCommandOutput) => void): void;
     /**
      * <p>Associates the specified principal ARN with the specified portfolio.</p>
+     *          <p>If you share the portfolio with principal name sharing enabled, the <code>PrincipalARN</code> association is
+     *          included in the share. </p>
+     *          <p>The <code>PortfolioID</code>, <code>PrincipalARN</code>, and <code>PrincipalType</code> parameters are
+     *       required. </p>
+     *          <p>You can associate a maximum of 10 Principals with a portfolio using <code>PrincipalType</code> as <code>IAM_PATTERN</code>
+     *          </p>
+     *
+     *          <note>
+     *             <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
+     *          then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
+     *          but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
+     *          name association for the portfolio. Although this user may not know which principal names are associated through
+     *          Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
+     *          Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
+     *          the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
+     *          </note>
      */
     associatePrincipalWithPortfolio(args: AssociatePrincipalWithPortfolioCommandInput, options?: __HttpHandlerOptions): Promise<AssociatePrincipalWithPortfolioCommandOutput>;
     associatePrincipalWithPortfolio(args: AssociatePrincipalWithPortfolioCommandInput, cb: (err: any, data?: AssociatePrincipalWithPortfolioCommandOutput) => void): void;
@@ -181,7 +197,18 @@ export declare class ServiceCatalog extends ServiceCatalogClient {
      *         <p>
      *             <code>AWSOrganizationsAccess</code> must be enabled in order to create a portfolio share to an organization node.</p>
      *          <p>You can't share a shared resource, including portfolios that contain a shared product.</p>
-     *          <p>If the portfolio share with the specified account or organization node already exists, this action will have no effect and will not return an error. To update an existing share, you must use the <code> UpdatePortfolioShare</code> API instead.</p>
+     *          <p>If the portfolio share with the specified account or organization node already exists, this action will have no effect
+     *          and will not return an error. To update an existing share, you must use the <code> UpdatePortfolioShare</code> API instead. </p>
+     *
+     *          <note>
+     *             <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
+     *          then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
+     *          but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
+     *          name association for the portfolio. Although this user may not know which principal names are associated through
+     *          Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
+     *          Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
+     *          the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
+     *          </note>
      */
     createPortfolioShare(args: CreatePortfolioShareCommandInput, options?: __HttpHandlerOptions): Promise<CreatePortfolioShareCommandOutput>;
     createPortfolioShare(args: CreatePortfolioShareCommandInput, cb: (err: any, data?: CreatePortfolioShareCommandOutput) => void): void;
@@ -439,6 +466,13 @@ export declare class ServiceCatalog extends ServiceCatalogClient {
     /**
      * <p>Disassociates a previously associated principal ARN from a specified
      *          portfolio.</p>
+     *          <p>The <code>PrincipalType</code> and <code>PrincipalARN</code> must match the
+     *          <code>AssociatePrincipalWithPortfolio</code> call request details. For example,
+     *          to disassociate an association created with a <code>PrincipalARN</code> of <code>PrincipalType</code>
+     *          IAM you must use the <code>PrincipalType</code> IAM when calling <code>DisassociatePrincipalFromPortfolio</code>. </p>
+     *          <p>For portfolios that have been shared with principal name sharing enabled: after disassociating a principal,
+     *    share recipient accounts will no longer be able to provision products in this portfolio using a role matching the name
+     *    of the associated principal. </p>
      */
     disassociatePrincipalFromPortfolio(args: DisassociatePrincipalFromPortfolioCommandInput, options?: __HttpHandlerOptions): Promise<DisassociatePrincipalFromPortfolioCommandOutput>;
     disassociatePrincipalFromPortfolio(args: DisassociatePrincipalFromPortfolioCommandInput, cb: (err: any, data?: DisassociatePrincipalFromPortfolioCommandOutput) => void): void;
@@ -506,9 +540,9 @@ export declare class ServiceCatalog extends ServiceCatalogClient {
     getProvisionedProductOutputs(args: GetProvisionedProductOutputsCommandInput, cb: (err: any, data?: GetProvisionedProductOutputsCommandOutput) => void): void;
     getProvisionedProductOutputs(args: GetProvisionedProductOutputsCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: GetProvisionedProductOutputsCommandOutput) => void): void;
     /**
-     * <p>Requests the import of a resource as a Amazon Web Services Service Catalog provisioned product that is
-     *          associated to a Amazon Web Services Service Catalog product and provisioning artifact. Once imported, all
-     *          supported Amazon Web Services Service Catalog governance actions are supported on the provisioned
+     * <p>Requests the import of a resource as an Service Catalog provisioned product that is
+     *          associated to an Service Catalog product and provisioning artifact. Once imported, all
+     *          supported Service Catalog governance actions are supported on the provisioned
      *          product.</p>
      *          <p>Resource import only supports CloudFormation stack ARNs. CloudFormation StackSets and
      *          non-root nested stacks are not supported.</p>
@@ -516,7 +550,7 @@ export declare class ServiceCatalog extends ServiceCatalogClient {
      *          <code>CREATE_COMPLETE</code>, <code>UPDATE_COMPLETE</code>, <code>UPDATE_ROLLBACK_COMPLETE</code>, <code>IMPORT_COMPLETE</code>,
      *          <code>IMPORT_ROLLBACK_COMPLETE</code>.</p>
      *          <p>Import of the resource requires that the CloudFormation stack template matches the
-     *          associated Amazon Web Services Service Catalog product provisioning artifact. </p>
+     *          associated Service Catalog product provisioning artifact. </p>
      *
      *          <p>The user or role that performs this operation must have the <code>cloudformation:GetTemplate</code>
      *          and <code>cloudformation:DescribeStacks</code> IAM policy permissions. </p>
@@ -581,7 +615,7 @@ export declare class ServiceCatalog extends ServiceCatalogClient {
     listPortfoliosForProduct(args: ListPortfoliosForProductCommandInput, cb: (err: any, data?: ListPortfoliosForProductCommandOutput) => void): void;
     listPortfoliosForProduct(args: ListPortfoliosForProductCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: ListPortfoliosForProductCommandOutput) => void): void;
     /**
-     * <p>Lists all principal ARNs associated with the specified portfolio.</p>
+     * <p>Lists all <code>PrincipalARN</code>s and corresponding <code>PrincipalType</code>s associated with the specified portfolio.</p>
      */
     listPrincipalsForPortfolio(args: ListPrincipalsForPortfolioCommandInput, options?: __HttpHandlerOptions): Promise<ListPrincipalsForPortfolioCommandOutput>;
     listPrincipalsForPortfolio(args: ListPrincipalsForPortfolioCommandInput, cb: (err: any, data?: ListPrincipalsForPortfolioCommandOutput) => void): void;
@@ -717,15 +751,26 @@ export declare class ServiceCatalog extends ServiceCatalogClient {
     updatePortfolio(args: UpdatePortfolioCommandInput, cb: (err: any, data?: UpdatePortfolioCommandOutput) => void): void;
     updatePortfolio(args: UpdatePortfolioCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: UpdatePortfolioCommandOutput) => void): void;
     /**
-     * <p>Updates the specified portfolio share. You can use this API to enable or disable TagOptions sharing for an existing portfolio share. </p>
+     * <p>Updates the specified portfolio share. You can use this API to enable or disable <code>TagOptions</code> sharing
+     *          or Principal sharing for an existing portfolio share. </p>
      *
-     *          <p>The portfolio share cannot be updated if the <code> CreatePortfolioShare</code> operation is <code>IN_PROGRESS</code>, as the share is not available to recipient entities. In this case, you must wait for the portfolio share to be COMPLETED.</p>
+     *          <p>The portfolio share cannot be updated if the <code>CreatePortfolioShare</code> operation is <code>IN_PROGRESS</code>, as the share is not available to recipient entities. In this case, you must wait for the portfolio share to be COMPLETED.</p>
      *
      *          <p>You must provide the <code>accountId</code> or organization node in the input, but not both.</p>
      *
      *          <p>If the portfolio is shared to both an external account and an organization node, and both shares need to be updated, you must invoke <code>UpdatePortfolioShare</code> separately for each share type. </p>
      *
      *          <p>This API cannot be used for removing the portfolio share. You must use <code>DeletePortfolioShare</code> API for that action. </p>
+     *
+     *          <note>
+     *             <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
+     *          then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
+     *          but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
+     *          name association for the portfolio. Although this user may not know which principal names are associated through
+     *          Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
+     *          Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
+     *          the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
+     *          </note>
      */
     updatePortfolioShare(args: UpdatePortfolioShareCommandInput, options?: __HttpHandlerOptions): Promise<UpdatePortfolioShareCommandOutput>;
     updatePortfolioShare(args: UpdatePortfolioShareCommandInput, cb: (err: any, data?: UpdatePortfolioShareCommandOutput) => void): void;

package/dist-types/ServiceCatalogClient.d.ts

@@ -210,9 +210,9 @@ declare type ServiceCatalogClientResolvedConfigType = __SmithyResolvedConfigurat
 export interface ServiceCatalogClientResolvedConfig extends ServiceCatalogClientResolvedConfigType {
 }
 /**
- * <fullname>AWS Service Catalog</fullname>
+ * <fullname>Service Catalog</fullname>
  *          <p>
- *             <a href="https://aws.amazon.com/servicecatalog/">Service Catalog</a> enables
+ *             <a href="http://aws.amazon.com/servicecatalog">Service Catalog</a> enables
  *          organizations to create and manage catalogs of IT services that are approved for Amazon Web Services. To
  *          get the most out of this documentation, you should be familiar with the terminology
  *          discussed in <a href="http://docs.aws.amazon.com/servicecatalog/latest/adminguide/what-is_concepts.html">Service Catalog

package/dist-types/commands/AssociatePrincipalWithPortfolioCommand.d.ts

@@ -9,6 +9,22 @@ export interface AssociatePrincipalWithPortfolioCommandOutput extends AssociateP
 }
 /**
  * <p>Associates the specified principal ARN with the specified portfolio.</p>
+ *          <p>If you share the portfolio with principal name sharing enabled, the <code>PrincipalARN</code> association is
+ *          included in the share. </p>
+ *          <p>The <code>PortfolioID</code>, <code>PrincipalARN</code>, and <code>PrincipalType</code> parameters are
+ *       required. </p>
+ *          <p>You can associate a maximum of 10 Principals with a portfolio using <code>PrincipalType</code> as <code>IAM_PATTERN</code>
+ *          </p>
+ *
+ *          <note>
+ *             <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
+ *          then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
+ *          but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
+ *          name association for the portfolio. Although this user may not know which principal names are associated through
+ *          Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
+ *          Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
+ *          the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
+ *          </note>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

package/dist-types/commands/CreatePortfolioShareCommand.d.ts

@@ -16,7 +16,18 @@ export interface CreatePortfolioShareCommandOutput extends CreatePortfolioShareO
  *         <p>
  *             <code>AWSOrganizationsAccess</code> must be enabled in order to create a portfolio share to an organization node.</p>
  *          <p>You can't share a shared resource, including portfolios that contain a shared product.</p>
- *          <p>If the portfolio share with the specified account or organization node already exists, this action will have no effect and will not return an error. To update an existing share, you must use the <code> UpdatePortfolioShare</code> API instead.</p>
+ *          <p>If the portfolio share with the specified account or organization node already exists, this action will have no effect
+ *          and will not return an error. To update an existing share, you must use the <code> UpdatePortfolioShare</code> API instead. </p>
+ *
+ *          <note>
+ *             <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
+ *          then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
+ *          but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
+ *          name association for the portfolio. Although this user may not know which principal names are associated through
+ *          Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
+ *          Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
+ *          the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
+ *          </note>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

package/dist-types/commands/DisassociatePrincipalFromPortfolioCommand.d.ts

@@ -10,6 +10,13 @@ export interface DisassociatePrincipalFromPortfolioCommandOutput extends Disasso
 /**
  * <p>Disassociates a previously associated principal ARN from a specified
  *          portfolio.</p>
+ *          <p>The <code>PrincipalType</code> and <code>PrincipalARN</code> must match the
+ *          <code>AssociatePrincipalWithPortfolio</code> call request details. For example,
+ *          to disassociate an association created with a <code>PrincipalARN</code> of <code>PrincipalType</code>
+ *          IAM you must use the <code>PrincipalType</code> IAM when calling <code>DisassociatePrincipalFromPortfolio</code>. </p>
+ *          <p>For portfolios that have been shared with principal name sharing enabled: after disassociating a principal,
+ *    share recipient accounts will no longer be able to provision products in this portfolio using a role matching the name
+ *    of the associated principal. </p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

package/dist-types/commands/ImportAsProvisionedProductCommand.d.ts

@@ -8,9 +8,9 @@ export interface ImportAsProvisionedProductCommandInput extends ImportAsProvisio
 export interface ImportAsProvisionedProductCommandOutput extends ImportAsProvisionedProductOutput, __MetadataBearer {
 }
 /**
- * <p>Requests the import of a resource as a Amazon Web Services Service Catalog provisioned product that is
- *          associated to a Amazon Web Services Service Catalog product and provisioning artifact. Once imported, all
- *          supported Amazon Web Services Service Catalog governance actions are supported on the provisioned
+ * <p>Requests the import of a resource as an Service Catalog provisioned product that is
+ *          associated to an Service Catalog product and provisioning artifact. Once imported, all
+ *          supported Service Catalog governance actions are supported on the provisioned
  *          product.</p>
  *          <p>Resource import only supports CloudFormation stack ARNs. CloudFormation StackSets and
  *          non-root nested stacks are not supported.</p>
@@ -18,7 +18,7 @@ export interface ImportAsProvisionedProductCommandOutput extends ImportAsProvisi
  *          <code>CREATE_COMPLETE</code>, <code>UPDATE_COMPLETE</code>, <code>UPDATE_ROLLBACK_COMPLETE</code>, <code>IMPORT_COMPLETE</code>,
  *          <code>IMPORT_ROLLBACK_COMPLETE</code>.</p>
  *          <p>Import of the resource requires that the CloudFormation stack template matches the
- *          associated Amazon Web Services Service Catalog product provisioning artifact. </p>
+ *          associated Service Catalog product provisioning artifact. </p>
  *
  *          <p>The user or role that performs this operation must have the <code>cloudformation:GetTemplate</code>
  *          and <code>cloudformation:DescribeStacks</code> IAM policy permissions. </p>

package/dist-types/commands/ListPrincipalsForPortfolioCommand.d.ts

@@ -8,7 +8,7 @@ export interface ListPrincipalsForPortfolioCommandInput extends ListPrincipalsFo
 export interface ListPrincipalsForPortfolioCommandOutput extends ListPrincipalsForPortfolioOutput, __MetadataBearer {
 }
 /**
- * <p>Lists all principal ARNs associated with the specified portfolio.</p>
+ * <p>Lists all <code>PrincipalARN</code>s and corresponding <code>PrincipalType</code>s associated with the specified portfolio.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

package/dist-types/commands/UpdatePortfolioShareCommand.d.ts

@@ -8,15 +8,26 @@ export interface UpdatePortfolioShareCommandInput extends UpdatePortfolioShareIn
 export interface UpdatePortfolioShareCommandOutput extends UpdatePortfolioShareOutput, __MetadataBearer {
 }
 /**
- * <p>Updates the specified portfolio share. You can use this API to enable or disable TagOptions sharing for an existing portfolio share. </p>
+ * <p>Updates the specified portfolio share. You can use this API to enable or disable <code>TagOptions</code> sharing
+ *          or Principal sharing for an existing portfolio share. </p>
  *
- *          <p>The portfolio share cannot be updated if the <code> CreatePortfolioShare</code> operation is <code>IN_PROGRESS</code>, as the share is not available to recipient entities. In this case, you must wait for the portfolio share to be COMPLETED.</p>
+ *          <p>The portfolio share cannot be updated if the <code>CreatePortfolioShare</code> operation is <code>IN_PROGRESS</code>, as the share is not available to recipient entities. In this case, you must wait for the portfolio share to be COMPLETED.</p>
  *
  *          <p>You must provide the <code>accountId</code> or organization node in the input, but not both.</p>
  *
  *          <p>If the portfolio is shared to both an external account and an organization node, and both shares need to be updated, you must invoke <code>UpdatePortfolioShare</code> separately for each share type. </p>
  *
  *          <p>This API cannot be used for removing the portfolio share. You must use <code>DeletePortfolioShare</code> API for that action. </p>
+ *
+ *          <note>
+ *             <p>When you associate a principal with portfolio, a potential privilege escalation path may occur when that portfolio is
+ *          then shared with other accounts. For a user in a recipient account who is <i>not</i> an Service Catalog Admin,
+ *          but still has the ability to create Principals (Users/Groups/Roles), that user could create a role that matches a principal
+ *          name association for the portfolio. Although this user may not know which principal names are associated through
+ *          Service Catalog, they may be able to guess the user. If this potential escalation path is a concern, then
+ *          Service Catalog recommends using <code>PrincipalType</code> as <code>IAM</code>. With this configuration,
+ *          the <code>PrincipalARN</code> must already exist in the recipient account before it can be associated. </p>
+ *          </note>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript