npm - @cdklabs/cdk-ecs-codedeploy - Versions diffs - 0.0.345 → 0.0.347 - Mend

@cdklabs/cdk-ecs-codedeploy 0.0.345 → 0.0.347

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (132) hide show

package/node_modules/@aws-sdk/client-sts/dist-types/models/models_0.d.ts CHANGED Viewed

@@ -32,7 +32,7 @@ export interface PolicyDescriptorType {
      *             Service Namespaces</a> in the <i>Amazon Web Services General Reference</i>.</p>
      * @public
      */
-    arn?: string;
+    arn?: string | undefined;
 }
 /**
  * <p>Contains information about the provided context. This includes the signed and encrypted
@@ -45,13 +45,13 @@ export interface ProvidedContext {
      * <p>The context provider ARN from which the trusted context assertion was generated.</p>
      * @public
      */
-    ProviderArn?: string;
+    ProviderArn?: string | undefined;
     /**
      * <p>The signed and encrypted trusted context assertion generated by the context provider.
      *          The trusted context assertion is signed and encrypted by Amazon Web Services STS.</p>
      * @public
      */
-    ContextAssertion?: string;
+    ContextAssertion?: string | undefined;
 }
 /**
  * <p>You can pass custom key-value pair attributes when you assume a role or federate a user.
@@ -95,6 +95,11 @@ export interface AssumeRoleRequest {
      *          session name is also used in the ARN of the assumed role principal. This means that
      *          subsequent cross-account API requests that use the temporary security credentials will
      *          expose the role session name to the external account in their CloudTrail logs.</p>
+     *          <p>For security purposes, administrators can view this field in <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds">CloudTrail logs</a> to help identify who performed an action in Amazon Web Services. Your
+     *          administrator might require that you specify your user name as the session name when you
+     *          assume the role. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname">
+     *                <code>sts:RoleSessionName</code>
+     *             </a>.</p>
      *          <p>The regex used to validate this parameter is a string of characters
      *     consisting of upper- and lower-case alphanumeric characters with no spaces. You can
      *     also include underscores or any of the following characters: =,.@-</p>
@@ -125,7 +130,7 @@ export interface AssumeRoleRequest {
      *             Policies</a> in the <i>IAM User Guide</i>.</p>
      * @public
      */
-    PolicyArns?: PolicyDescriptorType[];
+    PolicyArns?: PolicyDescriptorType[] | undefined;
     /**
      * <p>An IAM policy in JSON format that you want to use as an inline session policy.</p>
      *          <p>This parameter is optional. Passing policies to this operation returns new
@@ -148,9 +153,11 @@ export interface AssumeRoleRequest {
      *                <code>PackedPolicySize</code> response element indicates by percentage how close the
      *             policies and tags for your request are to the upper size limit.</p>
      *          </note>
+     *          <p>For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+     *             policies</a>.</p>
      * @public
      */
-    Policy?: string;
+    Policy?: string | undefined;
     /**
      * <p>The duration, in seconds, of the role session. The value specified can range from 900
      *          seconds (15 minutes) up to the maximum session duration set for the role. The maximum
@@ -164,9 +171,7 @@ export interface AssumeRoleRequest {
      *          specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum
      *          session duration setting for your role. However, if you assume a role using role chaining
      *          and provide a <code>DurationSeconds</code> parameter value greater than one hour, the
-     *          operation fails. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
-     *             Maximum Session Duration Setting for a Role</a> in the
-     *             <i>IAM User Guide</i>.</p>
+     *          operation fails. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration">Update the maximum session duration for a role</a>.</p>
      *          <p>By default, the value is set to <code>3600</code> seconds. </p>
      *          <note>
      *             <p>The <code>DurationSeconds</code> parameter is separate from the duration of a console
@@ -179,7 +184,7 @@ export interface AssumeRoleRequest {
      *          </note>
      * @public
      */
-    DurationSeconds?: number;
+    DurationSeconds?: number | undefined;
     /**
      * <p>A list of session tags that you want to pass. Each session tag consists of a key name
      *          and an associated value. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Tagging Amazon Web Services STS
@@ -210,19 +215,19 @@ export interface AssumeRoleRequest {
      *          <i>IAM User Guide</i>.</p>
      * @public
      */
-    Tags?: Tag[];
+    Tags?: Tag[] | undefined;
     /**
      * <p>A list of keys for session tags that you want to set as transitive. If you set a tag key
      *          as transitive, the corresponding key and value passes to subsequent sessions in a role
      *          chain. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
      *             with Session Tags</a> in the <i>IAM User Guide</i>.</p>
-     *          <p>This parameter is optional. When you set session tags as transitive, the session policy
-     *          and session tags packed binary limit is not affected.</p>
+     *          <p>This parameter is optional. The transitive status of a session tag does not impact its
+     *          packed binary size.</p>
      *          <p>If you choose not to specify a transitive tag key, then no tags are passed from this
      *          session to any subsequent sessions.</p>
      * @public
      */
-    TransitiveTagKeys?: string[];
+    TransitiveTagKeys?: string[] | undefined;
     /**
      * <p>A unique identifier that might be required when you assume a role in another account. If
      *          the administrator of the account to which the role belongs provided you with an external
@@ -239,7 +244,7 @@ export interface AssumeRoleRequest {
      *     You can also include underscores or any of the following characters: =,.@:/-</p>
      * @public
      */
-    ExternalId?: string;
+    ExternalId?: string | undefined;
     /**
      * <p>The identification number of the MFA device that is associated with the user who is
      *          making the <code>AssumeRole</code> call. Specify this value if the trust policy of the role
@@ -252,7 +257,7 @@ export interface AssumeRoleRequest {
      *     also include underscores or any of the following characters: =,.@-</p>
      * @public
      */
-    SerialNumber?: string;
+    SerialNumber?: string | undefined;
     /**
      * <p>The value provided by the MFA device, if the trust policy of the role being assumed
      *          requires MFA. (In other words, if the policy includes a condition that tests for MFA). If
@@ -262,16 +267,18 @@ export interface AssumeRoleRequest {
      *          numeric digits.</p>
      * @public
      */
-    TokenCode?: string;
+    TokenCode?: string | undefined;
     /**
      * <p>The source identity specified by the principal that is calling the
-     *             <code>AssumeRole</code> operation.</p>
+     *             <code>AssumeRole</code> operation. The source identity value persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining">chained role</a> sessions.</p>
      *          <p>You can require users to specify a source identity when they assume a role. You do this
-     *          by using the <code>sts:SourceIdentity</code> condition key in a role trust policy. You can
-     *          use source identity information in CloudTrail logs to determine who took actions with a role.
-     *          You can use the <code>aws:SourceIdentity</code> condition key to further control access to
-     *          Amazon Web Services resources based on the value of source identity. For more information about using
-     *          source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
+     *          by using the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity">
+     *                <code>sts:SourceIdentity</code>
+     *             </a> condition key in a role trust policy. You
+     *          can use source identity information in CloudTrail logs to determine who took actions with a
+     *          role. You can use the <code>aws:SourceIdentity</code> condition key to further control
+     *          access to Amazon Web Services resources based on the value of source identity. For more information about
+     *          using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
      *             actions taken with assumed roles</a> in the
      *          <i>IAM User Guide</i>.</p>
      *          <p>The regex used to validate this parameter is a string of characters consisting of upper-
@@ -280,7 +287,7 @@ export interface AssumeRoleRequest {
      *             <code>aws:</code>. This prefix is reserved for Amazon Web Services internal use.</p>
      * @public
      */
-    SourceIdentity?: string;
+    SourceIdentity?: string | undefined;
     /**
      * <p>A list of previously acquired trusted context assertions in the format of a JSON array.
      *          The trusted context assertion is signed and encrypted by Amazon Web Services STS.</p>
@@ -292,7 +299,7 @@ export interface AssumeRoleRequest {
      *          </p>
      * @public
      */
-    ProvidedContexts?: ProvidedContext[];
+    ProvidedContexts?: ProvidedContext[] | undefined;
 }
 /**
  * <p>Amazon Web Services credentials for API authentication.</p>
@@ -336,7 +343,7 @@ export interface AssumeRoleResponse {
      *          </note>
      * @public
      */
-    Credentials?: Credentials;
+    Credentials?: Credentials | undefined;
     /**
      * <p>The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you
      *          can use to refer to the resulting temporary security credentials. For example, you can
@@ -345,14 +352,14 @@ export interface AssumeRoleResponse {
      *          when you called <code>AssumeRole</code>. </p>
      * @public
      */
-    AssumedRoleUser?: AssumedRoleUser;
+    AssumedRoleUser?: AssumedRoleUser | undefined;
     /**
      * <p>A percentage value that indicates the packed size of the session policies and session
      *       tags combined passed in the request. The request fails if the packed size is greater than 100 percent,
      *       which means the policies and tags exceeded the allowed space.</p>
      * @public
      */
-    PackedPolicySize?: number;
+    PackedPolicySize?: number | undefined;
     /**
      * <p>The source identity specified by the principal that is calling the
      *             <code>AssumeRole</code> operation.</p>
@@ -369,7 +376,7 @@ export interface AssumeRoleResponse {
      *          any of the following characters: =,.@-</p>
      * @public
      */
-    SourceIdentity?: string;
+    SourceIdentity?: string | undefined;
 }
 /**
  * <p>The web identity token that was passed is expired or is not valid. Get a new identity
@@ -405,8 +412,8 @@ export declare class MalformedPolicyDocumentException extends __BaseException {
  *             tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
  *             the <i>IAM User Guide</i>.</p>
  *          <p>You could receive this error even though you meet other defined session policy and
- *             session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity
- *                 Character Limits</a> in the <i>IAM User Guide</i>.</p>
+ *             session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
+ *                 Guide</i>.</p>
  * @public
  */
 export declare class PackedPolicyTooLargeException extends __BaseException {
@@ -419,10 +426,10 @@ export declare class PackedPolicyTooLargeException extends __BaseException {
 }
 /**
  * <p>STS is not activated in the requested region for the account that is being asked to
- *             generate credentials. The account administrator must use the IAM console to activate STS
- *             in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
- *                 Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                     Guide</i>.</p>
+ *             generate credentials. The account administrator must use the IAM console to activate
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
+ *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
+ *                 Guide</i>.</p>
  * @public
  */
 export declare class RegionDisabledException extends __BaseException {
@@ -479,7 +486,7 @@ export interface AssumeRoleWithSAMLRequest {
      *             Policies</a> in the <i>IAM User Guide</i>.</p>
      * @public
      */
-    PolicyArns?: PolicyDescriptorType[];
+    PolicyArns?: PolicyDescriptorType[] | undefined;
     /**
      * <p>An IAM policy in JSON format that you want to use as an inline session policy.</p>
      *          <p>This parameter is optional. Passing policies to this operation returns new
@@ -495,6 +502,8 @@ export interface AssumeRoleWithSAMLRequest {
      *          character to the end of the valid character list (\u0020 through \u00FF). It can also
      *          include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D)
      *          characters.</p>
+     *          <p>For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+     *             policies</a>.</p>
      *          <note>
      *             <p>An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
      *             and session tags into a packed binary format that has a separate limit. Your request can
@@ -504,7 +513,7 @@ export interface AssumeRoleWithSAMLRequest {
      *          </note>
      * @public
      */
-    Policy?: string;
+    Policy?: string | undefined;
     /**
      * <p>The duration, in seconds, of the role session. Your role session lasts for the duration
      *          that you specify for the <code>DurationSeconds</code> parameter, or until the time
@@ -529,7 +538,7 @@ export interface AssumeRoleWithSAMLRequest {
      *          </note>
      * @public
      */
-    DurationSeconds?: number;
+    DurationSeconds?: number | undefined;
 }
 /**
  * <p>Contains the response to a successful <a>AssumeRoleWithSAML</a> request,
@@ -546,26 +555,26 @@ export interface AssumeRoleWithSAMLResponse {
      *          </note>
      * @public
      */
-    Credentials?: Credentials;
+    Credentials?: Credentials | undefined;
     /**
      * <p>The identifiers for the temporary security credentials that the operation
      *          returns.</p>
      * @public
      */
-    AssumedRoleUser?: AssumedRoleUser;
+    AssumedRoleUser?: AssumedRoleUser | undefined;
     /**
      * <p>A percentage value that indicates the packed size of the session policies and session
      *       tags combined passed in the request. The request fails if the packed size is greater than 100 percent,
      *       which means the policies and tags exceeded the allowed space.</p>
      * @public
      */
-    PackedPolicySize?: number;
+    PackedPolicySize?: number | undefined;
     /**
      * <p>The value of the <code>NameID</code> element in the <code>Subject</code> element of the
      *          SAML assertion.</p>
      * @public
      */
-    Subject?: string;
+    Subject?: string | undefined;
     /**
      * <p> The format of the name ID, as defined by the <code>Format</code> attribute in the
      *             <code>NameID</code> element of the SAML assertion. Typical examples of the format are
@@ -577,18 +586,18 @@ export interface AssumeRoleWithSAMLResponse {
      *          with no modifications.</p>
      * @public
      */
-    SubjectType?: string;
+    SubjectType?: string | undefined;
     /**
      * <p>The value of the <code>Issuer</code> element of the SAML assertion.</p>
      * @public
      */
-    Issuer?: string;
+    Issuer?: string | undefined;
     /**
      * <p> The value of the <code>Recipient</code> attribute of the
      *             <code>SubjectConfirmationData</code> element of the SAML assertion. </p>
      * @public
      */
-    Audience?: string;
+    Audience?: string | undefined;
     /**
      * <p>A hash value based on the concatenation of the following:</p>
      *          <ul>
@@ -610,16 +619,18 @@ export interface AssumeRoleWithSAMLResponse {
      *          </p>
      * @public
      */
-    NameQualifier?: string;
+    NameQualifier?: string | undefined;
     /**
-     * <p>The value in the <code>SourceIdentity</code> attribute in the SAML assertion. </p>
+     * <p>The value in the <code>SourceIdentity</code> attribute in the SAML assertion. The source
+     *          identity value persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining">chained role</a>
+     *          sessions.</p>
      *          <p>You can require users to set a source identity value when they assume a role. You do
      *          this by using the <code>sts:SourceIdentity</code> condition key in a role trust policy.
      *          That way, actions that are taken with the role are associated with that user. After the
      *          source identity is set, the value cannot be changed. It is present in the request for all
-     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining">chained
-     *             role</a> sessions. You can configure your SAML identity provider to use an attribute
-     *          associated with your users, like user name or email, as the source identity when calling
+     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts">chained role</a>
+     *          sessions. You can configure your SAML identity provider to use an attribute associated with
+     *          your users, like user name or email, as the source identity when calling
      *             <code>AssumeRoleWithSAML</code>. You do this by adding an attribute to the SAML
      *          assertion. For more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
      *             actions taken with assumed roles</a> in the
@@ -629,7 +640,7 @@ export interface AssumeRoleWithSAMLResponse {
      *     also include underscores or any of the following characters: =,.@-</p>
      * @public
      */
-    SourceIdentity?: string;
+    SourceIdentity?: string | undefined;
 }
 /**
  * <p>The identity provider (IdP) reported that authentication failed. This might be because
@@ -665,6 +676,16 @@ export declare class InvalidIdentityTokenException extends __BaseException {
 export interface AssumeRoleWithWebIdentityRequest {
     /**
      * <p>The Amazon Resource Name (ARN) of the role that the caller is assuming.</p>
+     *          <note>
+     *             <p>Additional considerations apply to Amazon Cognito identity pools that assume <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html">cross-account IAM roles</a>. The trust policies of these roles must accept the
+     *                <code>cognito-identity.amazonaws.com</code> service principal and must contain the
+     *                <code>cognito-identity.amazonaws.com:aud</code> condition key to restrict role
+     *             assumption to users from your intended identity pools. A policy that trusts Amazon Cognito
+     *             identity pools without this condition creates a risk that a user from an unintended
+     *             identity pool can assume the role. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies"> Trust policies for
+     *                IAM roles in Basic (Classic) authentication </a> in the <i>Amazon Cognito
+     *                Developer Guide</i>.</p>
+     *          </note>
      * @public
      */
     RoleArn: string | undefined;
@@ -674,6 +695,11 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          security credentials that your application will use are associated with that user. This
      *          session name is included as part of the ARN and assumed role ID in the
      *             <code>AssumedRoleUser</code> response element.</p>
+     *          <p>For security purposes, administrators can view this field in <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds">CloudTrail logs</a> to help identify who performed an action in Amazon Web Services. Your
+     *          administrator might require that you specify your user name as the session name when you
+     *          assume the role. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname">
+     *                <code>sts:RoleSessionName</code>
+     *             </a>.</p>
      *          <p>The regex used to validate this parameter is a string of characters
      *     consisting of upper- and lower-case alphanumeric characters with no spaces. You can
      *     also include underscores or any of the following characters: =,.@-</p>
@@ -684,7 +710,8 @@ export interface AssumeRoleWithWebIdentityRequest {
      * <p>The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity
      *          provider. Your application must get this token by authenticating the user who is using your
      *          application with a web identity provider before the application makes an
-     *             <code>AssumeRoleWithWebIdentity</code> call. Only tokens with RSA algorithms (RS256) are
+     *             <code>AssumeRoleWithWebIdentity</code> call. Timestamps in the token must be formatted
+     *          as either an integer or a long integer. Only tokens with RSA algorithms (RS256) are
      *          supported.</p>
      * @public
      */
@@ -698,7 +725,7 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          <p>Do not specify this value for OpenID Connect ID tokens.</p>
      * @public
      */
-    ProviderId?: string;
+    ProviderId?: string | undefined;
     /**
      * <p>The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as
      *          managed session policies. The policies must exist in the same account as the role.</p>
@@ -723,7 +750,7 @@ export interface AssumeRoleWithWebIdentityRequest {
      *             Policies</a> in the <i>IAM User Guide</i>.</p>
      * @public
      */
-    PolicyArns?: PolicyDescriptorType[];
+    PolicyArns?: PolicyDescriptorType[] | undefined;
     /**
      * <p>An IAM policy in JSON format that you want to use as an inline session policy.</p>
      *          <p>This parameter is optional. Passing policies to this operation returns new
@@ -739,6 +766,8 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          character to the end of the valid character list (\u0020 through \u00FF). It can also
      *          include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D)
      *          characters.</p>
+     *          <p>For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+     *             policies</a>.</p>
      *          <note>
      *             <p>An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
      *             and session tags into a packed binary format that has a separate limit. Your request can
@@ -748,7 +777,7 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          </note>
      * @public
      */
-    Policy?: string;
+    Policy?: string | undefined;
     /**
      * <p>The duration, in seconds, of the role session. The value can range from 900 seconds (15
      *          minutes) up to the maximum session duration setting for the role. This setting can have a
@@ -770,7 +799,7 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          </note>
      * @public
      */
-    DurationSeconds?: number;
+    DurationSeconds?: number | undefined;
 }
 /**
  * <p>Contains the response to a successful <a>AssumeRoleWithWebIdentity</a>
@@ -787,7 +816,7 @@ export interface AssumeRoleWithWebIdentityResponse {
      *          </note>
      * @public
      */
-    Credentials?: Credentials;
+    Credentials?: Credentials | undefined;
     /**
      * <p>The unique user identifier that is returned by the identity provider. This identifier is
      *          associated with the <code>WebIdentityToken</code> that was submitted with the
@@ -797,7 +826,7 @@ export interface AssumeRoleWithWebIdentityResponse {
      *          identity provider as the token's <code>sub</code> (Subject) claim. </p>
      * @public
      */
-    SubjectFromWebIdentityToken?: string;
+    SubjectFromWebIdentityToken?: string | undefined;
     /**
      * <p>The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you
      *          can use to refer to the resulting temporary security credentials. For example, you can
@@ -806,14 +835,14 @@ export interface AssumeRoleWithWebIdentityResponse {
      *          when you called <code>AssumeRole</code>. </p>
      * @public
      */
-    AssumedRoleUser?: AssumedRoleUser;
+    AssumedRoleUser?: AssumedRoleUser | undefined;
     /**
      * <p>A percentage value that indicates the packed size of the session policies and session
      *       tags combined passed in the request. The request fails if the packed size is greater than 100 percent,
      *       which means the policies and tags exceeded the allowed space.</p>
      * @public
      */
-    PackedPolicySize?: number;
+    PackedPolicySize?: number | undefined;
     /**
      * <p> The issuing authority of the web identity token presented. For OpenID Connect ID
      *          tokens, this contains the value of the <code>iss</code> field. For OAuth 2.0 access tokens,
@@ -821,14 +850,14 @@ export interface AssumeRoleWithWebIdentityResponse {
      *             <code>AssumeRoleWithWebIdentity</code> request.</p>
      * @public
      */
-    Provider?: string;
+    Provider?: string | undefined;
     /**
      * <p>The intended audience (also known as client ID) of the web identity token. This is
      *          traditionally the client identifier issued to the application that requested the web
      *          identity token.</p>
      * @public
      */
-    Audience?: string;
+    Audience?: string | undefined;
     /**
      * <p>The value of the source identity that is returned in the JSON web token (JWT) from the
      *          identity provider.</p>
@@ -836,9 +865,9 @@ export interface AssumeRoleWithWebIdentityResponse {
      *          this by using the <code>sts:SourceIdentity</code> condition key in a role trust policy.
      *          That way, actions that are taken with the role are associated with that user. After the
      *          source identity is set, the value cannot be changed. It is present in the request for all
-     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining">chained
-     *             role</a> sessions. You can configure your identity provider to use an attribute
-     *          associated with your users, like user name or email, as the source identity when calling
+     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts">chained role</a>
+     *          sessions. You can configure your identity provider to use an attribute associated with your
+     *          users, like user name or email, as the source identity when calling
      *             <code>AssumeRoleWithWebIdentity</code>. You do this by adding a claim to the JSON web
      *          token. To learn more about OIDC tokens and claims, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html">Using Tokens with User Pools</a> in the <i>Amazon Cognito Developer Guide</i>.
      *          For more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
@@ -849,14 +878,14 @@ export interface AssumeRoleWithWebIdentityResponse {
      *     also include underscores or any of the following characters: =,.@-</p>
      * @public
      */
-    SourceIdentity?: string;
+    SourceIdentity?: string | undefined;
 }
 /**
- * <p>The request could not be fulfilled because the identity provider (IDP) that
- *             was asked to verify the incoming identity token could not be reached. This is often a
- *             transient error caused by network conditions. Retry the request a limited number of
- *             times so that you don't exceed the request rate. If the error persists, the
- *             identity provider might be down or not responding.</p>
+ * <p>The request could not be fulfilled because the identity provider (IDP) that was asked
+ *             to verify the incoming identity token could not be reached. This is often a transient
+ *             error caused by network conditions. Retry the request a limited number of times so that
+ *             you don't exceed the request rate. If the error persists, the identity provider might be
+ *             down or not responding.</p>
  * @public
  */
 export declare class IDPCommunicationErrorException extends __BaseException {
@@ -867,6 +896,87 @@ export declare class IDPCommunicationErrorException extends __BaseException {
      */
     constructor(opts: __ExceptionOptionType<IDPCommunicationErrorException, __BaseException>);
 }
+/**
+ * @public
+ */
+export interface AssumeRootRequest {
+    /**
+     * <p>The member account principal ARN or account ID.</p>
+     * @public
+     */
+    TargetPrincipal: string | undefined;
+    /**
+     * <p>The identity based policy that scopes the session to the privileged tasks that can be
+     *          performed. You can use one of following Amazon Web Services managed policies to scope
+     *          root session actions. You can add additional customer managed policies to further limit the
+     *          permissions for the root session.</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials">IAMAuditRootUserCredentials</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword">IAMCreateRootUserPassword</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials">IAMDeleteRootUserCredentials</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy">S3UnlockBucketPolicy</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy">SQSUnlockQueuePolicy</a>
+     *                </p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    TaskPolicyArn: PolicyDescriptorType | undefined;
+    /**
+     * <p>The duration, in seconds, of the privileged session. The value can range from 0 seconds
+     *          up to the maximum session duration of 900 seconds (15 minutes). If you specify a value
+     *          higher than this setting, the operation fails.</p>
+     *          <p>By default, the value is set to <code>900</code> seconds.</p>
+     * @public
+     */
+    DurationSeconds?: number | undefined;
+}
+/**
+ * @public
+ */
+export interface AssumeRootResponse {
+    /**
+     * <p>The temporary security credentials, which include an access key ID, a secret access key,
+     *          and a security token.</p>
+     *          <note>
+     *             <p>The size of the security token that STS API operations return is not fixed. We
+     *         strongly recommend that you make no assumptions about the maximum size.</p>
+     *          </note>
+     * @public
+     */
+    Credentials?: Credentials | undefined;
+    /**
+     * <p>The source identity specified by the principal that is calling the
+     *             <code>AssumeRoot</code> operation.</p>
+     *          <p>You can use the <code>aws:SourceIdentity</code> condition key to control access based on
+     *          the value of source identity. For more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
+     *             actions taken with assumed roles</a> in the
+     *          <i>IAM User Guide</i>.</p>
+     *          <p>The regex used to validate this parameter is a string of characters consisting of upper-
+     *          and lower-case alphanumeric characters with no spaces. You can also include underscores or
+     *          any of the following characters: =,.@-</p>
+     * @public
+     */
+    SourceIdentity?: string | undefined;
+}
 /**
  * @public
  */
@@ -887,12 +997,12 @@ export interface DecodeAuthorizationMessageResponse {
      * <p>The API returns a response with the decoded message.</p>
      * @public
      */
-    DecodedMessage?: string;
+    DecodedMessage?: string | undefined;
 }
 /**
  * <p>The error returned if the message passed to <code>DecodeAuthorizationMessage</code>
- *             was invalid. This can happen if the token contains invalid characters, such as
- *             linebreaks. </p>
+ *             was invalid. This can happen if the token contains invalid characters, such as line
+ *             breaks, or if the message has expired.</p>
  * @public
  */
 export declare class InvalidAuthorizationMessageException extends __BaseException {
@@ -923,7 +1033,7 @@ export interface GetAccessKeyInfoResponse {
      * <p>The number used to identify the Amazon Web Services account.</p>
      * @public
      */
-    Account?: string;
+    Account?: string | undefined;
 }
 /**
  * @public
@@ -943,18 +1053,18 @@ export interface GetCallerIdentityResponse {
      *          page in the <i>IAM User Guide</i>.</p>
      * @public
      */
-    UserId?: string;
+    UserId?: string | undefined;
     /**
      * <p>The Amazon Web Services account ID number of the account that owns or contains the calling
      *          entity.</p>
      * @public
      */
-    Account?: string;
+    Account?: string | undefined;
     /**
      * <p>The Amazon Web Services ARN associated with the calling entity.</p>
      * @public
      */
-    Arn?: string;
+    Arn?: string | undefined;
 }
 /**
  * @public
@@ -1003,7 +1113,7 @@ export interface GetFederationTokenRequest {
      *          </note>
      * @public
      */
-    Policy?: string;
+    Policy?: string | undefined;
     /**
      * <p>The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a
      *          managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.</p>
@@ -1036,7 +1146,7 @@ export interface GetFederationTokenRequest {
      *          </note>
      * @public
      */
-    PolicyArns?: PolicyDescriptorType[];
+    PolicyArns?: PolicyDescriptorType[] | undefined;
     /**
      * <p>The duration, in seconds, that the session should last. Acceptable durations for
      *          federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with
@@ -1046,7 +1156,7 @@ export interface GetFederationTokenRequest {
      *          credentials defaults to one hour.</p>
      * @public
      */
-    DurationSeconds?: number;
+    DurationSeconds?: number | undefined;
     /**
      * <p>A list of session tags. Each session tag consists of a key name and an associated value.
      *          For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
@@ -1072,7 +1182,7 @@ export interface GetFederationTokenRequest {
      *          the request takes precedence over the role tag.</p>
      * @public
      */
-    Tags?: Tag[];
+    Tags?: Tag[] | undefined;
 }
 /**
  * <p>Identifiers for the federated user that is associated with the credentials.</p>
@@ -1108,7 +1218,7 @@ export interface GetFederationTokenResponse {
      *          </note>
      * @public
      */
-    Credentials?: Credentials;
+    Credentials?: Credentials | undefined;
     /**
      * <p>Identifiers for the federated user associated with the credentials (such as
      *             <code>arn:aws:sts::123456789012:federated-user/Bob</code> or
@@ -1116,14 +1226,14 @@ export interface GetFederationTokenResponse {
      *          resource-based policies, such as an Amazon S3 bucket policy. </p>
      * @public
      */
-    FederatedUser?: FederatedUser;
+    FederatedUser?: FederatedUser | undefined;
     /**
      * <p>A percentage value that indicates the packed size of the session policies and session
      *       tags combined passed in the request. The request fails if the packed size is greater than 100 percent,
      *       which means the policies and tags exceeded the allowed space.</p>
      * @public
      */
-    PackedPolicySize?: number;
+    PackedPolicySize?: number | undefined;
 }
 /**
  * @public
@@ -1137,7 +1247,7 @@ export interface GetSessionTokenRequest {
      *          than one hour, the session for Amazon Web Services account owners defaults to one hour.</p>
      * @public
      */
-    DurationSeconds?: number;
+    DurationSeconds?: number | undefined;
     /**
      * <p>The identification number of the MFA device that is associated with the IAM user who is making the <code>GetSessionToken</code> call. Specify this value
      *          if the IAM user has a policy that requires MFA authentication. The value is
@@ -1149,7 +1259,7 @@ export interface GetSessionTokenRequest {
      *     You can also include underscores or any of the following characters: =,.@:/-</p>
      * @public
      */
-    SerialNumber?: string;
+    SerialNumber?: string | undefined;
     /**
      * <p>The value provided by the MFA device, if MFA is required. If any policy requires the
      *             IAM user to submit an MFA code, specify this value. If MFA authentication
@@ -1160,7 +1270,7 @@ export interface GetSessionTokenRequest {
      *          numeric digits.</p>
      * @public
      */
-    TokenCode?: string;
+    TokenCode?: string | undefined;
 }
 /**
  * <p>Contains the response to a successful <a>GetSessionToken</a> request,
@@ -1177,7 +1287,7 @@ export interface GetSessionTokenResponse {
      *          </note>
      * @public
      */
-    Credentials?: Credentials;
+    Credentials?: Credentials | undefined;
 }
 /**
  * @internal
@@ -1203,6 +1313,10 @@ export declare const AssumeRoleWithWebIdentityRequestFilterSensitiveLog: (obj: A
  * @internal
  */
 export declare const AssumeRoleWithWebIdentityResponseFilterSensitiveLog: (obj: AssumeRoleWithWebIdentityResponse) => any;
+/**
+ * @internal
+ */
+export declare const AssumeRootResponseFilterSensitiveLog: (obj: AssumeRootResponse) => any;
 /**
  * @internal
  */