@cdklabs/cdk-ecs-codedeploy 0.0.346 → 0.0.347

package/node_modules/@aws-sdk/client-sts/dist-types/commands/AssumeRootCommand.d.ts

@@ -0,0 +1,129 @@
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+import { AssumeRootRequest, AssumeRootResponse } from "../models/models_0";
+import { ServiceInputTypes, ServiceOutputTypes, STSClientResolvedConfig } from "../STSClient";
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link AssumeRootCommand}.
+ */
+export interface AssumeRootCommandInput extends AssumeRootRequest {
+}
+/**
+ * @public
+ *
+ * The output of {@link AssumeRootCommand}.
+ */
+export interface AssumeRootCommandOutput extends AssumeRootResponse, __MetadataBearer {
+}
+declare const AssumeRootCommand_base: {
+    new (input: AssumeRootCommandInput): import("@smithy/smithy-client").CommandImpl<AssumeRootCommandInput, AssumeRootCommandOutput, STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
+    new (__0_0: AssumeRootCommandInput): import("@smithy/smithy-client").CommandImpl<AssumeRootCommandInput, AssumeRootCommandOutput, STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes>;
+    getEndpointParameterInstructions(): import("@smithy/middleware-endpoint").EndpointParameterInstructions;
+};
+/**
+ * <p>Returns a set of short term credentials you can use to perform privileged tasks in a
+ *          member account.</p>
+ *          <p>Before you can launch a privileged session, you must have enabled centralized root
+ *          access in your organization. For steps to enable this feature, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html">Centralize root access for member accounts</a> in the <i>IAM User
+ *             Guide</i>.</p>
+ *          <note>
+ *             <p>The global endpoint is not supported for AssumeRoot. You must send this request to a
+ *             Regional STS endpoint. For more information, see <a href="https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html#sts-endpoints">Endpoints</a>.</p>
+ *          </note>
+ *          <p>You can track AssumeRoot in CloudTrail logs to determine what actions were performed in a
+ *          session. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-track-privileged-tasks.html">Track privileged tasks
+ *             in CloudTrail</a> in the <i>IAM User Guide</i>.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { STSClient, AssumeRootCommand } from "@aws-sdk/client-sts"; // ES Modules import
+ * // const { STSClient, AssumeRootCommand } = require("@aws-sdk/client-sts"); // CommonJS import
+ * const client = new STSClient(config);
+ * const input = { // AssumeRootRequest
+ *   TargetPrincipal: "STRING_VALUE", // required
+ *   TaskPolicyArn: { // PolicyDescriptorType
+ *     arn: "STRING_VALUE",
+ *   },
+ *   DurationSeconds: Number("int"),
+ * };
+ * const command = new AssumeRootCommand(input);
+ * const response = await client.send(command);
+ * // { // AssumeRootResponse
+ * //   Credentials: { // Credentials
+ * //     AccessKeyId: "STRING_VALUE", // required
+ * //     SecretAccessKey: "STRING_VALUE", // required
+ * //     SessionToken: "STRING_VALUE", // required
+ * //     Expiration: new Date("TIMESTAMP"), // required
+ * //   },
+ * //   SourceIdentity: "STRING_VALUE",
+ * // };
+ *
+ * ```
+ *
+ * @param AssumeRootCommandInput - {@link AssumeRootCommandInput}
+ * @returns {@link AssumeRootCommandOutput}
+ * @see {@link AssumeRootCommandInput} for command's `input` shape.
+ * @see {@link AssumeRootCommandOutput} for command's `response` shape.
+ * @see {@link STSClientResolvedConfig | config} for STSClient's `config` shape.
+ *
+ * @throws {@link ExpiredTokenException} (client fault)
+ *  <p>The web identity token that was passed is expired or is not valid. Get a new identity
+ *             token from the identity provider and then retry the request.</p>
+ *
+ * @throws {@link RegionDisabledException} (client fault)
+ *  <p>STS is not activated in the requested region for the account that is being asked to
+ *             generate credentials. The account administrator must use the IAM console to activate
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
+ *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
+ *                 Guide</i>.</p>
+ *
+ * @throws {@link STSServiceException}
+ * <p>Base exception class for all service exceptions from STS service.</p>
+ *
+ * @public
+ * @example To launch a privileged session
+ * ```javascript
+ * // The following command retrieves a set of short-term credentials you can use to unlock an S3 bucket for a member account by removing the bucket policy.
+ * const input = {
+ *   "DurationSeconds": 900,
+ *   "TargetPrincipal": "111122223333",
+ *   "TaskPolicyArn": {
+ *     "arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy"
+ *   }
+ * };
+ * const command = new AssumeRootCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "Credentials": {
+ *     "AccessKeyId": "ASIAJEXAMPLEXEG2JICEA",
+ *     "Expiration": "2024-11-15T00:05:07Z",
+ *     "SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
+ *     "SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU="
+ *   },
+ *   "SourceIdentity": "Alice"
+ * }
+ * *\/
+ * // example id: to-launch-a-privileged-session-1731335424565
+ * ```
+ *
+ */
+export declare class AssumeRootCommand extends AssumeRootCommand_base {
+    /** @internal type navigation helper, not in runtime. */
+    protected static __types: {
+        api: {
+            input: AssumeRootRequest;
+            output: AssumeRootResponse;
+        };
+        sdk: {
+            input: AssumeRootCommandInput;
+            output: AssumeRootCommandOutput;
+        };
+    };
+}

package/node_modules/@aws-sdk/client-sts/dist-types/commands/DecodeAuthorizationMessageCommand.d.ts

@@ -88,8 +88,8 @@ declare const DecodeAuthorizationMessageCommand_base: {
  *
  * @throws {@link InvalidAuthorizationMessageException} (client fault)
  *  <p>The error returned if the message passed to <code>DecodeAuthorizationMessage</code>
- *             was invalid. This can happen if the token contains invalid characters, such as
- *             linebreaks. </p>
+ *             was invalid. This can happen if the token contains invalid characters, such as line
+ *             breaks, or if the message has expired.</p>
  *
  * @throws {@link STSServiceException}
  * <p>Base exception class for all service exceptions from STS service.</p>

package/node_modules/@aws-sdk/client-sts/dist-types/commands/GetFederationTokenCommand.d.ts

@@ -36,8 +36,8 @@ declare const GetFederationTokenCommand_base: {
  *          contexts where those credentials can be safeguarded, usually in a server-based application.
  *          For a comparison of <code>GetFederationToken</code> with the other API operations that
  *          produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
- *             Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
- *             Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
+ *             Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html">Compare STS
+ *             credentials</a> in the <i>IAM User Guide</i>.</p>
  *          <p>Although it is possible to call <code>GetFederationToken</code> using the security
  *          credentials of an Amazon Web Services account root user rather than an IAM user that you
  *          create for the purpose of a proxy application, we do not recommend it. For more
@@ -174,15 +174,15 @@ declare const GetFederationTokenCommand_base: {
  *             tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
  *             the <i>IAM User Guide</i>.</p>
  *          <p>You could receive this error even though you meet other defined session policy and
- *             session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity
- *                 Character Limits</a> in the <i>IAM User Guide</i>.</p>
+ *             session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
+ *                 Guide</i>.</p>
  *
  * @throws {@link RegionDisabledException} (client fault)
  *  <p>STS is not activated in the requested region for the account that is being asked to
- *             generate credentials. The account administrator must use the IAM console to activate STS
- *             in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
- *                 Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                     Guide</i>.</p>
+ *             generate credentials. The account administrator must use the IAM console to activate
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
+ *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
+ *                 Guide</i>.</p>
  *
  * @throws {@link STSServiceException}
  * <p>Base exception class for all service exceptions from STS service.</p>

package/node_modules/@aws-sdk/client-sts/dist-types/commands/GetSessionTokenCommand.d.ts

@@ -38,8 +38,8 @@ declare const GetSessionTokenCommand_base: {
  *          calls to API operations that require MFA authentication. An incorrect MFA code causes the
  *          API to return an access denied error. For a comparison of <code>GetSessionToken</code> with
  *          the other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting
- *             Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
- *             Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
+ *             Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html">Compare STS
+ *             credentials</a> in the <i>IAM User Guide</i>.</p>
  *          <note>
  *             <p>No permissions are required for users to perform this operation. The purpose of the
  *                <code>sts:GetSessionToken</code> operation is to authenticate the user using MFA. You
@@ -118,10 +118,10 @@ declare const GetSessionTokenCommand_base: {
  *
  * @throws {@link RegionDisabledException} (client fault)
  *  <p>STS is not activated in the requested region for the account that is being asked to
- *             generate credentials. The account administrator must use the IAM console to activate STS
- *             in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
- *                 Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                     Guide</i>.</p>
+ *             generate credentials. The account administrator must use the IAM console to activate
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
+ *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
+ *                 Guide</i>.</p>
  *
  * @throws {@link STSServiceException}
  * <p>Base exception class for all service exceptions from STS service.</p>

package/node_modules/@aws-sdk/client-sts/dist-types/commands/index.d.ts

@@ -1,6 +1,7 @@
 export * from "./AssumeRoleCommand";
 export * from "./AssumeRoleWithSAMLCommand";
 export * from "./AssumeRoleWithWebIdentityCommand";
+export * from "./AssumeRootCommand";
 export * from "./DecodeAuthorizationMessageCommand";
 export * from "./GetAccessKeyInfoCommand";
 export * from "./GetCallerIdentityCommand";

package/node_modules/@aws-sdk/client-sts/dist-types/models/models_0.d.ts

@@ -95,6 +95,11 @@ export interface AssumeRoleRequest {
      *          session name is also used in the ARN of the assumed role principal. This means that
      *          subsequent cross-account API requests that use the temporary security credentials will
      *          expose the role session name to the external account in their CloudTrail logs.</p>
+     *          <p>For security purposes, administrators can view this field in <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds">CloudTrail logs</a> to help identify who performed an action in Amazon Web Services. Your
+     *          administrator might require that you specify your user name as the session name when you
+     *          assume the role. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname">
+     *                <code>sts:RoleSessionName</code>
+     *             </a>.</p>
      *          <p>The regex used to validate this parameter is a string of characters
      *     consisting of upper- and lower-case alphanumeric characters with no spaces. You can
      *     also include underscores or any of the following characters: =,.@-</p>
@@ -148,6 +153,8 @@ export interface AssumeRoleRequest {
      *                <code>PackedPolicySize</code> response element indicates by percentage how close the
      *             policies and tags for your request are to the upper size limit.</p>
      *          </note>
+     *          <p>For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+     *             policies</a>.</p>
      * @public
      */
     Policy?: string | undefined;
@@ -164,9 +171,7 @@ export interface AssumeRoleRequest {
      *          specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum
      *          session duration setting for your role. However, if you assume a role using role chaining
      *          and provide a <code>DurationSeconds</code> parameter value greater than one hour, the
-     *          operation fails. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
-     *             Maximum Session Duration Setting for a Role</a> in the
-     *             <i>IAM User Guide</i>.</p>
+     *          operation fails. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration">Update the maximum session duration for a role</a>.</p>
      *          <p>By default, the value is set to <code>3600</code> seconds. </p>
      *          <note>
      *             <p>The <code>DurationSeconds</code> parameter is separate from the duration of a console
@@ -216,8 +221,8 @@ export interface AssumeRoleRequest {
      *          as transitive, the corresponding key and value passes to subsequent sessions in a role
      *          chain. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
      *             with Session Tags</a> in the <i>IAM User Guide</i>.</p>
-     *          <p>This parameter is optional. When you set session tags as transitive, the session policy
-     *          and session tags packed binary limit is not affected.</p>
+     *          <p>This parameter is optional. The transitive status of a session tag does not impact its
+     *          packed binary size.</p>
      *          <p>If you choose not to specify a transitive tag key, then no tags are passed from this
      *          session to any subsequent sessions.</p>
      * @public
@@ -265,13 +270,15 @@ export interface AssumeRoleRequest {
     TokenCode?: string | undefined;
     /**
      * <p>The source identity specified by the principal that is calling the
-     *             <code>AssumeRole</code> operation.</p>
+     *             <code>AssumeRole</code> operation. The source identity value persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining">chained role</a> sessions.</p>
      *          <p>You can require users to specify a source identity when they assume a role. You do this
-     *          by using the <code>sts:SourceIdentity</code> condition key in a role trust policy. You can
-     *          use source identity information in CloudTrail logs to determine who took actions with a role.
-     *          You can use the <code>aws:SourceIdentity</code> condition key to further control access to
-     *          Amazon Web Services resources based on the value of source identity. For more information about using
-     *          source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
+     *          by using the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity">
+     *                <code>sts:SourceIdentity</code>
+     *             </a> condition key in a role trust policy. You
+     *          can use source identity information in CloudTrail logs to determine who took actions with a
+     *          role. You can use the <code>aws:SourceIdentity</code> condition key to further control
+     *          access to Amazon Web Services resources based on the value of source identity. For more information about
+     *          using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
      *             actions taken with assumed roles</a> in the
      *          <i>IAM User Guide</i>.</p>
      *          <p>The regex used to validate this parameter is a string of characters consisting of upper-
@@ -405,8 +412,8 @@ export declare class MalformedPolicyDocumentException extends __BaseException {
  *             tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
  *             the <i>IAM User Guide</i>.</p>
  *          <p>You could receive this error even though you meet other defined session policy and
- *             session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity
- *                 Character Limits</a> in the <i>IAM User Guide</i>.</p>
+ *             session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
+ *                 Guide</i>.</p>
  * @public
  */
 export declare class PackedPolicyTooLargeException extends __BaseException {
@@ -419,10 +426,10 @@ export declare class PackedPolicyTooLargeException extends __BaseException {
 }
 /**
  * <p>STS is not activated in the requested region for the account that is being asked to
- *             generate credentials. The account administrator must use the IAM console to activate STS
- *             in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
- *                 Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                     Guide</i>.</p>
+ *             generate credentials. The account administrator must use the IAM console to activate
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
+ *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
+ *                 Guide</i>.</p>
  * @public
  */
 export declare class RegionDisabledException extends __BaseException {
@@ -495,6 +502,8 @@ export interface AssumeRoleWithSAMLRequest {
      *          character to the end of the valid character list (\u0020 through \u00FF). It can also
      *          include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D)
      *          characters.</p>
+     *          <p>For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+     *             policies</a>.</p>
      *          <note>
      *             <p>An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
      *             and session tags into a packed binary format that has a separate limit. Your request can
@@ -612,14 +621,16 @@ export interface AssumeRoleWithSAMLResponse {
      */
     NameQualifier?: string | undefined;
     /**
-     * <p>The value in the <code>SourceIdentity</code> attribute in the SAML assertion. </p>
+     * <p>The value in the <code>SourceIdentity</code> attribute in the SAML assertion. The source
+     *          identity value persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining">chained role</a>
+     *          sessions.</p>
      *          <p>You can require users to set a source identity value when they assume a role. You do
      *          this by using the <code>sts:SourceIdentity</code> condition key in a role trust policy.
      *          That way, actions that are taken with the role are associated with that user. After the
      *          source identity is set, the value cannot be changed. It is present in the request for all
-     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining">chained
-     *             role</a> sessions. You can configure your SAML identity provider to use an attribute
-     *          associated with your users, like user name or email, as the source identity when calling
+     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts">chained role</a>
+     *          sessions. You can configure your SAML identity provider to use an attribute associated with
+     *          your users, like user name or email, as the source identity when calling
      *             <code>AssumeRoleWithSAML</code>. You do this by adding an attribute to the SAML
      *          assertion. For more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
      *             actions taken with assumed roles</a> in the
@@ -665,6 +676,16 @@ export declare class InvalidIdentityTokenException extends __BaseException {
 export interface AssumeRoleWithWebIdentityRequest {
     /**
      * <p>The Amazon Resource Name (ARN) of the role that the caller is assuming.</p>
+     *          <note>
+     *             <p>Additional considerations apply to Amazon Cognito identity pools that assume <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html">cross-account IAM roles</a>. The trust policies of these roles must accept the
+     *                <code>cognito-identity.amazonaws.com</code> service principal and must contain the
+     *                <code>cognito-identity.amazonaws.com:aud</code> condition key to restrict role
+     *             assumption to users from your intended identity pools. A policy that trusts Amazon Cognito
+     *             identity pools without this condition creates a risk that a user from an unintended
+     *             identity pool can assume the role. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies"> Trust policies for
+     *                IAM roles in Basic (Classic) authentication </a> in the <i>Amazon Cognito
+     *                Developer Guide</i>.</p>
+     *          </note>
      * @public
      */
     RoleArn: string | undefined;
@@ -674,6 +695,11 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          security credentials that your application will use are associated with that user. This
      *          session name is included as part of the ARN and assumed role ID in the
      *             <code>AssumedRoleUser</code> response element.</p>
+     *          <p>For security purposes, administrators can view this field in <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds">CloudTrail logs</a> to help identify who performed an action in Amazon Web Services. Your
+     *          administrator might require that you specify your user name as the session name when you
+     *          assume the role. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname">
+     *                <code>sts:RoleSessionName</code>
+     *             </a>.</p>
      *          <p>The regex used to validate this parameter is a string of characters
      *     consisting of upper- and lower-case alphanumeric characters with no spaces. You can
      *     also include underscores or any of the following characters: =,.@-</p>
@@ -684,7 +710,8 @@ export interface AssumeRoleWithWebIdentityRequest {
      * <p>The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity
      *          provider. Your application must get this token by authenticating the user who is using your
      *          application with a web identity provider before the application makes an
-     *             <code>AssumeRoleWithWebIdentity</code> call. Only tokens with RSA algorithms (RS256) are
+     *             <code>AssumeRoleWithWebIdentity</code> call. Timestamps in the token must be formatted
+     *          as either an integer or a long integer. Only tokens with RSA algorithms (RS256) are
      *          supported.</p>
      * @public
      */
@@ -739,6 +766,8 @@ export interface AssumeRoleWithWebIdentityRequest {
      *          character to the end of the valid character list (\u0020 through \u00FF). It can also
      *          include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D)
      *          characters.</p>
+     *          <p>For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
+     *             policies</a>.</p>
      *          <note>
      *             <p>An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
      *             and session tags into a packed binary format that has a separate limit. Your request can
@@ -836,9 +865,9 @@ export interface AssumeRoleWithWebIdentityResponse {
      *          this by using the <code>sts:SourceIdentity</code> condition key in a role trust policy.
      *          That way, actions that are taken with the role are associated with that user. After the
      *          source identity is set, the value cannot be changed. It is present in the request for all
-     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining">chained
-     *             role</a> sessions. You can configure your identity provider to use an attribute
-     *          associated with your users, like user name or email, as the source identity when calling
+     *          actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts">chained role</a>
+     *          sessions. You can configure your identity provider to use an attribute associated with your
+     *          users, like user name or email, as the source identity when calling
      *             <code>AssumeRoleWithWebIdentity</code>. You do this by adding a claim to the JSON web
      *          token. To learn more about OIDC tokens and claims, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html">Using Tokens with User Pools</a> in the <i>Amazon Cognito Developer Guide</i>.
      *          For more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
@@ -852,11 +881,11 @@ export interface AssumeRoleWithWebIdentityResponse {
     SourceIdentity?: string | undefined;
 }
 /**
- * <p>The request could not be fulfilled because the identity provider (IDP) that
- *             was asked to verify the incoming identity token could not be reached. This is often a
- *             transient error caused by network conditions. Retry the request a limited number of
- *             times so that you don't exceed the request rate. If the error persists, the
- *             identity provider might be down or not responding.</p>
+ * <p>The request could not be fulfilled because the identity provider (IDP) that was asked
+ *             to verify the incoming identity token could not be reached. This is often a transient
+ *             error caused by network conditions. Retry the request a limited number of times so that
+ *             you don't exceed the request rate. If the error persists, the identity provider might be
+ *             down or not responding.</p>
  * @public
  */
 export declare class IDPCommunicationErrorException extends __BaseException {
@@ -867,6 +896,87 @@ export declare class IDPCommunicationErrorException extends __BaseException {
      */
     constructor(opts: __ExceptionOptionType<IDPCommunicationErrorException, __BaseException>);
 }
+/**
+ * @public
+ */
+export interface AssumeRootRequest {
+    /**
+     * <p>The member account principal ARN or account ID.</p>
+     * @public
+     */
+    TargetPrincipal: string | undefined;
+    /**
+     * <p>The identity based policy that scopes the session to the privileged tasks that can be
+     *          performed. You can use one of following Amazon Web Services managed policies to scope
+     *          root session actions. You can add additional customer managed policies to further limit the
+     *          permissions for the root session.</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials">IAMAuditRootUserCredentials</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword">IAMCreateRootUserPassword</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials">IAMDeleteRootUserCredentials</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy">S3UnlockBucketPolicy</a>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy">SQSUnlockQueuePolicy</a>
+     *                </p>
+     *             </li>
+     *          </ul>
+     * @public
+     */
+    TaskPolicyArn: PolicyDescriptorType | undefined;
+    /**
+     * <p>The duration, in seconds, of the privileged session. The value can range from 0 seconds
+     *          up to the maximum session duration of 900 seconds (15 minutes). If you specify a value
+     *          higher than this setting, the operation fails.</p>
+     *          <p>By default, the value is set to <code>900</code> seconds.</p>
+     * @public
+     */
+    DurationSeconds?: number | undefined;
+}
+/**
+ * @public
+ */
+export interface AssumeRootResponse {
+    /**
+     * <p>The temporary security credentials, which include an access key ID, a secret access key,
+     *          and a security token.</p>
+     *          <note>
+     *             <p>The size of the security token that STS API operations return is not fixed. We
+     *         strongly recommend that you make no assumptions about the maximum size.</p>
+     *          </note>
+     * @public
+     */
+    Credentials?: Credentials | undefined;
+    /**
+     * <p>The source identity specified by the principal that is calling the
+     *             <code>AssumeRoot</code> operation.</p>
+     *          <p>You can use the <code>aws:SourceIdentity</code> condition key to control access based on
+     *          the value of source identity. For more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control
+     *             actions taken with assumed roles</a> in the
+     *          <i>IAM User Guide</i>.</p>
+     *          <p>The regex used to validate this parameter is a string of characters consisting of upper-
+     *          and lower-case alphanumeric characters with no spaces. You can also include underscores or
+     *          any of the following characters: =,.@-</p>
+     * @public
+     */
+    SourceIdentity?: string | undefined;
+}
 /**
  * @public
  */
@@ -891,8 +1001,8 @@ export interface DecodeAuthorizationMessageResponse {
 }
 /**
  * <p>The error returned if the message passed to <code>DecodeAuthorizationMessage</code>
- *             was invalid. This can happen if the token contains invalid characters, such as
- *             linebreaks. </p>
+ *             was invalid. This can happen if the token contains invalid characters, such as line
+ *             breaks, or if the message has expired.</p>
  * @public
  */
 export declare class InvalidAuthorizationMessageException extends __BaseException {
@@ -1203,6 +1313,10 @@ export declare const AssumeRoleWithWebIdentityRequestFilterSensitiveLog: (obj: A
  * @internal
  */
 export declare const AssumeRoleWithWebIdentityResponseFilterSensitiveLog: (obj: AssumeRoleWithWebIdentityResponse) => any;
+/**
+ * @internal
+ */
+export declare const AssumeRootResponseFilterSensitiveLog: (obj: AssumeRootResponse) => any;
 /**
  * @internal
  */

package/node_modules/@aws-sdk/client-sts/dist-types/protocols/Aws_query.d.ts

@@ -3,6 +3,7 @@ import { SerdeContext as __SerdeContext } from "@smithy/types";
 import { AssumeRoleCommandInput, AssumeRoleCommandOutput } from "../commands/AssumeRoleCommand";
 import { AssumeRoleWithSAMLCommandInput, AssumeRoleWithSAMLCommandOutput } from "../commands/AssumeRoleWithSAMLCommand";
 import { AssumeRoleWithWebIdentityCommandInput, AssumeRoleWithWebIdentityCommandOutput } from "../commands/AssumeRoleWithWebIdentityCommand";
+import { AssumeRootCommandInput, AssumeRootCommandOutput } from "../commands/AssumeRootCommand";
 import { DecodeAuthorizationMessageCommandInput, DecodeAuthorizationMessageCommandOutput } from "../commands/DecodeAuthorizationMessageCommand";
 import { GetAccessKeyInfoCommandInput, GetAccessKeyInfoCommandOutput } from "../commands/GetAccessKeyInfoCommand";
 import { GetCallerIdentityCommandInput, GetCallerIdentityCommandOutput } from "../commands/GetCallerIdentityCommand";
@@ -20,6 +21,10 @@ export declare const se_AssumeRoleWithSAMLCommand: (input: AssumeRoleWithSAMLCom
  * serializeAws_queryAssumeRoleWithWebIdentityCommand
  */
 export declare const se_AssumeRoleWithWebIdentityCommand: (input: AssumeRoleWithWebIdentityCommandInput, context: __SerdeContext) => Promise<__HttpRequest>;
+/**
+ * serializeAws_queryAssumeRootCommand
+ */
+export declare const se_AssumeRootCommand: (input: AssumeRootCommandInput, context: __SerdeContext) => Promise<__HttpRequest>;
 /**
  * serializeAws_queryDecodeAuthorizationMessageCommand
  */
@@ -52,6 +57,10 @@ export declare const de_AssumeRoleWithSAMLCommand: (output: __HttpResponse, cont
  * deserializeAws_queryAssumeRoleWithWebIdentityCommand
  */
 export declare const de_AssumeRoleWithWebIdentityCommand: (output: __HttpResponse, context: __SerdeContext) => Promise<AssumeRoleWithWebIdentityCommandOutput>;
+/**
+ * deserializeAws_queryAssumeRootCommand
+ */
+export declare const de_AssumeRootCommand: (output: __HttpResponse, context: __SerdeContext) => Promise<AssumeRootCommandOutput>;
 /**
  * deserializeAws_queryDecodeAuthorizationMessageCommand
  */

package/node_modules/@aws-sdk/client-sts/dist-types/ts3.4/STS.d.ts

@@ -11,6 +11,10 @@ import {
   AssumeRoleWithWebIdentityCommandInput,
   AssumeRoleWithWebIdentityCommandOutput,
 } from "./commands/AssumeRoleWithWebIdentityCommand";
+import {
+  AssumeRootCommandInput,
+  AssumeRootCommandOutput,
+} from "./commands/AssumeRootCommand";
 import {
   DecodeAuthorizationMessageCommandInput,
   DecodeAuthorizationMessageCommandOutput,
@@ -72,6 +76,19 @@ export interface STS {
     options: __HttpHandlerOptions,
     cb: (err: any, data?: AssumeRoleWithWebIdentityCommandOutput) => void
   ): void;
+  assumeRoot(
+    args: AssumeRootCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<AssumeRootCommandOutput>;
+  assumeRoot(
+    args: AssumeRootCommandInput,
+    cb: (err: any, data?: AssumeRootCommandOutput) => void
+  ): void;
+  assumeRoot(
+    args: AssumeRootCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: AssumeRootCommandOutput) => void
+  ): void;
   decodeAuthorizationMessage(
     args: DecodeAuthorizationMessageCommandInput,
     options?: __HttpHandlerOptions

package/node_modules/@aws-sdk/client-sts/dist-types/ts3.4/STSClient.d.ts

@@ -57,6 +57,10 @@ import {
   AssumeRoleWithWebIdentityCommandInput,
   AssumeRoleWithWebIdentityCommandOutput,
 } from "./commands/AssumeRoleWithWebIdentityCommand";
+import {
+  AssumeRootCommandInput,
+  AssumeRootCommandOutput,
+} from "./commands/AssumeRootCommand";
 import {
   DecodeAuthorizationMessageCommandInput,
   DecodeAuthorizationMessageCommandOutput,
@@ -88,6 +92,7 @@ export type ServiceInputTypes =
   | AssumeRoleCommandInput
   | AssumeRoleWithSAMLCommandInput
   | AssumeRoleWithWebIdentityCommandInput
+  | AssumeRootCommandInput
   | DecodeAuthorizationMessageCommandInput
   | GetAccessKeyInfoCommandInput
   | GetCallerIdentityCommandInput
@@ -97,6 +102,7 @@ export type ServiceOutputTypes =
   | AssumeRoleCommandOutput
   | AssumeRoleWithSAMLCommandOutput
   | AssumeRoleWithWebIdentityCommandOutput
+  | AssumeRootCommandOutput
   | DecodeAuthorizationMessageCommandOutput
   | GetAccessKeyInfoCommandOutput
   | GetCallerIdentityCommandOutput