cdk-docker-image-deployment 0.0.145 → 0.0.146
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.jsii +3 -3
- package/lib/destination.js +1 -1
- package/lib/docker-image-deployment.js +1 -1
- package/lib/source.js +1 -1
- package/node_modules/aws-sdk/CHANGELOG.md +9 -1
- package/node_modules/aws-sdk/README.md +1 -1
- package/node_modules/aws-sdk/apis/ec2-2016-11-15.min.json +1721 -1253
- package/node_modules/aws-sdk/apis/ec2-2016-11-15.paginators.json +24 -0
- package/node_modules/aws-sdk/apis/m2-2021-04-28.min.json +40 -29
- package/node_modules/aws-sdk/apis/s3control-2018-08-20.min.json +23 -1
- package/node_modules/aws-sdk/apis/sagemaker-2017-07-24.min.json +541 -534
- package/node_modules/aws-sdk/clients/ec2.d.ts +544 -14
- package/node_modules/aws-sdk/clients/m2.d.ts +10 -0
- package/node_modules/aws-sdk/clients/polly.d.ts +1 -1
- package/node_modules/aws-sdk/clients/redshiftserverless.d.ts +16 -16
- package/node_modules/aws-sdk/clients/sagemaker.d.ts +28 -1
- package/node_modules/aws-sdk/clients/sts.d.ts +4 -4
- package/node_modules/aws-sdk/dist/aws-sdk-core-react-native.js +1 -1
- package/node_modules/aws-sdk/dist/aws-sdk-react-native.js +6 -6
- package/node_modules/aws-sdk/dist/aws-sdk.js +1723 -1231
- package/node_modules/aws-sdk/dist/aws-sdk.min.js +73 -72
- package/node_modules/aws-sdk/lib/core.js +1 -1
- package/node_modules/aws-sdk/package.json +1 -1
- package/package.json +4 -4
|
@@ -380,6 +380,7 @@ declare namespace M2 {
|
|
|
380
380
|
* The unique identifier of the application that hosts this batch job.
|
|
381
381
|
*/
|
|
382
382
|
applicationId: Identifier;
|
|
383
|
+
batchJobIdentifier?: BatchJobIdentifier;
|
|
383
384
|
/**
|
|
384
385
|
* The timestamp when this batch job execution ended.
|
|
385
386
|
*/
|
|
@@ -400,6 +401,10 @@ declare namespace M2 {
|
|
|
400
401
|
* The type of a particular batch job execution.
|
|
401
402
|
*/
|
|
402
403
|
jobType?: BatchJobType;
|
|
404
|
+
/**
|
|
405
|
+
*
|
|
406
|
+
*/
|
|
407
|
+
returnCode?: String;
|
|
403
408
|
/**
|
|
404
409
|
* The timestamp when a particular batch job execution started.
|
|
405
410
|
*/
|
|
@@ -1059,6 +1064,7 @@ declare namespace M2 {
|
|
|
1059
1064
|
* The identifier of the application.
|
|
1060
1065
|
*/
|
|
1061
1066
|
applicationId: Identifier;
|
|
1067
|
+
batchJobIdentifier?: BatchJobIdentifier;
|
|
1062
1068
|
/**
|
|
1063
1069
|
* The timestamp when the batch job execution ended.
|
|
1064
1070
|
*/
|
|
@@ -1083,6 +1089,10 @@ declare namespace M2 {
|
|
|
1083
1089
|
* The user for the job.
|
|
1084
1090
|
*/
|
|
1085
1091
|
jobUser?: String100;
|
|
1092
|
+
/**
|
|
1093
|
+
*
|
|
1094
|
+
*/
|
|
1095
|
+
returnCode?: String;
|
|
1086
1096
|
/**
|
|
1087
1097
|
* The timestamp when the batch job execution started.
|
|
1088
1098
|
*/
|
|
@@ -488,7 +488,7 @@ declare namespace Polly {
|
|
|
488
488
|
*/
|
|
489
489
|
SupportedEngines?: EngineList;
|
|
490
490
|
}
|
|
491
|
-
export type VoiceId = "Aditi"|"Amy"|"Astrid"|"Bianca"|"Brian"|"Camila"|"Carla"|"Carmen"|"Celine"|"Chantal"|"Conchita"|"Cristiano"|"Dora"|"Emma"|"Enrique"|"Ewa"|"Filiz"|"Gabrielle"|"Geraint"|"Giorgio"|"Gwyneth"|"Hans"|"Ines"|"Ivy"|"Jacek"|"Jan"|"Joanna"|"Joey"|"Justin"|"Karl"|"Kendra"|"Kevin"|"Kimberly"|"Lea"|"Liv"|"Lotte"|"Lucia"|"Lupe"|"Mads"|"Maja"|"Marlene"|"Mathieu"|"Matthew"|"Maxim"|"Mia"|"Miguel"|"Mizuki"|"Naja"|"Nicole"|"Olivia"|"Penelope"|"Raveena"|"Ricardo"|"Ruben"|"Russell"|"Salli"|"Seoyeon"|"Takumi"|"Tatyana"|"Vicki"|"Vitoria"|"Zeina"|"Zhiyu"|"Aria"|"Ayanda"|"Arlet"|"Hannah"|"Arthur"|"Daniel"|"Liam"|"Pedro"|"Kajal"|"Hiujin"|"Laura"|"Elin"|"Ida"|"Suvi"|"Ola"|"Hala"|string;
|
|
491
|
+
export type VoiceId = "Aditi"|"Amy"|"Astrid"|"Bianca"|"Brian"|"Camila"|"Carla"|"Carmen"|"Celine"|"Chantal"|"Conchita"|"Cristiano"|"Dora"|"Emma"|"Enrique"|"Ewa"|"Filiz"|"Gabrielle"|"Geraint"|"Giorgio"|"Gwyneth"|"Hans"|"Ines"|"Ivy"|"Jacek"|"Jan"|"Joanna"|"Joey"|"Justin"|"Karl"|"Kendra"|"Kevin"|"Kimberly"|"Lea"|"Liv"|"Lotte"|"Lucia"|"Lupe"|"Mads"|"Maja"|"Marlene"|"Mathieu"|"Matthew"|"Maxim"|"Mia"|"Miguel"|"Mizuki"|"Naja"|"Nicole"|"Olivia"|"Penelope"|"Raveena"|"Ricardo"|"Ruben"|"Russell"|"Salli"|"Seoyeon"|"Takumi"|"Tatyana"|"Vicki"|"Vitoria"|"Zeina"|"Zhiyu"|"Aria"|"Ayanda"|"Arlet"|"Hannah"|"Arthur"|"Daniel"|"Liam"|"Pedro"|"Kajal"|"Hiujin"|"Laura"|"Elin"|"Ida"|"Suvi"|"Ola"|"Hala"|"Andres"|"Sergio"|"Remi"|"Adriano"|"Thiago"|string;
|
|
492
492
|
export type VoiceList = Voice[];
|
|
493
493
|
export type VoiceName = string;
|
|
494
494
|
/**
|
|
@@ -268,11 +268,11 @@ declare class RedshiftServerless extends Service {
|
|
|
268
268
|
*/
|
|
269
269
|
restoreFromSnapshot(callback?: (err: AWSError, data: RedshiftServerless.Types.RestoreFromSnapshotResponse) => void): Request<RedshiftServerless.Types.RestoreFromSnapshotResponse, AWSError>;
|
|
270
270
|
/**
|
|
271
|
-
* Restores a table from a snapshot to your Amazon Redshift Serverless instance.
|
|
271
|
+
* Restores a table from a snapshot to your Amazon Redshift Serverless instance. You can't use this operation to restore tables with interleaved sort keys.
|
|
272
272
|
*/
|
|
273
273
|
restoreTableFromSnapshot(params: RedshiftServerless.Types.RestoreTableFromSnapshotRequest, callback?: (err: AWSError, data: RedshiftServerless.Types.RestoreTableFromSnapshotResponse) => void): Request<RedshiftServerless.Types.RestoreTableFromSnapshotResponse, AWSError>;
|
|
274
274
|
/**
|
|
275
|
-
* Restores a table from a snapshot to your Amazon Redshift Serverless instance.
|
|
275
|
+
* Restores a table from a snapshot to your Amazon Redshift Serverless instance. You can't use this operation to restore tables with interleaved sort keys.
|
|
276
276
|
*/
|
|
277
277
|
restoreTableFromSnapshot(callback?: (err: AWSError, data: RedshiftServerless.Types.RestoreTableFromSnapshotResponse) => void): Request<RedshiftServerless.Types.RestoreTableFromSnapshotResponse, AWSError>;
|
|
278
278
|
/**
|
|
@@ -300,11 +300,11 @@ declare class RedshiftServerless extends Service {
|
|
|
300
300
|
*/
|
|
301
301
|
updateEndpointAccess(callback?: (err: AWSError, data: RedshiftServerless.Types.UpdateEndpointAccessResponse) => void): Request<RedshiftServerless.Types.UpdateEndpointAccessResponse, AWSError>;
|
|
302
302
|
/**
|
|
303
|
-
* Updates a namespace with the specified settings.
|
|
303
|
+
* Updates a namespace with the specified settings. Unless required, you can't update multiple parameters in one request. For example, you must specify both adminUsername and adminUserPassword to update either field, but you can't update both kmsKeyId and logExports in a single request.
|
|
304
304
|
*/
|
|
305
305
|
updateNamespace(params: RedshiftServerless.Types.UpdateNamespaceRequest, callback?: (err: AWSError, data: RedshiftServerless.Types.UpdateNamespaceResponse) => void): Request<RedshiftServerless.Types.UpdateNamespaceResponse, AWSError>;
|
|
306
306
|
/**
|
|
307
|
-
* Updates a namespace with the specified settings.
|
|
307
|
+
* Updates a namespace with the specified settings. Unless required, you can't update multiple parameters in one request. For example, you must specify both adminUsername and adminUserPassword to update either field, but you can't update both kmsKeyId and logExports in a single request.
|
|
308
308
|
*/
|
|
309
309
|
updateNamespace(callback?: (err: AWSError, data: RedshiftServerless.Types.UpdateNamespaceResponse) => void): Request<RedshiftServerless.Types.UpdateNamespaceResponse, AWSError>;
|
|
310
310
|
/**
|
|
@@ -324,11 +324,11 @@ declare class RedshiftServerless extends Service {
|
|
|
324
324
|
*/
|
|
325
325
|
updateUsageLimit(callback?: (err: AWSError, data: RedshiftServerless.Types.UpdateUsageLimitResponse) => void): Request<RedshiftServerless.Types.UpdateUsageLimitResponse, AWSError>;
|
|
326
326
|
/**
|
|
327
|
-
* Updates a workgroup with the specified configuration settings.
|
|
327
|
+
* Updates a workgroup with the specified configuration settings. You can't update multiple parameters in one request. For example, you can update baseCapacity or port in a single request, but you can't update both in the same request.
|
|
328
328
|
*/
|
|
329
329
|
updateWorkgroup(params: RedshiftServerless.Types.UpdateWorkgroupRequest, callback?: (err: AWSError, data: RedshiftServerless.Types.UpdateWorkgroupResponse) => void): Request<RedshiftServerless.Types.UpdateWorkgroupResponse, AWSError>;
|
|
330
330
|
/**
|
|
331
|
-
* Updates a workgroup with the specified configuration settings.
|
|
331
|
+
* Updates a workgroup with the specified configuration settings. You can't update multiple parameters in one request. For example, you can update baseCapacity or port in a single request, but you can't update both in the same request.
|
|
332
332
|
*/
|
|
333
333
|
updateWorkgroup(callback?: (err: AWSError, data: RedshiftServerless.Types.UpdateWorkgroupResponse) => void): Request<RedshiftServerless.Types.UpdateWorkgroupResponse, AWSError>;
|
|
334
334
|
}
|
|
@@ -338,7 +338,7 @@ declare namespace RedshiftServerless {
|
|
|
338
338
|
export type Boolean = boolean;
|
|
339
339
|
export interface ConfigParameter {
|
|
340
340
|
/**
|
|
341
|
-
* The key of the parameter. The options are datestyle, enable_user_activity_logging, query_group, search_path, and
|
|
341
|
+
* The key of the parameter. The options are auto_mv, datestyle, enable_case_sensitivity_identifier, enable_user_activity_logging, query_group, search_path, and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see Query monitoring metrics for Amazon Redshift Serverless.
|
|
342
342
|
*/
|
|
343
343
|
parameterKey?: ParameterKey;
|
|
344
344
|
/**
|
|
@@ -497,7 +497,7 @@ declare namespace RedshiftServerless {
|
|
|
497
497
|
*/
|
|
498
498
|
baseCapacity?: Integer;
|
|
499
499
|
/**
|
|
500
|
-
* An array of parameters to set for
|
|
500
|
+
* An array of parameters to set for advanced control over a database. The options are auto_mv, datestyle, enable_case_sensitivity_identifier, enable_user_activity_logging, query_group, search_path, and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see Query monitoring metrics for Amazon Redshift Serverless.
|
|
501
501
|
*/
|
|
502
502
|
configParameters?: ConfigParameterList;
|
|
503
503
|
/**
|
|
@@ -1477,19 +1477,19 @@ declare namespace RedshiftServerless {
|
|
|
1477
1477
|
}
|
|
1478
1478
|
export interface UpdateNamespaceRequest {
|
|
1479
1479
|
/**
|
|
1480
|
-
* The password of the administrator for the first database created in the namespace.
|
|
1480
|
+
* The password of the administrator for the first database created in the namespace. This parameter must be updated together with adminUsername.
|
|
1481
1481
|
*/
|
|
1482
1482
|
adminUserPassword?: DbPassword;
|
|
1483
1483
|
/**
|
|
1484
|
-
* The username of the administrator for the first database created in the namespace.
|
|
1484
|
+
* The username of the administrator for the first database created in the namespace. This parameter must be updated together with adminUserPassword.
|
|
1485
1485
|
*/
|
|
1486
1486
|
adminUsername?: DbUser;
|
|
1487
1487
|
/**
|
|
1488
|
-
* The Amazon Resource Name (ARN) of the IAM role to set as a default in the namespace.
|
|
1488
|
+
* The Amazon Resource Name (ARN) of the IAM role to set as a default in the namespace. This parameter must be updated together with iamRoles.
|
|
1489
1489
|
*/
|
|
1490
1490
|
defaultIamRoleArn?: String;
|
|
1491
1491
|
/**
|
|
1492
|
-
* A list of IAM roles to associate with the namespace.
|
|
1492
|
+
* A list of IAM roles to associate with the namespace. This parameter must be updated together with defaultIamRoleArn.
|
|
1493
1493
|
*/
|
|
1494
1494
|
iamRoles?: IamRoleArnList;
|
|
1495
1495
|
/**
|
|
@@ -1501,7 +1501,7 @@ declare namespace RedshiftServerless {
|
|
|
1501
1501
|
*/
|
|
1502
1502
|
logExports?: LogExportList;
|
|
1503
1503
|
/**
|
|
1504
|
-
* The name of the namespace.
|
|
1504
|
+
* The name of the namespace to update. You can't update the name of a namespace once it is created.
|
|
1505
1505
|
*/
|
|
1506
1506
|
namespaceName: NamespaceName;
|
|
1507
1507
|
}
|
|
@@ -1553,7 +1553,7 @@ declare namespace RedshiftServerless {
|
|
|
1553
1553
|
*/
|
|
1554
1554
|
baseCapacity?: Integer;
|
|
1555
1555
|
/**
|
|
1556
|
-
* An array of parameters to set for advanced control over a database. The options are datestyle, enable_user_activity_logging, query_group, search_path, and
|
|
1556
|
+
* An array of parameters to set for advanced control over a database. The options are auto_mv, datestyle, enable_case_sensitivity_identifier, enable_user_activity_logging, query_group, search_path, and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see Query monitoring metrics for Amazon Redshift Serverless.
|
|
1557
1557
|
*/
|
|
1558
1558
|
configParameters?: ConfigParameterList;
|
|
1559
1559
|
/**
|
|
@@ -1577,7 +1577,7 @@ declare namespace RedshiftServerless {
|
|
|
1577
1577
|
*/
|
|
1578
1578
|
subnetIds?: SubnetIdList;
|
|
1579
1579
|
/**
|
|
1580
|
-
* The name of the workgroup to update.
|
|
1580
|
+
* The name of the workgroup to update. You can't update the name of a workgroup once it is created.
|
|
1581
1581
|
*/
|
|
1582
1582
|
workgroupName: WorkgroupName;
|
|
1583
1583
|
}
|
|
@@ -1655,7 +1655,7 @@ declare namespace RedshiftServerless {
|
|
|
1655
1655
|
*/
|
|
1656
1656
|
baseCapacity?: Integer;
|
|
1657
1657
|
/**
|
|
1658
|
-
* An array of parameters to set for
|
|
1658
|
+
* An array of parameters to set for advanced control over a database. The options are auto_mv, datestyle, enable_case_sensitivity_identifier, enable_user_activity_logging, query_group, , search_path, and query monitoring metrics that let you define performance boundaries. For more information about query monitoring rules and available metrics, see Query monitoring metrics for Amazon Redshift Serverless.
|
|
1659
1659
|
*/
|
|
1660
1660
|
configParameters?: ConfigParameterList;
|
|
1661
1661
|
/**
|
|
@@ -12052,6 +12052,10 @@ declare namespace SageMaker {
|
|
|
12052
12052
|
* Defines the model configuration.
|
|
12053
12053
|
*/
|
|
12054
12054
|
ModelConfiguration: ModelConfiguration;
|
|
12055
|
+
/**
|
|
12056
|
+
* The recommendation ID which uniquely identifies each recommendation.
|
|
12057
|
+
*/
|
|
12058
|
+
RecommendationId?: String;
|
|
12055
12059
|
}
|
|
12056
12060
|
export type InferenceRecommendations = InferenceRecommendation[];
|
|
12057
12061
|
export interface InferenceRecommendationsJob {
|
|
@@ -16008,6 +16012,10 @@ declare namespace SageMaker {
|
|
|
16008
16012
|
* Defines the environment parameters that includes key, value types, and values.
|
|
16009
16013
|
*/
|
|
16010
16014
|
EnvironmentParameters?: EnvironmentParameters;
|
|
16015
|
+
/**
|
|
16016
|
+
* The name of the compilation job used to create the recommended model artifacts.
|
|
16017
|
+
*/
|
|
16018
|
+
CompilationJobName?: RecommendationJobCompilationJobName;
|
|
16011
16019
|
}
|
|
16012
16020
|
export interface ModelDashboardEndpoint {
|
|
16013
16021
|
/**
|
|
@@ -18688,6 +18696,7 @@ declare namespace SageMaker {
|
|
|
18688
18696
|
export type RealtimeInferenceInstanceTypes = ProductionVariantInstanceType[];
|
|
18689
18697
|
export type RecommendationFailureReason = string;
|
|
18690
18698
|
export type RecommendationJobArn = string;
|
|
18699
|
+
export type RecommendationJobCompilationJobName = string;
|
|
18691
18700
|
export interface RecommendationJobCompiledOutputConfig {
|
|
18692
18701
|
/**
|
|
18693
18702
|
* Identifies the Amazon S3 bucket where you want SageMaker to store the compiled model artifacts.
|
|
@@ -18723,7 +18732,12 @@ declare namespace SageMaker {
|
|
|
18723
18732
|
* A list of the instance types that are used to generate inferences in real-time.
|
|
18724
18733
|
*/
|
|
18725
18734
|
SupportedInstanceTypes?: RecommendationJobSupportedInstanceTypes;
|
|
18735
|
+
/**
|
|
18736
|
+
* Specifies the name and shape of the expected data inputs for your trained model with a JSON dictionary form. This field is used for optimizing your model using SageMaker Neo. For more information, see DataInputConfig.
|
|
18737
|
+
*/
|
|
18738
|
+
DataInputConfig?: RecommendationJobDataInputConfig;
|
|
18726
18739
|
}
|
|
18740
|
+
export type RecommendationJobDataInputConfig = string;
|
|
18727
18741
|
export type RecommendationJobDescription = string;
|
|
18728
18742
|
export interface RecommendationJobInferenceBenchmark {
|
|
18729
18743
|
Metrics?: RecommendationMetrics;
|
|
@@ -18738,7 +18752,7 @@ declare namespace SageMaker {
|
|
|
18738
18752
|
/**
|
|
18739
18753
|
* The Amazon Resource Name (ARN) of a versioned model package.
|
|
18740
18754
|
*/
|
|
18741
|
-
ModelPackageVersionArn
|
|
18755
|
+
ModelPackageVersionArn?: ModelPackageArn;
|
|
18742
18756
|
/**
|
|
18743
18757
|
* Specifies the maximum duration of the job, in seconds.>
|
|
18744
18758
|
*/
|
|
@@ -18771,6 +18785,10 @@ declare namespace SageMaker {
|
|
|
18771
18785
|
* Inference Recommender provisions SageMaker endpoints with access to VPC in the inference recommendation job.
|
|
18772
18786
|
*/
|
|
18773
18787
|
VpcConfig?: RecommendationJobVpcConfig;
|
|
18788
|
+
/**
|
|
18789
|
+
* The name of the created model.
|
|
18790
|
+
*/
|
|
18791
|
+
ModelName?: ModelName;
|
|
18774
18792
|
}
|
|
18775
18793
|
export type RecommendationJobName = string;
|
|
18776
18794
|
export interface RecommendationJobOutputConfig {
|
|
@@ -18848,6 +18866,14 @@ declare namespace SageMaker {
|
|
|
18848
18866
|
* The expected model latency at maximum invocation per minute for the instance.
|
|
18849
18867
|
*/
|
|
18850
18868
|
ModelLatency: Integer;
|
|
18869
|
+
/**
|
|
18870
|
+
* The expected CPU utilization at maximum invocations per minute for the instance. NaN indicates that the value is not available.
|
|
18871
|
+
*/
|
|
18872
|
+
CpuUtilization?: UtilizationMetric;
|
|
18873
|
+
/**
|
|
18874
|
+
* The expected memory utilization at maximum invocations per minute for the instance. NaN indicates that the value is not available.
|
|
18875
|
+
*/
|
|
18876
|
+
MemoryUtilization?: UtilizationMetric;
|
|
18851
18877
|
}
|
|
18852
18878
|
export type RecommendationStepType = "BENCHMARK"|string;
|
|
18853
18879
|
export type RecordWrapper = "None"|"RecordIO"|string;
|
|
@@ -21604,6 +21630,7 @@ declare namespace SageMaker {
|
|
|
21604
21630
|
*/
|
|
21605
21631
|
CanvasAppSettings?: CanvasAppSettings;
|
|
21606
21632
|
}
|
|
21633
|
+
export type UtilizationMetric = number;
|
|
21607
21634
|
export type ValidationFraction = number;
|
|
21608
21635
|
export type VariantName = string;
|
|
21609
21636
|
export interface VariantProperty {
|
|
@@ -12,11 +12,11 @@ declare class STS extends Service {
|
|
|
12
12
|
constructor(options?: STS.Types.ClientConfiguration)
|
|
13
13
|
config: Config & STS.Types.ClientConfiguration;
|
|
14
14
|
/**
|
|
15
|
-
* Returns a set of temporary security credentials that you can use to access Amazon Web Services resources
|
|
15
|
+
* Returns a set of temporary security credentials that you can use to access Amazon Web Services resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide. Permissions The temporary security credentials created by AssumeRole can be used to make API calls to any Amazon Web Services service with the following exception: You cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken API operations. (Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide. When you create a role, you create two policies: A role trust policy that specifies who can assume the role and a permissions policy that specifies what can be done with the role. You specify the trusted principal who is allowed to assume the role in the role trust policy. To assume a role from a different account, your Amazon Web Services account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account. A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account. To allow a user to assume a role in the same account, you can do either of the following: Attach a policy to the user that allows the user to call AssumeRole (as long as the role's trust policy trusts the account). Add the user as a principal directly in the role's trust policy. You can do either because the role’s trust policy acts as an IAM resource-based policy. When a resource-based policy grants access to a principal in the same account, no additional identity-based policy is required. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide. An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide. You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example. "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide. To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.
|
|
16
16
|
*/
|
|
17
17
|
assumeRole(params: STS.Types.AssumeRoleRequest, callback?: (err: AWSError, data: STS.Types.AssumeRoleResponse) => void): Request<STS.Types.AssumeRoleResponse, AWSError>;
|
|
18
18
|
/**
|
|
19
|
-
* Returns a set of temporary security credentials that you can use to access Amazon Web Services resources
|
|
19
|
+
* Returns a set of temporary security credentials that you can use to access Amazon Web Services resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide. Permissions The temporary security credentials created by AssumeRole can be used to make API calls to any Amazon Web Services service with the following exception: You cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken API operations. (Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide. When you create a role, you create two policies: A role trust policy that specifies who can assume the role and a permissions policy that specifies what can be done with the role. You specify the trusted principal who is allowed to assume the role in the role trust policy. To assume a role from a different account, your Amazon Web Services account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account. A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account. To allow a user to assume a role in the same account, you can do either of the following: Attach a policy to the user that allows the user to call AssumeRole (as long as the role's trust policy trusts the account). Add the user as a principal directly in the role's trust policy. You can do either because the role’s trust policy acts as an IAM resource-based policy. When a resource-based policy grants access to a principal in the same account, no additional identity-based policy is required. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide. An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide. You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example. "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide. To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.
|
|
20
20
|
*/
|
|
21
21
|
assumeRole(callback?: (err: AWSError, data: STS.Types.AssumeRoleResponse) => void): Request<STS.Types.AssumeRoleResponse, AWSError>;
|
|
22
22
|
/**
|
|
@@ -60,11 +60,11 @@ declare class STS extends Service {
|
|
|
60
60
|
*/
|
|
61
61
|
getCallerIdentity(callback?: (err: AWSError, data: STS.Types.GetCallerIdentityResponse) => void): Request<STS.Types.GetCallerIdentityResponse, AWSError>;
|
|
62
62
|
/**
|
|
63
|
-
* Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide. You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide. You can also call GetFederationToken using the security credentials of an Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide. Session duration The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials obtained by using the Amazon Web Services account root user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions You can use the temporary credentials created by GetFederationToken in any Amazon Web Services service
|
|
63
|
+
* Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide. You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide. You can also call GetFederationToken using the security credentials of an Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide. Session duration The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials obtained by using the Amazon Web Services account root user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions You can use the temporary credentials created by GetFederationToken in any Amazon Web Services service with the following exceptions: You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions. You cannot call any STS operations except GetCallerIdentity. You can use temporary credentials for single sign-on (SSO) to the console. You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker. You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies. Tags (Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide. You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide. An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide. Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the user that you are federating has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.
|
|
64
64
|
*/
|
|
65
65
|
getFederationToken(params: STS.Types.GetFederationTokenRequest, callback?: (err: AWSError, data: STS.Types.GetFederationTokenResponse) => void): Request<STS.Types.GetFederationTokenResponse, AWSError>;
|
|
66
66
|
/**
|
|
67
|
-
* Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide. You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide. You can also call GetFederationToken using the security credentials of an Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide. Session duration The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials obtained by using the Amazon Web Services account root user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions You can use the temporary credentials created by GetFederationToken in any Amazon Web Services service
|
|
67
|
+
* Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide. You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide. You can also call GetFederationToken using the security credentials of an Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide. Session duration The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials obtained by using the Amazon Web Services account root user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions You can use the temporary credentials created by GetFederationToken in any Amazon Web Services service with the following exceptions: You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions. You cannot call any STS operations except GetCallerIdentity. You can use temporary credentials for single sign-on (SSO) to the console. You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker. You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies. Tags (Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide. You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide. An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide. Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the user that you are federating has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.
|
|
68
68
|
*/
|
|
69
69
|
getFederationToken(callback?: (err: AWSError, data: STS.Types.GetFederationTokenResponse) => void): Request<STS.Types.GetFederationTokenResponse, AWSError>;
|
|
70
70
|
/**
|