awscli 1.36.25__py3-none-any.whl → 1.36.27__py3-none-any.whl

awscli/examples/cloudfront/update-distribution.rst

@@ -1,9 +1,9 @@
-**To update a CloudFront distribution's default root object**
+**Example 1: To update a CloudFront distribution's default root object**
 
-The following example updates the default root object to ``index.html`` for the
-CloudFront distribution with the ID ``EDFDVBD6EXAMPLE``::
+The following example updates the default root object to ``index.html`` for the CloudFront distribution with the ID ``EDFDVBD6EXAMPLE``. ::
 
-    aws cloudfront update-distribution --id EDFDVBD6EXAMPLE \
+    aws cloudfront update-distribution \
+        --id EDFDVBD6EXAMPLE \
         --default-root-object index.html
 
 Output::
@@ -136,28 +136,20 @@ Output::
         }
     }
 
-**To update a CloudFront distribution**
-
-The following example disables the CloudFront distribution with the ID
-``EMLARXS9EXAMPLE`` by providing the distribution configuration in a JSON file
-named ``dist-config-disable.json``. To update a distribution, you must use the
-``--if-match`` option to provide the distribution's ``ETag``. To get the
-``ETag``, use the `get-distribution <get-distribution.html>`_ or
-`get-distribution-config <get-distribution-config.html>`_ command.
+**Example 2: To update a CloudFront distribution**
 
-After you use the following example to disable a distribution, you can use the
-`delete-distribution <delete-distribution.html>`_ command to delete it.
+The following example disables the CloudFront distribution with the ID ``EMLARXS9EXAMPLE`` by providing the distribution configuration in a JSON file named ``dist-config-disable.json``. To update a distribution, you must use the ``--if-match`` option to provide the distribution's ``ETag``. To get the
+``ETag``, use the `get-distribution <get-distribution.html>`_ or `get-distribution-config <get-distribution-config.html>`_ command. Note that the ``Enabled`` field is set to
+``false`` in the JSON file.
 
-::
+After you use the following example to disable a distribution, you can use the `delete-distribution <delete-distribution.html>`_ command to delete it. ::
 
     aws cloudfront update-distribution \
         --id EMLARXS9EXAMPLE \
         --if-match E2QWRUHEXAMPLE \
         --distribution-config file://dist-config-disable.json
 
-The file ``dist-config-disable.json`` is a JSON document in the current folder
-that contains the following. Note that the ``Enabled`` field is set to
-``false``::
+Contents of ``dist-config-disable.json``::
 
     {
         "CallerReference": "cli-1574382155-496510",
@@ -169,8 +161,8 @@ that contains the following. Note that the ``Enabled`` field is set to
             "Quantity": 1,
             "Items": [
                 {
-                    "Id": "awsexamplebucket.s3.amazonaws.com-1574382155-273939",
-                    "DomainName": "awsexamplebucket.s3.amazonaws.com",
+                    "Id": "amzn-s3-demo-bucket.s3.amazonaws.com-1574382155-273939",
+                    "DomainName": "amzn-s3-demo-bucket.s3.amazonaws.com",
                     "OriginPath": "",
                     "CustomHeaders": {
                         "Quantity": 0
@@ -185,7 +177,7 @@ that contains the following. Note that the ``Enabled`` field is set to
             "Quantity": 0
         },
         "DefaultCacheBehavior": {
-            "TargetOriginId": "awsexamplebucket.s3.amazonaws.com-1574382155-273939",
+            "TargetOriginId": "amzn-s3-demo-bucket.s3.amazonaws.com-1574382155-273939",
             "ForwardedValues": {
                 "QueryString": false,
                 "Cookies": {
@@ -283,8 +275,8 @@ Output::
                     "Quantity": 1,
                     "Items": [
                         {
-                            "Id": "awsexamplebucket.s3.amazonaws.com-1574382155-273939",
-                            "DomainName": "awsexamplebucket.s3.amazonaws.com",
+                            "Id": "amzn-s3-demo-bucket.s3.amazonaws.com-1574382155-273939",
+                            "DomainName": "amzn-s3-demo-bucket.s3.amazonaws.com",
                             "OriginPath": "",
                             "CustomHeaders": {
                                 "Quantity": 0
@@ -299,7 +291,7 @@ Output::
                     "Quantity": 0
                 },
                 "DefaultCacheBehavior": {
-                    "TargetOriginId": "awsexamplebucket.s3.amazonaws.com-1574382155-273939",
+                    "TargetOriginId": "amzn-s3-demo-bucket.s3.amazonaws.com-1574382155-273939",
                     "ForwardedValues": {
                         "QueryString": false,
                         "Cookies": {

awscli/examples/cognito-idp/admin-disable-provider-for-user.rst

@@ -0,0 +1,9 @@
+**To unlink a federated user from a local user profile**
+
+The following ``admin-disable-provider-for-user`` example disconnects a Google user from their linked local profile. ::
+
+    aws cognito-idp admin-disable-provider-for-user \
+        --user-pool-id us-west-2_EXAMPLE \
+        --user ProviderAttributeName=Cognito_Subject,ProviderAttributeValue=0000000000000000,ProviderName=Google
+
+For more information, see `Linking federated users to an existing user profile <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/admin-disable-user.rst

@@ -0,0 +1,9 @@
+**To prevent sign-in by a user**
+
+The following ``admin-disable-user`` example prevents sign-in by the user ``diego@example.com``. ::
+
+    aws cognito-idp admin-disable-user \
+        --user-pool-id us-west-2_EXAMPLE \
+        --username diego@example.com
+
+For more information, see `Managing users <https://docs.aws.amazon.com/cognito/latest/developerguide/managing-users.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/admin-enable-user.rst

@@ -0,0 +1,9 @@
+**To enable sign-in by a user**
+
+The following ``admin-enable-user`` example enables sign-in by the user diego@example.com. ::
+
+    aws cognito-idp admin-enable-user \
+        --user-pool-id us-west-2_EXAMPLE \
+        --username diego@example.com
+
+For more information, see `Managing users <https://docs.aws.amazon.com/cognito/latest/developerguide/managing-users.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/admin-get-device.rst

@@ -1,8 +1,51 @@
-**To get a device**
-
-This example gets a device for username jane@example.com
-
-Command::
-
-  aws cognito-idp admin-get-device --user-pool-id us-west-2_aaaaaaaaa --username jane@example.com --device-key us-west-2_abcd_1234-5678
-
+**To get a device**
+
+The following ``admin-get-device`` example displays one device for the user ``diego``. ::
+
+    aws cognito-idp admin-get-device \
+        --user-pool-id us-west-2_EXAMPLE \
+        --username diego \
+        --device-key us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
+
+Output::
+
+    {
+        "Device": {
+            "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
+            "DeviceAttributes": [
+                {
+                    "Name": "device_status",
+                    "Value": "valid"
+                },
+                {
+                    "Name": "device_name",
+                    "Value": "MyDevice"
+                },
+                {
+                    "Name": "dev:device_arn",
+                    "Value": "arn:aws:cognito-idp:us-west-2:123456789012:owner/diego.us-west-2_EXAMPLE/device/us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
+                },
+                {
+                    "Name": "dev:device_owner",
+                    "Value": "diego.us-west-2_EXAMPLE"
+                },
+                {
+                    "Name": "last_ip_used",
+                    "Value": "192.0.2.1"
+                },
+                {
+                    "Name": "dev:device_remembered_status",
+                    "Value": "remembered"
+                },
+                {
+                    "Name": "dev:device_sdk",
+                    "Value": "aws-sdk"
+                }
+            ],
+            "DeviceCreateDate": 1715100742.022,
+            "DeviceLastModifiedDate": 1723233651.167,
+            "DeviceLastAuthenticatedDate": 1715100742.0
+        }
+    }
+
+For more information, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/admin-initiate-auth.rst

@@ -1,25 +1,24 @@
-**To initiate authorization**
-
-This example initiates authorization using the ADMIN_NO_SRP_AUTH flow for username jane@example.com
-
-The client must have sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH) enabled.
-
-Use the session information in the return value to call `admin-respond-to-auth-challenge`_.
-
-Command::
-
-  aws cognito-idp admin-initiate-auth --user-pool-id us-west-2_aaaaaaaaa --client-id 3n4b5urk1ft4fl3mg5e62d9ado --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=jane@example.com,PASSWORD=password
-  
-Output::
-
-  {
-    "ChallengeName": "NEW_PASSWORD_REQUIRED",
-    "Session": "SESSION",
-    "ChallengeParameters": {
-        "USER_ID_FOR_SRP": "84514837-dcbc-4af1-abff-f3c109334894",
-        "requiredAttributes": "[]",
-        "userAttributes": "{\"email_verified\":\"true\",\"phone_number_verified\":\"true\",\"phone_number\":\"+01xxx5550100\",\"email\":\"jane@example.com\"}"
-    }
-  }
-  
-.. _`admin-respond-to-auth-challenge`: https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/admin-respond-to-auth-challenge.html
+**To sign in a user as an admin**
+
+The following ``admin-initiate-auth`` example signs in the user diego@example.com. This example also includes metadata for threat protection and ClientMetadata for Lambda triggers. The user is configured for TOTP MFA and receives a challenge to provide a code from their authenticator app before they can complete authentication. ::
+
+    aws cognito-idp admin-initiate-auth \
+        --user-pool-id us-west-2_EXAMPLE \
+        --client-id 1example23456789 \
+        --auth-flow ADMIN_USER_PASSWORD_AUTH \
+        --auth-parameters USERNAME=diego@example.com,PASSWORD="My@Example$Password3!",SECRET_HASH=ExampleEncodedClientIdSecretAndUsername= \
+        --context-data="{\"EncodedData\":\"abc123example\",\"HttpHeaders\":[{\"headerName\":\"UserAgent\",\"headerValue\":\"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0\"}],\"IpAddress\":\"192.0.2.1\",\"ServerName\":\"example.com\",\"ServerPath\":\"/login\"}" \
+        --client-metadata="{\"MyExampleKey\": \"MyExampleValue\"}"
+
+Output::
+
+    {
+        "ChallengeName": "SOFTWARE_TOKEN_MFA",
+        "Session": "AYABeExample...",
+        "ChallengeParameters": {
+            "FRIENDLY_DEVICE_NAME": "MyAuthenticatorApp",
+            "USER_ID_FOR_SRP": "diego@example.com"
+        }
+    }
+
+For more information, see `Admin authentication flow <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-admin-authentication-flow>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/admin-link-provider-for-user.rst

@@ -0,0 +1,10 @@
+**To link a local user to a federated user**
+
+The following ``admin-link-provider-for-user`` example links the local user diego to a user who will do federated sign-in with Google. ::
+
+    aws cognito-idp admin-link-provider-for-user \
+        --user-pool-id us-west-2_EXAMPLE \
+        --destination-user ProviderName=Cognito,ProviderAttributeValue=diego \
+        --source-user ProviderAttributeName=Cognito_Subject,ProviderAttributeValue=0000000000000000,ProviderName=Google
+
+For more information, see `Linking federated users to an existing user profile <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/admin-list-devices.rst

@@ -1,7 +1,53 @@
-**To list devices for a user**
-
-This example lists devices for username jane@example.com. 
-
-Command::
-
-  aws cognito-idp admin-list-devices --user-pool-id us-west-2_aaaaaaaaa --username jane@example.com
+**To list devices for a user**
+
+The following ``admin-list-devices`` example lists devices for the user diego. ::
+
+    aws cognito-idp admin-list-devices \
+        --user-pool-id us-west-2_EXAMPLE \
+        --username diego \
+        --limit 1
+
+Output::
+
+    {
+        "Devices": [
+            {
+                "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
+                "DeviceAttributes": [
+                    {
+                        "Name": "device_status",
+                        "Value": "valid"
+                    },
+                    {
+                        "Name": "device_name",
+                        "Value": "MyDevice"
+                    },
+                    {
+                        "Name": "dev:device_arn",
+                        "Value": "arn:aws:cognito-idp:us-west-2:123456789012:owner/diego.us-west-2_EXAMPLE/device/us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
+                    },
+                    {
+                        "Name": "dev:device_owner",
+                        "Value": "diego.us-west-2_EXAMPLE"
+                    },
+                    {
+                        "Name": "last_ip_used",
+                        "Value": "192.0.2.1"
+                    },
+                    {
+                        "Name": "dev:device_remembered_status",
+                        "Value": "remembered"
+                    },
+                    {
+                        "Name": "dev:device_sdk",
+                        "Value": "aws-sdk"
+                    }
+                ],
+                "DeviceCreateDate": 1715100742.022,
+                "DeviceLastModifiedDate": 1723233651.167,
+                "DeviceLastAuthenticatedDate": 1715100742.0
+            }
+        ]
+    }
+
+For more information, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/admin-list-user-auth-events.rst

@@ -1,8 +1,40 @@
-**To list authorization events for a user**
-
-This example lists authorization events for username diego@example.com. 
-
-Command::
-
-  aws cognito-idp admin-list-user-auth-events --user-pool-id us-west-2_aaaaaaaaa --username diego@example.com
-  
+**To list authorization events for a user**
+
+The following ``admin-list-user-auth-events`` example lists the most recent user activity log event for the user diego. ::
+
+    aws cognito-idp admin-list-user-auth-events \
+        --user-pool-id us-west-2_ywDJHlIfU \
+        --username brcotter+050123 \
+        --max-results 1
+
+Output::
+
+    {
+        "AuthEvents": [
+            {
+                "EventId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
+                "EventType": "SignIn",
+                "CreationDate": 1726694203.495,
+                "EventResponse": "InProgress",
+                "EventRisk": {
+                    "RiskDecision": "AccountTakeover",
+                    "RiskLevel": "Medium",
+                    "CompromisedCredentialsDetected": false
+                },
+                "ChallengeResponses": [
+                    {
+                        "ChallengeName": "Password",
+                        "ChallengeResponse": "Success"
+                    }
+                ],
+                "EventContextData": {
+                    "IpAddress": "192.0.2.1",
+                    "City": "Seattle",
+                    "Country": "United States"
+                }
+            }
+        ],
+        "NextToken": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222#2024-09-18T21:16:43.495Z"
+    }
+
+For more information, see `Viewing and exporting user event history <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-event-user-history>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/admin-respond-to-auth-challenge.rst

@@ -0,0 +1,29 @@
+**To respond to an authentication challenge**
+
+There are many ways to respond to different authentication challenges, depending on your authentication flow, user pool configuration, and user settings. The following ``admin-respond-to-auth-challenge`` example provides a TOTP MFA code for diego@example.com and completes sign-in. This user pool has device remembering turned on, so the authentication result also returns a new device key. ::
+
+    aws cognito-idp admin-respond-to-auth-challenge \
+        --user-pool-id us-west-2_EXAMPLE \
+        --client-id 1example23456789 \
+        --challenge-name SOFTWARE_TOKEN_MFA \
+        --challenge-responses USERNAME=diego@example.com,SOFTWARE_TOKEN_MFA_CODE=000000 \
+        --session AYABeExample...
+
+Output::
+
+    {
+        "ChallengeParameters": {},
+        "AuthenticationResult": {
+            "AccessToken": "eyJra456defEXAMPLE",
+            "ExpiresIn": 3600,
+            "TokenType": "Bearer",
+            "RefreshToken": "eyJra123abcEXAMPLE",
+            "IdToken": "eyJra789ghiEXAMPLE",
+            "NewDeviceMetadata": {
+                "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
+                "DeviceGroupKey": "-ExAmPlE1"
+            }
+        }
+    }
+
+For more information, see `Admin authentication flow <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-admin-authentication-flow>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/admin-set-user-password.rst

@@ -0,0 +1,13 @@
+**To set a user password as an admin**
+
+The following ``admin-set-user-password`` example permanently sets the password for diego@example.com. ::
+
+    aws cognito-idp admin-set-user-password \
+        --user-pool-id us-west-2_EXAMPLE \
+        --username diego@example.com \
+        --password MyExamplePassword1! \
+        --permanent
+
+This command produces no output.
+
+For more information, see `Passwords, password recovery, and password policies <https://docs.aws.amazon.com/cognito/latest/developerguide/managing-users-passwords.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/admin-user-global-sign-out.rst

@@ -0,0 +1,9 @@
+**To sign out a user as an admin**
+
+The following ``admin-user-global-sign-out`` example signs out the user diego@example.com. ::
+
+    aws cognito-idp admin-user-global-sign-out \
+        --user-pool-id us-west-2_EXAMPLE \
+        --username diego@example.com
+
+For more information, see `Authentication with a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/associate-software-token.rst

@@ -0,0 +1,14 @@
+**To generate a secret key for an MFA authenticator app**
+
+The following ``associate-software-token`` example generates a TOTP private key for a user who has signed in and received an access token. The resulting private key can be manually entered into an authenticator app, or applications can render it as a QR code that the user can scan. ::
+
+    aws cognito-idp associate-software-token \
+        --access-token eyJra456defEXAMPLE
+
+Output::
+
+    {
+        "SecretCode": "QWERTYUIOP123456EXAMPLE"
+    }
+
+For more information, see `TOTP software token MFA <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/confirm-device.rst

@@ -0,0 +1,16 @@
+**To confirm a user device**
+
+The following ``confirm-device`` example adds a new remembered device for the current user. ::
+
+     aws cognito-idp confirm-device \
+        --access-token eyJra456defEXAMPLE \
+        --device-key us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
+        --device-secret-verifier-config PasswordVerifier=TXlWZXJpZmllclN0cmluZw,Salt=TXlTUlBTYWx0
+
+Output::
+
+    {
+         "UserConfirmationNecessary": false
+    }
+
+For more information, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/create-identity-provider.rst

@@ -0,0 +1,102 @@
+**Example 1: To create a user pool SAML identity provider (IdP) with a metadata URL**
+
+The following ``create-identity-provider`` example creates a new SAML IdP with metadata from a public URL, attribute mapping, and two identifiers. ::
+
+    aws cognito-idp create-identity-provider \
+        --user-pool-id us-west-2_EXAMPLE \
+        --provider-name MySAML \
+        --provider-type SAML \
+        --provider-details IDPInit=true,IDPSignout=true,EncryptedResponses=true,MetadataURL=https://auth.example.com/sso/saml/metadata,RequestSigningAlgorithm=rsa-sha256 \
+        --attribute-mapping email=emailaddress,phone_number=phone,custom:111=department \
+        --idp-identifiers CorpSAML WestSAML
+
+Output::
+
+    {
+        "IdentityProvider": {
+            "UserPoolId": "us-west-2_EXAMPLE",
+            "ProviderName": "MySAML",
+            "ProviderType": "SAML",
+            "ProviderDetails": {
+                "ActiveEncryptionCertificate": "MIICvTCCAaEXAMPLE",
+                "EncryptedResponses": "true",
+                "IDPInit": "true",
+                "IDPSignout": "true",
+                "MetadataURL": "https://auth.example.com/sso/saml/metadata",
+                "RequestSigningAlgorithm": "rsa-sha256",
+                "SLORedirectBindingURI": "https://auth.example.com/slo/saml",
+                "SSORedirectBindingURI": "https://auth.example.com/sso/saml"
+            },
+            "AttributeMapping": {
+                "custom:111": "department",
+                "emailaddress": "email",
+                "phone": "phone_number"
+            },
+            "IdpIdentifiers": [
+                "CorpSAML",
+                "WestSAML"
+            ],
+            "LastModifiedDate": 1726853833.977,
+            "CreationDate": 1726853833.977
+        }
+    }
+
+For more information, see `Adding user pool sign-in through a third party <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html>`__ in the *Amazon Cognito Developer Guide*.
+
+**Example 2: To create a user pool SAML identity provider (IdP) with a metadata file**
+
+The following ``create-identity-provider`` example creates a new SAML IdP with metadata from a file, attribute mapping, and two identifiers. File syntax can differ between operating systems in the ``--provider-details`` parameter. It's easiest to create a JSON input file for this operation.::
+
+    aws cognito-idp create-identity-provider \
+        --cli-input-json file://.\SAML-identity-provider.json
+
+Contents of ``SAML-identity-provider.json``::
+
+    {
+        "AttributeMapping": { 
+            "email" : "idp_email",
+            "email_verified" : "idp_email_verified"
+        },
+        "IdpIdentifiers": [ "platform" ],
+        "ProviderDetails": { 
+            "MetadataFile": "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.example.com/sso\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>[IDP_CERTIFICATE_DATA]</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://www.example.com/slo/saml\"/><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://www.example.com/slo/saml\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://www.example.com/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://www.example.com/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
+            "IDPSignout" : "true",
+            "RequestSigningAlgorithm" : "rsa-sha256",
+            "EncryptedResponses" : "true",
+            "IDPInit" : "true"
+        },
+        "ProviderName": "MySAML2",
+        "ProviderType": "SAML",
+        "UserPoolId": "us-west-2_EXAMPLE"
+    }
+
+Output::
+
+    {
+        "IdentityProvider": {
+            "UserPoolId": "us-west-2_EXAMPLE",
+            "ProviderName": "MySAML2",
+            "ProviderType": "SAML",
+            "ProviderDetails": {
+                "ActiveEncryptionCertificate": "[USER_POOL_ENCRYPTION_CERTIFICATE_DATA]",
+                "EncryptedResponses": "true",
+                "IDPInit": "true",
+                "IDPSignout": "true",
+                "MetadataFile": "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.example.com/sso\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>[IDP_CERTIFICATE_DATA]</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://www.example.com/slo/saml\"/><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://www.example.com/slo/saml\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://www.example.com/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://www.example.com/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
+                "RequestSigningAlgorithm": "rsa-sha256",
+                "SLORedirectBindingURI": "https://www.example.com/slo/saml",
+                "SSORedirectBindingURI": "https://www.example.com/sso/saml"
+            },
+            "AttributeMapping": {
+                "email": "idp_email",
+                "email_verified": "idp_email_verified"
+            },
+            "IdpIdentifiers": [
+                "platform"
+            ],
+            "LastModifiedDate": 1726855290.731,
+            "CreationDate": 1726855290.731
+        }
+    }
+
+For more information, see `Adding user pool sign-in through a third party <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html>`__ in the *Amazon Cognito Developer Guide*.

awscli/examples/cognito-idp/create-resource-server.rst

@@ -0,0 +1,31 @@
+**To create a user pool client**
+
+The following ``create-resource-server`` example creates a new resource server with custom scopes. ::
+
+    aws cognito-idp create-resource-server \
+        --user-pool-id us-west-2_EXAMPLE \
+        --identifier solar-system-data \
+        --name "Solar system object tracker" \
+        --scopes ScopeName=sunproximity.read,ScopeDescription="Distance in AU from Sol" ScopeName=asteroids.add,ScopeDescription="Enter a new asteroid"
+
+Output::
+
+    {
+        "ResourceServer": {
+            "UserPoolId": "us-west-2_EXAMPLE",
+            "Identifier": "solar-system-data",
+            "Name": "Solar system object tracker",
+            "Scopes": [
+                {
+                    "ScopeName": "sunproximity.read",
+                    "ScopeDescription": "Distance in AU from Sol"
+                },
+                {
+                    "ScopeName": "asteroids.add",
+                    "ScopeDescription": "Enter a new asteroid"
+                }
+            ]
+        }
+    }
+
+For more information, see `Scopes, M2M, and APIs with resource servers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html>`__ in the *Amazon Cognito Developer Guide*.