From 8743d50c9fc6a56004fe714e5993d2a8a22a978b Mon Sep 17 00:00:00 2001 
From: Jason Del Ponte <961963+jasdel@users.noreply.github.com> Date: Wed, 14 Apr 2021 15:19:42 -0700 Subject: [PATCH] Update AWS API models (#1227) Updates the API models for AWS services, regenerating clients. --- ...codebuild-feature-1618434065941089000.json | 9 + ...nnections-feature-1618434065955012000.json | 9 + ...ndmedical-feature-1618434065970280000.json | 9 + ...igservice-feature-1618434065986453000.json | 9 + ...rvice.ec2-feature-1618434066002616000.json | 9 + ...rvice.fsx-feature-1618434066018929000.json | 9 + ...lightsail-feature-1618434066034745000.json | 9 + ...iaconnect-feature-1618434066050311000.json | 9 + ...rvice.rds-feature-1618434066068818000.json | 9 + ....redshift-feature-1618434066084956000.json | 9 + ...ce.shield-feature-1618434066102878000.json | 9 + ...rvice.sts-feature-1618434066119716000.json | 9 + .../aws-models/codebuild.2016-10-06.json | 39 +- .../codestarconnections.2019-12-01.json | 15 +- .../comprehendmedical.2018-10-30.json | 73 +- .../aws-models/configservice.2014-11-12.json | 16 +- .../aws-models/ec2.2016-11-15.json | 76 +- .../aws-models/fsx.2018-03-01.json | 254 +++++- .../aws-models/lightsail.2016-11-28.json | 12 +- .../aws-models/mediaconnect.2018-11-14.json | 159 ++++ .../aws-models/rds.2014-10-31.json | 24 +- .../aws-models/redshift.2012-12-01.json | 136 +++- .../aws-models/shield.2016-06-02.json | 15 +- .../aws-models/sts.2011-06-15.json | 84 +- .../smithy/aws/go/codegen/endpoints.json | 36 + service/codebuild/deserializers.go | 27 + service/codebuild/serializers.go | 10 + service/codebuild/types/enums.go | 20 + service/codebuild/types/types.go | 94 ++- .../codestarconnections/api_op_CreateHost.go | 4 + service/codestarconnections/deserializers.go | 5 + service/codestarconnections/serializers.go | 7 + service/codestarconnections/validators.go | 5 + service/comprehendmedical/deserializers.go | 18 + service/comprehendmedical/types/enums.go | 26 +- service/comprehendmedical/types/types.go | 12 +- 
...beAggregateComplianceByConformancePacks.go | 10 +- ...gregateConformancePackComplianceSummary.go | 6 +- service/configservice/deserializers.go | 6 + service/configservice/types/types.go | 24 +- .../internal/endpoints/endpoints.go | 1 + .../ec2/api_op_CreateInstanceExportTask.go | 2 +- .../api_op_DescribeCapacityReservations.go | 3 + service/ec2/api_op_DescribeInstanceTypes.go | 13 +- .../ec2/api_op_DescribeSpotPriceHistory.go | 7 +- service/ec2/api_op_DescribeStoreImageTasks.go | 88 +++ service/ec2/api_op_ExportImage.go | 2 +- service/ec2/api_op_ImportImage.go | 2 +- service/ec2/api_op_ImportInstance.go | 13 +- service/ec2/api_op_ImportSnapshot.go | 5 +- service/ec2/api_op_ImportVolume.go | 14 +- service/ec2/api_op_ModifyInstanceAttribute.go | 7 +- .../api_op_ModifyNetworkInterfaceAttribute.go | 11 +- service/ec2/types/types.go | 38 +- service/ec2/validators.go | 12 +- service/fms/internal/endpoints/endpoints.go | 16 + service/fsx/api_op_CopyBackup.go | 207 +++++ service/fsx/api_op_CreateFileSystem.go | 10 +- .../fsx/api_op_CreateFileSystemFromBackup.go | 13 +- service/fsx/api_op_DescribeBackups.go | 2 +- service/fsx/deserializers.go | 730 +++++++++++++++++- service/fsx/serializers.go | 91 +++ service/fsx/types/enums.go | 14 +- service/fsx/types/errors.go | 110 +++ service/fsx/types/types.go | 100 +-- service/fsx/validators.go | 44 ++ .../guardduty/internal/endpoints/endpoints.go | 1 + service/internal/benchmark/go.mod | 1 - service/internal/integrationtest/go.mod | 6 - .../api_op_CreateRelationalDatabase.go | 86 ++- ...op_CreateRelationalDatabaseFromSnapshot.go | 10 +- .../api_op_UpdateRelationalDatabase.go | 8 +- .../internal/endpoints/endpoints.go | 5 + service/mediaconnect/api_op_DescribeFlow.go | 617 +++++++++++++++ service/mediaconnect/deserializers.go | 9 + service/mediaconnect/go.mod | 1 + service/mediaconnect/go.sum | 6 + service/mediaconnect/types/types.go | 7 + service/mq/internal/endpoints/endpoints.go | 4 + service/rds/api_op_CreateDBCluster.go | 5 
+- service/rds/api_op_CreateDBInstance.go | 25 +- service/rds/api_op_CreateEventSubscription.go | 8 +- service/rds/api_op_FailoverGlobalCluster.go | 2 +- service/rds/api_op_ModifyDBCluster.go | 5 +- service/rds/api_op_ModifyDBInstance.go | 49 +- service/rds/api_op_RestoreDBClusterFromS3.go | 5 +- service/rds/api_op_RestoreDBInstanceFromS3.go | 2 +- .../api_op_RevokeDBSecurityGroupIngress.go | 2 +- service/rds/types/types.go | 1 + service/redshift/api_op_CreateCluster.go | 13 + .../api_op_CreateHsmClientCertificate.go | 4 +- .../api_op_ModifyAquaConfiguration.go | 129 ++++ .../api_op_RestoreFromClusterSnapshot.go | 13 + .../api_op_RestoreTableFromClusterSnapshot.go | 5 + service/redshift/deserializers.go | 221 ++++++ service/redshift/serializers.go | 88 +++ service/redshift/types/enums.go | 40 + service/redshift/types/types.go | 30 + service/redshift/validators.go | 39 + service/s3/internal/configtesting/go.mod | 6 - service/shield/deserializers.go | 3 + service/shield/types/errors.go | 4 +- service/sts/api_op_AssumeRole.go | 97 +-- service/sts/api_op_AssumeRoleWithSAML.go | 68 +- .../sts/api_op_AssumeRoleWithWebIdentity.go | 41 +- service/sts/api_op_GetFederationToken.go | 72 +- service/sts/deserializers.go | 39 + service/sts/serializers.go | 5 + 108 files changed, 4191 insertions(+), 467 deletions(-) create mode 100644 .changes/next-release/service.codebuild-feature-1618434065941089000.json create mode 100644 .changes/next-release/service.codestarconnections-feature-1618434065955012000.json create mode 100644 .changes/next-release/service.comprehendmedical-feature-1618434065970280000.json create mode 100644 .changes/next-release/service.configservice-feature-1618434065986453000.json create mode 100644 .changes/next-release/service.ec2-feature-1618434066002616000.json create mode 100644 .changes/next-release/service.fsx-feature-1618434066018929000.json create mode 100644 .changes/next-release/service.lightsail-feature-1618434066034745000.json create mode 100644 
.changes/next-release/service.mediaconnect-feature-1618434066050311000.json create mode 100644 .changes/next-release/service.rds-feature-1618434066068818000.json create mode 100644 .changes/next-release/service.redshift-feature-1618434066084956000.json create mode 100644 .changes/next-release/service.shield-feature-1618434066102878000.json create mode 100644 .changes/next-release/service.sts-feature-1618434066119716000.json create mode 100644 service/fsx/api_op_CopyBackup.go create mode 100644 service/redshift/api_op_ModifyAquaConfiguration.go
diff --git a/.changes/next-release/service.codebuild-feature-1618434065941089000.json b/.changes/next-release/service.codebuild-feature-1618434065941089000.json
new file mode 100644
index 00000000000..7e85c979ad5
--- /dev/null
+++ b/.changes/next-release/service.codebuild-feature-1618434065941089000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.codebuild-feature-1618434065941089000",
+ "SchemaVersion": 1,
+ "Module": "service/codebuild",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.codestarconnections-feature-1618434065955012000.json b/.changes/next-release/service.codestarconnections-feature-1618434065955012000.json
new file mode 100644
index 00000000000..419fe4d24ca
--- /dev/null
+++ b/.changes/next-release/service.codestarconnections-feature-1618434065955012000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.codestarconnections-feature-1618434065955012000",
+ "SchemaVersion": 1,
+ "Module": "service/codestarconnections",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.comprehendmedical-feature-1618434065970280000.json b/.changes/next-release/service.comprehendmedical-feature-1618434065970280000.json
new file mode 100644
index 00000000000..e6f738e3f9c
--- /dev/null
+++ b/.changes/next-release/service.comprehendmedical-feature-1618434065970280000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.comprehendmedical-feature-1618434065970280000",
+ "SchemaVersion": 1,
+ "Module": "service/comprehendmedical",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.configservice-feature-1618434065986453000.json b/.changes/next-release/service.configservice-feature-1618434065986453000.json
new file mode 100644
index 00000000000..fe40d404aa5
--- /dev/null
+++ b/.changes/next-release/service.configservice-feature-1618434065986453000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.configservice-feature-1618434065986453000",
+ "SchemaVersion": 1,
+ "Module": "service/configservice",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.ec2-feature-1618434066002616000.json b/.changes/next-release/service.ec2-feature-1618434066002616000.json
new file mode 100644
index 00000000000..702e0398540
--- /dev/null
+++ b/.changes/next-release/service.ec2-feature-1618434066002616000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.ec2-feature-1618434066002616000",
+ "SchemaVersion": 1,
+ "Module": "service/ec2",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.fsx-feature-1618434066018929000.json b/.changes/next-release/service.fsx-feature-1618434066018929000.json
new file mode 100644
index 00000000000..0ac364fed95
--- /dev/null
+++ b/.changes/next-release/service.fsx-feature-1618434066018929000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.fsx-feature-1618434066018929000",
+ "SchemaVersion": 1,
+ "Module": "service/fsx",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.lightsail-feature-1618434066034745000.json b/.changes/next-release/service.lightsail-feature-1618434066034745000.json
new file mode 100644
index 00000000000..1c3f8901389
--- /dev/null
+++ b/.changes/next-release/service.lightsail-feature-1618434066034745000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.lightsail-feature-1618434066034745000",
+ "SchemaVersion": 1,
+ "Module": "service/lightsail",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.mediaconnect-feature-1618434066050311000.json b/.changes/next-release/service.mediaconnect-feature-1618434066050311000.json
new file mode 100644
index 00000000000..b34dbc1a77b
--- /dev/null
+++ b/.changes/next-release/service.mediaconnect-feature-1618434066050311000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.mediaconnect-feature-1618434066050311000",
+ "SchemaVersion": 1,
+ "Module": "service/mediaconnect",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.rds-feature-1618434066068818000.json b/.changes/next-release/service.rds-feature-1618434066068818000.json
new file mode 100644
index 00000000000..830eac7c996
--- /dev/null
+++ b/.changes/next-release/service.rds-feature-1618434066068818000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.rds-feature-1618434066068818000",
+ "SchemaVersion": 1,
+ "Module": "service/rds",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.redshift-feature-1618434066084956000.json b/.changes/next-release/service.redshift-feature-1618434066084956000.json
new file mode 100644
index 00000000000..8f697eb69b3
--- /dev/null
+++ b/.changes/next-release/service.redshift-feature-1618434066084956000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.redshift-feature-1618434066084956000",
+ "SchemaVersion": 1,
+ "Module": "service/redshift",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.shield-feature-1618434066102878000.json b/.changes/next-release/service.shield-feature-1618434066102878000.json
new file mode 100644
index 00000000000..3cacc023fba
--- /dev/null
+++ b/.changes/next-release/service.shield-feature-1618434066102878000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.shield-feature-1618434066102878000",
+ "SchemaVersion": 1,
+ "Module": "service/shield",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/.changes/next-release/service.sts-feature-1618434066119716000.json b/.changes/next-release/service.sts-feature-1618434066119716000.json
new file mode 100644
index 00000000000..186de3d8678
--- /dev/null
+++ b/.changes/next-release/service.sts-feature-1618434066119716000.json
@@ -0,0 +1,9 @@
+{
+ "ID": "service.sts-feature-1618434066119716000",
+ "SchemaVersion": 1,
+ "Module": "service/sts",
+ "Type": "feature",
+ "Description": "API client updated",
+ "MinVersion": "",
+ "AffectedModules": null
+}
\ No newline at end of file
diff --git a/codegen/sdk-codegen/aws-models/codebuild.2016-10-06.json b/codegen/sdk-codegen/aws-models/codebuild.2016-10-06.json
index ecc0b667b75..83c4a1bea83 100644
--- a/codegen/sdk-codegen/aws-models/codebuild.2016-10-06.json
+++ b/codegen/sdk-codegen/aws-models/codebuild.2016-10-06.json
@@ -408,6 +408,26 @@ "com.amazonaws.codebuild#Boolean": { "type": "boolean" }, + "com.amazonaws.codebuild#BucketOwnerAccess": { + "type": "string", + "traits": { + "smithy.api#documentation": "
Specifies the access for objects that are uploaded to an Amazon S3 bucket that is owned by\n another account.
\nBy default, only the account that uploads the objects to the bucket has access to\n these objects. This property allows you to give the bucket owner access to these\n objects.
\nThe bucket owner does not have access to the objects. This is the\n default.
\nThe bucket owner has read only access to the objects. The uploading account\n retains ownership of the objects.
\nThe bucket owner has full access to the objects. Object ownership is determined\n by the following criteria:
\nIf the bucket is configured with the Bucket\n owner preferred setting, the bucket owner owns the\n objects. The uploading account will have object access as specified\n by the bucket's policy.
\nOtherwise, the uploading account retains ownership of the\n objects.
\nFor more information about Amazon S3 object ownership, see Controlling ownership of uploaded objects using S3\n Object Ownership in the Amazon Simple Storage Service User\n Guide.
\nA list of exported environment variables for this build.
" + "smithy.api#documentation": "A list of exported environment variables for this build.
\nExported environment variables are used in conjunction with AWS CodePipeline to export\n environment variables from the current build stage to subsequent stages in the pipeline.\n For more information, see Working with variables in the AWS CodePipeline User Guide.
" } }, "reportArns": { @@ -646,6 +666,9 @@ "traits": { "smithy.api#documentation": "An identifier for this artifact definition.
" } + }, + "bucketOwnerAccess": { + "target": "com.amazonaws.codebuild#BucketOwnerAccess" } }, "traits": { @@ -826,7 +849,7 @@ "debugSessionEnabled": { "target": "com.amazonaws.codebuild#WrapperBoolean", "traits": { - "smithy.api#documentation": "\nSpecifies if session debugging is enabled for this batch build. For more information, see\n Viewing a running build in Session Manager. Batch session debugging is not supported for matrix batch builds.
" + "smithy.api#documentation": "Specifies if session debugging is enabled for this batch build. For more information, see\n Viewing a running build in Session Manager. Batch session debugging is not supported for matrix batch builds.
" } } }, @@ -2518,18 +2541,18 @@ "name": { "target": "com.amazonaws.codebuild#NonEmptyString", "traits": { - "smithy.api#documentation": "The name of this exported environment variable.
" + "smithy.api#documentation": "The name of the exported environment variable.
" } }, "value": { "target": "com.amazonaws.codebuild#String", "traits": { - "smithy.api#documentation": "The value assigned to this exported environment variable.
\n During a build, the value of a variable is available starting with the\n install
phase. It can be updated between the start of the\n install
phase and the end of the post_build
phase.\n After the post_build
phase ends, the value of exported variables cannot\n change.
The value assigned to the exported environment variable.
" } } }, "traits": { - "smithy.api#documentation": "Information about an exported environment variable.
" + "smithy.api#documentation": "Contains information about an exported environment variable.
\nExported environment variables are used in conjunction with AWS CodePipeline to export\n environment variables from the current build stage to subsequent stages in the pipeline.\n For more information, see Working with variables in the AWS CodePipeline User Guide.
\n During a build, the value of a variable is available starting with the\n install
phase. It can be updated between the start of the\n install
phase and the end of the post_build
phase.\n After the post_build
phase ends, the value of exported variables cannot\n change.
An identifier for this artifact definition.
" } + }, + "bucketOwnerAccess": { + "target": "com.amazonaws.codebuild#BucketOwnerAccess" } }, "traits": { @@ -5167,6 +5193,9 @@ "traits": { "smithy.api#documentation": "Set to true if you do not want your S3 build log output encrypted. By default S3\n build logs are encrypted.
" } + }, + "bucketOwnerAccess": { + "target": "com.amazonaws.codebuild#BucketOwnerAccess" } }, "traits": { diff --git a/codegen/sdk-codegen/aws-models/codestarconnections.2019-12-01.json b/codegen/sdk-codegen/aws-models/codestarconnections.2019-12-01.json index 8c52bae2962..2f3f22e6dad 100644 --- a/codegen/sdk-codegen/aws-models/codestarconnections.2019-12-01.json +++ b/codegen/sdk-codegen/aws-models/codestarconnections.2019-12-01.json @@ -325,6 +325,9 @@ "traits": { "smithy.api#documentation": "The VPC configuration to be provisioned for the host. A VPC must be configured and the\n infrastructure to be represented by the host must already be connected to the VPC.
" } + }, + "Tags": { + "target": "com.amazonaws.codestarconnections#TagList" } } }, @@ -336,6 +339,9 @@ "traits": { "smithy.api#documentation": "The Amazon Resource Name (ARN) of the host to be created.
" } + }, + "Tags": { + "target": "com.amazonaws.codestarconnections#TagList" } } }, @@ -604,7 +610,14 @@ } }, "com.amazonaws.codestarconnections#HostStatus": { - "type": "string" + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 64 + }, + "smithy.api#pattern": ".*" + } }, "com.amazonaws.codestarconnections#HostStatusMessage": { "type": "string" diff --git a/codegen/sdk-codegen/aws-models/comprehendmedical.2018-10-30.json b/codegen/sdk-codegen/aws-models/comprehendmedical.2018-10-30.json index b700e8973bb..b954de2780b 100644 --- a/codegen/sdk-codegen/aws-models/comprehendmedical.2018-10-30.json +++ b/codegen/sdk-codegen/aws-models/comprehendmedical.2018-10-30.json @@ -56,7 +56,7 @@ "RelationshipType": { "target": "com.amazonaws.comprehendmedical#RelationshipType", "traits": { - "smithy.api#documentation": "The type of relationship between the entity and attribute. Type for the relationship is OVERLAP
, indicating that the entity occurred at the same time as the Date_Expression
.\n
The type of relationship between the entity and attribute. Type for the relationship is\n OVERLAP
, indicating that the entity occurred at the same time as the\n Date_Expression
.
Gets the properties associated with an InferICD10CM job.\n Use this operation to get the status of an inference job.
" + "smithy.api#documentation": "Gets the properties associated with an InferICD10CM job. Use this operation to get the\n status of an inference job.
" } }, "com.amazonaws.comprehendmedical#DescribeICD10CMInferenceJobRequest": { @@ -443,7 +443,7 @@ "JobId": { "target": "com.amazonaws.comprehendmedical#JobId", "traits": { - "smithy.api#documentation": "The identifier that Amazon Comprehend Medical generated for the job. The StartICD10CMInferenceJob
operation returns this identifier in its response.
The identifier that Amazon Comprehend Medical generated for the job. The\n StartICD10CMInferenceJob
operation returns this identifier in its response.
Gets the properties associated with an InferRxNorm job.\n Use this operation to get the status of an inference job.
" + "smithy.api#documentation": "Gets the properties associated with an InferRxNorm job. Use this operation to get the\n status of an inference job.
" } }, "com.amazonaws.comprehendmedical#DescribeRxNormInferenceJobRequest": { @@ -541,7 +541,7 @@ "JobId": { "target": "com.amazonaws.comprehendmedical#JobId", "traits": { - "smithy.api#documentation": "The identifier that Amazon Comprehend Medical generated for the job. The StartRxNormInferenceJob operation returns this identifier in its response.
", + "smithy.api#documentation": "The identifier that Amazon Comprehend Medical generated for the job. The\n StartRxNormInferenceJob operation returns this identifier in its response.
", "smithy.api#required": {} } } @@ -1078,6 +1078,18 @@ "traits": { "smithy.api#documentation": "The contextual information for the attribute. The traits recognized by InferICD10CM are\n DIAGNOSIS
, SIGN
, SYMPTOM
, and\n NEGATION
.
The category of attribute. Can be either of DX_NAME
or TIME_EXPRESSION
.
The type of relationship between the entity and attribute. Type for the relationship can\n be either of OVERLAP
or SYSTEM_ORGAN_SITE
.
Describes the specific type of entity with category of entities. InferICD10CM detects\n entities of the type DX_NAME
.
Describes the specific type of entity with category of entities. InferICD10CM detects\n entities of the type DX_NAME
and TIME_EXPRESSION
.
InferICD10CM detects medical conditions as entities listed in a patient record and links\n those entities to normalized concept identifiers in the ICD-10-CM knowledge base from the\n Centers for Disease Control. Amazon Comprehend Medical only detects medical entities in\n English language texts.
" + "smithy.api#documentation": "InferICD10CM detects medical conditions as entities listed in a patient record and links\n those entities to normalized concept identifiers in the ICD-10-CM knowledge base from the\n Centers for Disease Control. Amazon Comprehend Medical only detects medical entities in\n English language texts.
" } }, "com.amazonaws.comprehendmedical#InferICD10CMRequest": { @@ -1401,7 +1440,7 @@ } ], "traits": { - "smithy.api#documentation": "InferRxNorm detects medications as entities listed in a patient record and links to the\n normalized concept identifiers in the RxNorm database from the National Library of Medicine.\n Amazon Comprehend Medical only detects medical entities in English language texts.
" + "smithy.api#documentation": "InferRxNorm detects medications as entities listed in a patient record and links to the\n normalized concept identifiers in the RxNorm database from the National Library of Medicine.\n Amazon Comprehend Medical only detects medical entities in English language texts.
" } }, "com.amazonaws.comprehendmedical#InferRxNormRequest": { @@ -1458,7 +1497,7 @@ } }, "traits": { - "smithy.api#documentation": "The input properties for an entities detection job. This includes the name of the S3 bucket and the path to the files to be analyzed. See batch-manifest for more information.
" + "smithy.api#documentation": "The input properties for an entities detection job. This includes the name of the S3\n bucket and the path to the files to be analyzed.
" } }, "com.amazonaws.comprehendmedical#Integer": { @@ -1671,7 +1710,7 @@ } ], "traits": { - "smithy.api#documentation": "Gets a list of InferICD10CM jobs that you have\n submitted.
" + "smithy.api#documentation": "Gets a list of InferICD10CM jobs that you have submitted.
" } }, "com.amazonaws.comprehendmedical#ListICD10CMInferenceJobsRequest": { @@ -1680,7 +1719,7 @@ "Filter": { "target": "com.amazonaws.comprehendmedical#ComprehendMedicalAsyncJobFilter", "traits": { - "smithy.api#documentation": "Filters the jobs that are returned. You can filter jobs based on their names, status, or the date and time that they were submitted. You can only set one filter at a time.
" + "smithy.api#documentation": "Filters the jobs that are returned. You can filter jobs based on their names, status, or\n the date and time that they were submitted. You can only set one filter at a time.
" } }, "NextToken": { @@ -1803,7 +1842,7 @@ } ], "traits": { - "smithy.api#documentation": "Gets a list of InferRxNorm jobs that you have\n submitted.
" + "smithy.api#documentation": "Gets a list of InferRxNorm jobs that you have submitted.
" } }, "com.amazonaws.comprehendmedical#ListRxNormInferenceJobsRequest": { @@ -1812,7 +1851,7 @@ "Filter": { "target": "com.amazonaws.comprehendmedical#ComprehendMedicalAsyncJobFilter", "traits": { - "smithy.api#documentation": "Filters the jobs that are returned. You can filter jobs based on their names, status, or the date and time that they were submitted. You can only set one filter at a time.
" + "smithy.api#documentation": "Filters the jobs that are returned. You can filter jobs based on their names, status, or\n the date and time that they were submitted. You can only set one filter at a time.
" } }, "NextToken": { @@ -2401,7 +2440,7 @@ } ], "traits": { - "smithy.api#documentation": "Starts an asynchronous job to detect medical conditions and link them to the ICD-10-CM ontology. Use the\n DescribeICD10CMInferenceJob
operation to track the status of a job.
Starts an asynchronous job to detect medical conditions and link them to the ICD-10-CM\n ontology. Use the DescribeICD10CMInferenceJob
operation to track the status of a\n job.
Starts an asynchronous job to detect medication entities and link them to the RxNorm ontology. Use the\n DescribeRxNormInferenceJob
operation to track the status of a job.
Starts an asynchronous job to detect medication entities and link them to the RxNorm\n ontology. Use the DescribeRxNormInferenceJob
operation to track the status of a\n job.
The identifier generated for the job. To get the status of job, use this identifier with the DescribeICD10CMInferenceJob
operation.
The identifier generated for the job. To get the status of job, use this identifier with\n the DescribeICD10CMInferenceJob
operation.
The identifier generated for the job. To get the status of job, use this identifier with the DescribeRxNormInferenceJob
operation.
The identifier generated for the job. To get the status of job, use this identifier with\n the DescribeRxNormInferenceJob
operation.
Provides aggregate compliance of the conformance pack. Indicates whether a conformance pack is compliant based on the name of the conformance pack, account ID, and region.
\n\t\tA conformance pack is compliant if all of the rules in that conformance packs are compliant. It is noncompliant if any of the rules are not compliant.
\n\t\tIf a conformance pack has rules that return INSUFFICIENT_DATA, the conformance pack returns INSUFFICIENT_DATA only if all the rules within that conformance pack return INSUFFICIENT_DATA.\n\t\t\tIf some of the rules in a conformance pack are compliant and others return INSUFFICIENT_DATA, the conformance pack shows compliant.
\nProvides aggregate compliance of the conformance pack. Indicates whether a conformance pack is compliant based on the name of the conformance pack, account ID, and region.
\n\t\tA conformance pack is compliant if all of the rules in a conformance packs are compliant. It is noncompliant if any of the rules are not compliant.\n\t\t\tThe compliance status of a conformance pack is INSUFFICIENT_DATA only if all rules within a conformance pack cannot be evaluated due to insufficient data.\n\t\t\tIf some of the rules in a conformance pack are compliant but the compliance status of other rules in that same conformance pack is INSUFFICIENT_DATA, the conformance pack shows compliant.
" } }, "com.amazonaws.configservice#AggregateComplianceByConformancePackList": { @@ -219,7 +219,7 @@ } }, "traits": { - "smithy.api#documentation": "Provides the number of compliant and noncompliant rules within a conformance pack. \n\t\t\tAlso provides the total count of compliant rules, noncompliant rules, and the rules that do not have any applicable resources to evaluate upon resulting in insufficient data. \n\t\t\t
" + "smithy.api#documentation": "Provides the number of compliant and noncompliant rules within a conformance pack.\n\t\t\tAlso provides the compliance status of the conformance pack and the total rule count which includes compliant rules, noncompliant rules, and rules that cannot be evaluated due to insufficient data.
\n\t\t\n\t\tA conformance pack is compliant if all of the rules in a conformance packs are compliant. It is noncompliant if any of the rules are not compliant.\n\t\t\tThe compliance status of a conformance pack is INSUFFICIENT_DATA only if all rules within a conformance pack cannot be evaluated due to insufficient data.\n\t\t\tIf some of the rules in a conformance pack are compliant but the compliance status of other rules in that same conformance pack is INSUFFICIENT_DATA, the conformance pack shows compliant.
" } }, "com.amazonaws.configservice#AggregateConformancePackComplianceCount": { @@ -2638,6 +2638,9 @@ { "target": "com.amazonaws.configservice#InsufficientPermissionsException" }, + { + "target": "com.amazonaws.configservice#InvalidParameterValueException" + }, { "target": "com.amazonaws.configservice#NoSuchRemediationConfigurationException" }, @@ -3098,7 +3101,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns a list of the conformance packs and their associated compliance status with the count of compliant and noncompliant AWS Config rules within each conformance pack.
\n\t\tThe results can return an empty result page, but if you have a nextToken
, the results are displayed on the next page.
Returns a list of the conformance packs and their associated compliance status with the count of compliant and noncompliant AWS Config rules within each conformance pack.\n\t\t\tAlso returns the total rule count which includes compliant rules, noncompliant rules, and rules that cannot be evaluated due to insufficient data.
\n\t\tThe results can return an empty result page, but if you have a nextToken
, the results are displayed on the next page.
The maximum number of conformance packs details returned on each page. The default is maximum. If you specify 0, AWS Config uses the default.
" + "smithy.api#documentation": "The maximum number of conformance packs compliance details returned on each page. The default is maximum. If you specify 0, AWS Config uses the default.
" } }, "NextToken": { @@ -4471,6 +4474,9 @@ { "target": "com.amazonaws.configservice#InvalidNextTokenException" }, + { + "target": "com.amazonaws.configservice#InvalidParameterValueException" + }, { "target": "com.amazonaws.configservice#NoSuchRemediationConfigurationException" } @@ -5151,7 +5157,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns the count of compliant and noncompliant conformance packs across all AWS Accounts and AWS Regions. You can filter based on AWS Account ID or AWS Region.
\n\t\tThe results can return an empty result page, but if you have a nextToken, the results are displayed on the next page.
\nReturns the count of compliant and noncompliant conformance packs across all AWS Accounts and AWS Regions in an aggregator. You can filter based on AWS Account ID or AWS Region.
\n\t\tThe results can return an empty result page, but if you have a nextToken, the results are displayed on the next page.
\nThe IPv6 CIDR block for your subnet. The subnet must have a /64 prefix\n length.
", - "smithy.api#required": {}, - "smithy.api#xmlName": "ipv6CidrBlock" - } - }, "SubnetId": { "target": "com.amazonaws.ec2#SubnetId", "traits": { @@ -3562,6 +3553,15 @@ "smithy.api#required": {}, "smithy.api#xmlName": "subnetId" } + }, + "Ipv6CidrBlock": { + "target": "com.amazonaws.ec2#String", + "traits": { + "aws.protocols#ec2QueryName": "Ipv6CidrBlock", + "smithy.api#documentation": "The IPv6 CIDR block for your subnet. The subnet must have a /64 prefix\n length.
", + "smithy.api#required": {}, + "smithy.api#xmlName": "ipv6CidrBlock" + } } } }, @@ -9587,7 +9587,7 @@ "target": "com.amazonaws.ec2#CreateInstanceExportTaskResult" }, "traits": { - "smithy.api#documentation": "Exports a running or stopped instance to an Amazon S3 bucket.
\nFor information about the supported operating systems, image formats, and known limitations for the types of\n instances you can export, see Exporting an Instance as\n a VM Using VM Import/Export in the VM Import/Export User Guide.
" + "smithy.api#documentation": "Exports a running or stopped instance to an Amazon S3 bucket.
\nFor information about the supported operating systems, image formats, and known limitations\n for the types of instances you can export, see Exporting an instance as a VM Using VM Import/Export\n in the VM Import/Export User Guide.
" } }, "com.amazonaws.ec2#CreateInstanceExportTaskRequest": { @@ -11391,13 +11391,6 @@ "smithy.api#documentation": "The AZ ID or the Local Zone ID of the subnet.
" } }, - "CidrBlock": { - "target": "com.amazonaws.ec2#String", - "traits": { - "smithy.api#documentation": "The IPv4 network range for the subnet, in CIDR notation. For example, 10.0.0.0/24
. We modify the specified CIDR block to its canonical form; for example, if you specify 100.68.0.18/18
, we modify it to 100.68.0.0/18
.
Checks whether you have the required permissions for the action, without actually making the request, \n and provides an error response. If you have the required permissions, the error response is DryRunOperation
. \n Otherwise, it is UnauthorizedOperation
.
The IPv4 network range for the subnet, in CIDR notation. For example, 10.0.0.0/24
. We modify the specified CIDR block to its canonical form; for example, if you specify 100.68.0.18/18
, we modify it to 100.68.0.0/18
.
One or more filters.
\n\t \t\n instance-type
- The type of instance for which the Capacity Reservation reserves capacity.
\n owner-id
- The ID of the AWS account that owns the Capacity Reservation.
\n availability-zone-id
- The Availability Zone ID of the Capacity Reservation.
\n instance-platform
- The type of operating system for which the Capacity Reservation reserves capacity.
\n availability-zone
- The Availability Zone ID of the Capacity Reservation.
\n tenancy
- Indicates the tenancy of the Capacity Reservation. A Capacity Reservation can have one of the \n\t \t\t\tfollowing tenancy settings:
\n default
- The Capacity Reservation is created on hardware that is shared with other AWS accounts.
\n dedicated
- The Capacity Reservation is created on single-tenant hardware that is dedicated to a single AWS account.
\n state
- The current state of the Capacity Reservation. A Capacity Reservation can be in one of the following states:
\n active
- The Capacity Reservation is active and the capacity is available for your use.
\n expired
- The Capacity Reservation expired automatically at the date and time specified in your request. \n\t \t\t\t\tThe reserved capacity is no longer available for your use.
\n cancelled
- The Capacity Reservation was cancelled. The reserved capacity is no longer available for your use.
\n pending
- The Capacity Reservation request was successful but the capacity provisioning is still pending.
\n failed
- The Capacity Reservation request has failed. A request might fail due to invalid request parameters, \n\t \t\t\t\tcapacity constraints, or instance limit constraints. Failed requests are retained for 60 minutes.
\n end-date
- The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is \n\t \t\t\treleased and you can no longer launch instances into it. The Capacity Reservation's state changes to expired when it reaches its end date and time.
\n end-date-type
- Indicates the way in which the Capacity Reservation ends. A Capacity Reservation can have one of the following end types:
\n unlimited
- The Capacity Reservation remains active until you explicitly cancel it.
\n limited
- The Capacity Reservation expires automatically at a specified date and time.
\n instance-match-criteria
- Indicates the type of instance launches that the Capacity Reservation accepts. The options include:
\n open
- The Capacity Reservation accepts all instances that have matching\n\t\t\t\t\t\t\tattributes (instance type, platform, and Availability Zone). Instances\n\t\t\t\t\t\t\tthat have matching attributes launch into the Capacity Reservation\n\t\t\t\t\t\t\tautomatically without specifying any additional parameters.
\n targeted
- The Capacity Reservation only accepts instances that have matching\n\t\t\t\t\t\t\tattributes (instance type, platform, and Availability Zone), and\n\t\t\t\t\t\t\texplicitly target the Capacity Reservation. This ensures that only\n\t\t\t\t\t\t\tpermitted instances can use the reserved capacity.
One or more filters.
\n\t \t\n instance-type
- The type of instance for which the Capacity Reservation reserves capacity.
\n owner-id
- The ID of the AWS account that owns the Capacity Reservation.
\n availability-zone-id
- The Availability Zone ID of the Capacity Reservation.
\n instance-platform
- The type of operating system for which the Capacity Reservation reserves capacity.
\n availability-zone
- The Availability Zone ID of the Capacity Reservation.
\n tenancy
- Indicates the tenancy of the Capacity Reservation. A Capacity Reservation can have one of the \n\t \t\t\tfollowing tenancy settings:
\n default
- The Capacity Reservation is created on hardware that is shared with other AWS accounts.
\n dedicated
- The Capacity Reservation is created on single-tenant hardware that is dedicated to a single AWS account.
\n state
- The current state of the Capacity Reservation. A Capacity Reservation can be in one of the following states:
\n active
- The Capacity Reservation is active and the capacity is available for your use.
\n expired
- The Capacity Reservation expired automatically at the date and time specified in your request. \n\t \t\t\t\tThe reserved capacity is no longer available for your use.
\n cancelled
- The Capacity Reservation was cancelled. The reserved capacity is no longer available for your use.
\n pending
- The Capacity Reservation request was successful but the capacity provisioning is still pending.
\n failed
- The Capacity Reservation request has failed. A request might fail due to invalid request parameters, \n\t \t\t\t\tcapacity constraints, or instance limit constraints. Failed requests are retained for 60 minutes.
\n start-date
- The date and time at which the Capacity Reservation was started.
\n end-date
- The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is \n\t \t\t\treleased and you can no longer launch instances into it. The Capacity Reservation's state changes to expired when it reaches its end date and time.
\n end-date-type
- Indicates the way in which the Capacity Reservation ends. A Capacity Reservation can have one of the following end types:
\n unlimited
- The Capacity Reservation remains active until you explicitly cancel it.
\n limited
- The Capacity Reservation expires automatically at a specified date and time.
\n instance-match-criteria
- Indicates the type of instance launches that the Capacity Reservation accepts. The options include:
\n open
- The Capacity Reservation accepts all instances that have matching\n\t\t\t\t\t\t\tattributes (instance type, platform, and Availability Zone). Instances\n\t\t\t\t\t\t\tthat have matching attributes launch into the Capacity Reservation\n\t\t\t\t\t\t\tautomatically without specifying any additional parameters.
\n targeted
- The Capacity Reservation only accepts instances that have matching\n\t\t\t\t\t\t\tattributes (instance type, platform, and Availability Zone), and\n\t\t\t\t\t\t\texplicitly target the Capacity Reservation. This ensures that only\n\t\t\t\t\t\t\tpermitted instances can use the reserved capacity.
One or more filters. Filter names and values are case-sensitive.
\n\n auto-recovery-supported
- Indicates whether auto recovery is supported\n (true
| false
).
\n bare-metal
- Indicates whether it is a bare metal instance type\n (true
| false
).
\n burstable-performance-supported
- Indicates whether it is a burstable\n performance instance type (true
| false
).
\n current-generation
- Indicates whether this instance type is the latest\n generation instance type of an instance family (true
| false
).
\n ebs-info.ebs-optimized-info.baseline-bandwidth-in-mbps
- The baseline\n bandwidth performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.baseline-iops
- The baseline input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.baseline-throughput-in-mbps
- The baseline\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-info.maximum-bandwidth-in-mbps
- The maximum bandwidth\n performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.maximum-iops
- The maximum input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.maximum-throughput-in-mbps
- The maximum\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-support
- Indicates whether the instance type is\n EBS-optimized (supported
| unsupported
|\n default
).
\n ebs-info.encryption-support
- Indicates whether EBS encryption is supported\n (supported
| unsupported
).
\n ebs-info.nvme-support
- Indicates whether non-volatile memory express (NVMe)\n is supported for EBS volumes (required
| supported
|\n unsupported
).
\n free-tier-eligible
- Indicates whether the instance type is eligible to use\n in the free tier (true
| false
).
\n hibernation-supported
- Indicates whether On-Demand hibernation is supported\n (true
| false
).
\n hypervisor
- The hypervisor (nitro
| xen
).
\n instance-storage-info.disk.count
- The number of local disks.
\n instance-storage-info.disk.size-in-gb
- The storage size of each instance storage disk, in\n GB.
\n instance-storage-info.disk.type
- The storage technology for the local\n instance storage disks (hdd
| ssd
).
\n instance-storage-info.nvme-support
- Indicates whether non-volatile memory\n express (NVMe) is supported for instance store (required
| supported
)\n | unsupported
).
\n instance-storage-info.total-size-in-gb
- The total amount of storage available from all local\n instance storage, in GB.
\n instance-storage-supported
- Indicates whether the instance type has local\n instance storage (true
| false
).
\n instance-type
- The instance type (for example c5.2xlarge
or\n c5*).
\n memory-info.size-in-mib
- The memory size.
\n network-info.efa-info.maximum-efa-interfaces
- The maximum number of Elastic \n Fabric Adapters (EFAs) per instance. (true
| false
).
\n network-info.efa-supported
- Indicates whether the instance type supports\n Elastic Fabric Adapter (EFA) (true
| false
).
\n network-info.ena-support
- Indicates whether Elastic Network Adapter (ENA) is\n supported or required (required
| supported
|\n unsupported
).
\n network-info.ipv4-addresses-per-interface
- The maximum number of private IPv4 addresses per\n network interface.
\n network-info.ipv6-addresses-per-interface
- The maximum number of private IPv6 addresses per\n network interface.
\n network-info.ipv6-supported
- Indicates whether the instance type supports\n IPv6 (true
| false
).
\n network-info.maximum-network-interfaces
- The maximum number of network interfaces per instance.
\n network-info.network-performance
- The network performance (for example, \"25\n Gigabit\").
\n processor-info.supported-architecture
- The CPU architecture\n (arm64
| i386
| x86_64
).
\n processor-info.sustained-clock-speed-in-ghz
- The CPU clock speed, in GHz.
\n supported-boot-mode
- The boot mode (legacy-bios
|\n uefi
).
\n supported-root-device-type
- The root device type (ebs
|\n instance-store
).
\n supported-usage-class
- The usage class (on-demand
|\n spot
).
\n supported-virtualization-type
- The virtualization type (hvm
|\n paravirtual
).
\n vcpu-info.default-cores
- The default number of cores for the instance type.
\n vcpu-info.default-threads-per-core
- The default number of threads per core for the instance\n type.
\n vcpu-info.default-vcpus
- The default number of vCPUs for the instance type.
\n vcpu-info.valid-cores
- The number of cores that can be configured for the instance type.
\n vcpu-info.valid-threads-per-core
- The number of threads per core that can be configured for the instance type.\n For example, \"1\" or \"1,2\".
One or more filters. Filter names and values are case-sensitive.
\n\n auto-recovery-supported
- Indicates whether auto recovery is supported\n (true
| false
).
\n bare-metal
- Indicates whether it is a bare metal instance type\n (true
| false
).
\n burstable-performance-supported
- Indicates whether it is a burstable\n performance instance type (true
| false
).
\n current-generation
- Indicates whether this instance type is the latest\n generation instance type of an instance family (true
| false
).
\n ebs-info.ebs-optimized-info.baseline-bandwidth-in-mbps
- The baseline\n bandwidth performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.baseline-iops
- The baseline input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.baseline-throughput-in-mbps
- The baseline\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-info.maximum-bandwidth-in-mbps
- The maximum bandwidth\n performance for an EBS-optimized instance type, in Mbps.
\n ebs-info.ebs-optimized-info.maximum-iops
- The maximum input/output storage\n operations per second for an EBS-optimized instance type.
\n ebs-info.ebs-optimized-info.maximum-throughput-in-mbps
- The maximum\n throughput performance for an EBS-optimized instance type, in MB/s.
\n ebs-info.ebs-optimized-support
- Indicates whether the instance type is\n EBS-optimized (supported
| unsupported
|\n default
).
\n ebs-info.encryption-support
- Indicates whether EBS encryption is supported\n (supported
| unsupported
).
\n ebs-info.nvme-support
- Indicates whether non-volatile memory express (NVMe)\n is supported for EBS volumes (required
| supported
|\n unsupported
).
\n free-tier-eligible
- Indicates whether the instance type is eligible to use\n in the free tier (true
| false
).
\n hibernation-supported
- Indicates whether On-Demand hibernation is supported\n (true
| false
).
\n hypervisor
- The hypervisor (nitro
| xen
).
\n instance-storage-info.disk.count
- The number of local disks.
\n instance-storage-info.disk.size-in-gb
- The storage size of each instance storage disk, in\n GB.
\n instance-storage-info.disk.type
- The storage technology for the local\n instance storage disks (hdd
| ssd
).
\n instance-storage-info.nvme-support
- Indicates whether non-volatile memory\n express (NVMe) is supported for instance store (required
| supported
)\n | unsupported
).
\n instance-storage-info.total-size-in-gb
- The total amount of storage available from all local\n instance storage, in GB.
\n instance-storage-supported
- Indicates whether the instance type has local\n instance storage (true
| false
).
\n instance-type
- The instance type (for example c5.2xlarge
or\n c5*).
\n memory-info.size-in-mib
- The memory size.
\n network-info.efa-info.maximum-efa-interfaces
- The maximum number of Elastic \n Fabric Adapters (EFAs) per instance.
\n network-info.efa-supported
- Indicates whether the instance type supports\n Elastic Fabric Adapter (EFA) (true
| false
).
\n network-info.ena-support
- Indicates whether Elastic Network Adapter (ENA) is\n supported or required (required
| supported
|\n unsupported
).
\n network-info.ipv4-addresses-per-interface
- The maximum number of private IPv4 addresses per\n network interface.
\n network-info.ipv6-addresses-per-interface
- The maximum number of private IPv6 addresses per\n network interface.
\n network-info.ipv6-supported
- Indicates whether the instance type supports\n IPv6 (true
| false
).
\n network-info.maximum-network-interfaces
- The maximum number of network interfaces per instance.
\n network-info.network-performance
- The network performance (for example, \"25\n Gigabit\").
\n processor-info.supported-architecture
- The CPU architecture\n (arm64
| i386
| x86_64
).
\n processor-info.sustained-clock-speed-in-ghz
- The CPU clock speed, in GHz.
\n supported-boot-mode
- The boot mode (legacy-bios
|\n uefi
).
\n supported-root-device-type
- The root device type (ebs
|\n instance-store
).
\n supported-usage-class
- The usage class (on-demand
|\n spot
).
\n supported-virtualization-type
- The virtualization type (hvm
|\n paravirtual
).
\n vcpu-info.default-cores
- The default number of cores for the instance type.
\n vcpu-info.default-threads-per-core
- The default number of threads per core for the instance\n type.
\n vcpu-info.default-vcpus
- The default number of vCPUs for the instance type.
\n vcpu-info.valid-cores
- The number of cores that can be configured for the instance type.
\n vcpu-info.valid-threads-per-core
- The number of threads per core that can be configured for the instance type.\n For example, \"1\" or \"1,2\".
Describes the Spot price history. For more information, see\n\t\tSpot Instance pricing history \n in the Amazon EC2 User Guide for Linux Instances.
\n\tWhen you specify a start and end time, this operation returns the prices of the instance types within the time range that you specified and the time when the price changed. \n\t The price is valid within the time period that you specified; the response merely indicates the last time that the price changed.
", + "smithy.api#documentation": "Describes the Spot price history. For more information, see\n\t\tSpot Instance pricing history \n in the Amazon EC2 User Guide for Linux Instances.
\nWhen you specify a start and end time, the operation returns the prices of the\n instance types within that time range. It also returns the last price change before the\n start time, which is the effective price as of the start time.
", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -23762,7 +23762,13 @@ "target": "com.amazonaws.ec2#DescribeStoreImageTasksResult" }, "traits": { - "smithy.api#documentation": "Describes the progress of the AMI store tasks. You can describe the store tasks for\n specified AMIs. If you don't specify the AMIs, you get a paginated list of store tasks from\n the last 31 days.
\nFor each AMI task, the response indicates if the task is InProgress
,\n Completed
, or Failed
. For tasks InProgress
, the\n response shows the estimated progress as a percentage.
Tasks are listed in reverse chronological order. Currently, only tasks from the past 31\n days can be viewed.
\nTo use this API, you must have the required permissions. For more information, see Permissions for storing and restoring AMIs using S3 in the\n Amazon Elastic Compute Cloud User Guide.
\nFor more information, see Store and restore an AMI using\n S3 in the Amazon Elastic Compute Cloud User Guide.
" + "smithy.api#documentation": "Describes the progress of the AMI store tasks. You can describe the store tasks for\n specified AMIs. If you don't specify the AMIs, you get a paginated list of store tasks from\n the last 31 days.
\nFor each AMI task, the response indicates if the task is InProgress
,\n Completed
, or Failed
. For tasks InProgress
, the\n response shows the estimated progress as a percentage.
Tasks are listed in reverse chronological order. Currently, only tasks from the past 31\n days can be viewed.
\nTo use this API, you must have the required permissions. For more information, see Permissions for storing and restoring AMIs using S3 in the\n Amazon Elastic Compute Cloud User Guide.
\nFor more information, see Store and restore an AMI using\n S3 in the Amazon Elastic Compute Cloud User Guide.
", + "smithy.api#paginated": { + "inputToken": "NextToken", + "outputToken": "NextToken", + "items": "StoreImageTaskResults", + "pageSize": "MaxResults" + } } }, "com.amazonaws.ec2#DescribeStoreImageTasksRequest": { @@ -29767,7 +29773,7 @@ "target": "com.amazonaws.ec2#ExportImageResult" }, "traits": { - "smithy.api#documentation": "Exports an Amazon Machine Image (AMI) to a VM file. For more information, see Exporting a VM Directory from an Amazon Machine Image\n (AMI) in the VM Import/Export User Guide.
" + "smithy.api#documentation": "Exports an Amazon Machine Image (AMI) to a VM file. For more information, see Exporting a VM\n directly from an Amazon Machine Image (AMI) in the\n VM Import/Export User Guide.
" } }, "com.amazonaws.ec2#ExportImageRequest": { @@ -30793,7 +30799,7 @@ "target": "com.amazonaws.ec2#Double", "traits": { "aws.protocols#ec2QueryName": "Priority", - "smithy.api#documentation": "The priority for the launch template override. The highest priority is launched\n first.
\nIf the On-Demand AllocationStrategy
is set to prioritized
,\n EC2 Fleet uses priority to determine which launch template override to use first in fulfilling\n On-Demand capacity.
If the Spot AllocationStrategy
is set to\n capacity-optimized-prioritized
, EC2 Fleet uses priority on a best-effort basis\n to determine which launch template override to use first in fulfilling Spot capacity, but\n optimizes for capacity first.
Valid values are whole numbers starting at 0
. The lower the number, the\n higher the priority. If no number is set, the override has the lowest priority. You can set\n the same priority for different launch template overrides.
The priority for the launch template override. The highest priority is launched\n first.
\nIf the On-Demand AllocationStrategy
is set to prioritized
,\n EC2 Fleet uses priority to determine which launch template override to use first in fulfilling\n On-Demand capacity.
If the Spot AllocationStrategy
is set to\n capacity-optimized-prioritized
, EC2 Fleet uses priority on a best-effort basis\n to determine which launch template override to use in fulfilling Spot capacity, but\n optimizes for capacity first.
Valid values are whole numbers starting at 0
. The lower the number, the\n higher the priority. If no number is set, the override has the lowest priority. You can set\n the same priority for different launch template overrides.
The priority for the launch template override. The highest priority is launched\n first.
\nIf the On-Demand AllocationStrategy
is set to prioritized
,\n EC2 Fleet uses priority to determine which launch template override to use first in fulfilling\n On-Demand capacity.
If the Spot AllocationStrategy
is set to\n capacity-optimized-prioritized
, EC2 Fleet uses priority on a best-effort basis\n to determine which launch template override to use first in fulfilling Spot capacity, but\n optimizes for capacity first.
Valid values are whole numbers starting at 0
. The lower the number, the\n higher the priority. If no number is set, the launch template override has the lowest\n priority. You can set the same priority for different launch template overrides.
The priority for the launch template override. The highest priority is launched\n first.
\nIf the On-Demand AllocationStrategy
is set to prioritized
,\n EC2 Fleet uses priority to determine which launch template override to use first in fulfilling\n On-Demand capacity.
If the Spot AllocationStrategy
is set to\n capacity-optimized-prioritized
, EC2 Fleet uses priority on a best-effort basis\n to determine which launch template override to use in fulfilling Spot capacity, but\n optimizes for capacity first.
Valid values are whole numbers starting at 0
. The lower the number, the\n higher the priority. If no number is set, the launch template override has the lowest\n priority. You can set the same priority for different launch template overrides.
Import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI). For more\n information, see Importing a VM as an\n Image Using VM Import/Export in the VM Import/Export User Guide.
" + "smithy.api#documentation": "Import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI).
\nFor more information, see Importing a \n VM as an image using VM Import/Export in the VM Import/Export User Guide.
" } }, "com.amazonaws.ec2#ImportImageLicenseConfigurationRequest": { @@ -35231,7 +35237,7 @@ "target": "com.amazonaws.ec2#ImportInstanceResult" }, "traits": { - "smithy.api#documentation": "Creates an import instance task using metadata from the specified disk image. ImportInstance
only\n supports single-volume VMs. To import multi-volume VMs, use ImportImage. For more information, see\n Importing a\n Virtual Machine Using the Amazon EC2 CLI.
For information about the import manifest referenced by this API action, see VM Import Manifest.
" + "smithy.api#documentation": "Creates an import instance task using metadata from the specified disk image.
\nThis API action supports only single-volume VMs. To import multi-volume VMs, use ImportImage\n instead.
\nThis API action is not supported by the AWS Command Line Interface (AWS CLI). For \n information about using the Amazon EC2 CLI, which is deprecated, see\n Importing a VM to Amazon EC2 in the Amazon EC2 CLI Reference PDF file.
\nFor information about the import manifest referenced by this API action, see VM Import Manifest.
" } }, "com.amazonaws.ec2#ImportInstanceLaunchSpecification": { @@ -35596,7 +35602,7 @@ "target": "com.amazonaws.ec2#ImportSnapshotResult" }, "traits": { - "smithy.api#documentation": "Imports a disk into an EBS snapshot.
" + "smithy.api#documentation": "Imports a disk into an EBS snapshot.
\nFor more information, see Importing a disk as a snapshot using VM Import/Export in the \n VM Import/Export User Guide.
" } }, "com.amazonaws.ec2#ImportSnapshotRequest": { @@ -35778,7 +35784,7 @@ "target": "com.amazonaws.ec2#ImportVolumeResult" }, "traits": { - "smithy.api#documentation": "Creates an import volume task using metadata from the specified disk image.For more information, see Importing\n Disks to Amazon EBS.
\nFor information about the import manifest referenced by this API action, see VM Import Manifest.
" + "smithy.api#documentation": "Creates an import volume task using metadata from the specified disk image.
\nThis API action supports only single-volume VMs. To import multi-volume VMs, use \n ImportImage instead. To import a disk to a snapshot, use\n ImportSnapshot instead.
\nThis API action is not supported by the AWS Command Line Interface (AWS CLI). For \n information about using the Amazon EC2 CLI, which is deprecated, see Importing Disks to Amazon EBS in the Amazon EC2 CLI Reference PDF file.
\nFor information about the import manifest referenced by this API action, see VM Import Manifest.
" } }, "com.amazonaws.ec2#ImportVolumeRequest": { @@ -37238,7 +37244,7 @@ "target": "com.amazonaws.ec2#Boolean", "traits": { "aws.protocols#ec2QueryName": "SourceDestCheck", - "smithy.api#documentation": "Indicates whether to validate network traffic to or from this network interface.
", + "smithy.api#documentation": "Indicates whether source/destination checking is enabled.
", "smithy.api#xmlName": "sourceDestCheck" } }, @@ -41813,7 +41819,7 @@ "target": "com.amazonaws.ec2#Double", "traits": { "aws.protocols#ec2QueryName": "Priority", - "smithy.api#documentation": "The priority for the launch template override. The highest priority is launched\n first.
\nIf OnDemandAllocationStrategy
is set to prioritized
, Spot Fleet\n uses priority to determine which launch template override to use first in fulfilling\n On-Demand capacity.
If the Spot AllocationStrategy
is set to\n capacityOptimizedPrioritized
, Spot Fleet uses priority on a best-effort basis\n to determine which launch template override to use first in fulfilling Spot capacity,\n but optimizes for capacity first.
Valid values are whole numbers starting at 0
. The lower the number, the\n higher the priority. If no number is set, the launch template override has the lowest\n priority. You can set the same priority for different launch template overrides.
The priority for the launch template override. The highest priority is launched\n first.
\nIf OnDemandAllocationStrategy
is set to prioritized
, Spot Fleet\n uses priority to determine which launch template override to use first in fulfilling\n On-Demand capacity.
If the Spot AllocationStrategy
is set to\n capacityOptimizedPrioritized
, Spot Fleet uses priority on a best-effort basis\n to determine which launch template override to use in fulfilling Spot capacity,\n but optimizes for capacity first.
Valid values are whole numbers starting at 0
. The lower the number, the\n higher the priority. If no number is set, the launch template override has the lowest\n priority. You can set the same priority for different launch template overrides.
[EC2-VPC] Changes the security groups of the instance. You must specify at least one\n security group, even if it's just the default security group for the VPC. You must\n specify the security group ID, not the security group name.
", + "smithy.api#documentation": "[EC2-VPC] Replaces the security groups of the instance with the specified security groups. \n You must specify at least one security group, even if it's just the default security group for the VPC. You must\n specify the security group ID, not the security group name.
", "smithy.api#xmlName": "GroupId" } }, @@ -44729,7 +44735,7 @@ "target": "com.amazonaws.ec2#AttributeBooleanValue", "traits": { "aws.protocols#ec2QueryName": "SourceDestCheck", - "smithy.api#documentation": "Indicates whether source/destination checking is enabled.\n A value of true
means checking\n is enabled, and false
means checking is disabled. This value\n must be false
for a NAT instance to perform NAT. For more\n information, see NAT\n Instances in the Amazon Virtual Private Cloud User Guide.
Enable or disable source/destination checks, which ensure that the instance\n is either the source or the destination of any traffic that it receives.\n If the value is true
, source/destination checks are enabled;\n otherwise, they are disabled. The default value is true
. \n You must disable source/destination checks if the instance runs services \n such as network address translation, routing, or firewalls.
Indicates whether traffic to or from the instance is validated.
", + "smithy.api#documentation": "Indicates whether source/destination checking is enabled.
", "smithy.api#xmlName": "sourceDestCheck" } }, @@ -52581,7 +52587,7 @@ "target": "com.amazonaws.ec2#SubnetId", "traits": { "aws.protocols#ec2QueryName": "SubnetId", - "smithy.api#documentation": "The IDs of the subnets in which to launch the instance. To specify multiple subnets, separate\n them using commas; for example, \"subnet-1234abcdeexample1, subnet-0987cdef6example2\".
", + "smithy.api#documentation": "The ID of the subnet in which to launch the instance.
", "smithy.api#xmlName": "subnetId" } }, @@ -52610,7 +52616,7 @@ "com.amazonaws.ec2#RequestSpotLaunchSpecificationSecurityGroupList": { "type": "list", "member": { - "target": "com.amazonaws.ec2#SecurityGroupName", + "target": "com.amazonaws.ec2#String", "traits": { "smithy.api#xmlName": "item" } diff --git a/codegen/sdk-codegen/aws-models/fsx.2018-03-01.json b/codegen/sdk-codegen/aws-models/fsx.2018-03-01.json index 3095438f75a..75c8379f6a3 100644 --- a/codegen/sdk-codegen/aws-models/fsx.2018-03-01.json +++ b/codegen/sdk-codegen/aws-models/fsx.2018-03-01.json @@ -50,6 +50,9 @@ { "target": "com.amazonaws.fsx#CancelDataRepositoryTask" }, + { + "target": "com.amazonaws.fsx#CopyBackup" + }, { "target": "com.amazonaws.fsx#CreateBackup" }, @@ -126,6 +129,9 @@ "traits": { "smithy.api#documentation": "The ID of the AWS Managed Microsoft Active Directory instance to which the file system is joined.
" } + }, + "ResourceARN": { + "target": "com.amazonaws.fsx#ResourceARN" } }, "traits": { @@ -285,7 +291,7 @@ "Name": { "target": "com.amazonaws.fsx#AlternateDNSName", "traits": { - "smithy.api#documentation": "The name of the DNS alias. The alias name has to meet the following requirements:
\nFormatted as a fully-qualified domain name (FQDN), hostname.domain
, for example, accounting.example.com
.
Can contain alphanumeric characters and the hyphen (-).
\nCannot start or end with a hyphen.
\nCan start with a numeric.
\nFor DNS names, Amazon FSx stores alphabetic characters as lowercase letters (a-z), regardless of how you specify them: \n as uppercase letters, lowercase letters, or the corresponding letters in escape codes.
" + "smithy.api#documentation": "The name of the DNS alias. The alias name has to meet the following requirements:
\nFormatted as a fully-qualified domain name (FQDN), hostname.domain
, for example, accounting.example.com
.
Can contain alphanumeric characters, the underscore (_), and the hyphen (-).
\nCannot start or end with a hyphen.
\nCan start with a numeric.
\nFor DNS names, Amazon FSx stores alphabetic characters as lowercase letters (a-z), regardless of how you specify them: \n as uppercase letters, lowercase letters, or the corresponding letters in escape codes.
" } }, "Lifecycle": { @@ -296,7 +302,7 @@ } }, "traits": { - "smithy.api#documentation": "A DNS alias that is associated with the file system. You can use a DNS alias to access a file system using \n user-defined DNS names, in addition to the default DNS name\n that Amazon FSx assigns to the file system. For more information, see \n DNS aliases in the FSx for Windows File Server User Guide.
" + "smithy.api#documentation": "A DNS alias that is associated with the file system. You can use a DNS alias to access a file system using \n user-defined DNS names, in addition to the default DNS name\n that Amazon FSx assigns to the file system. For more information, see \n DNS aliases \n in the FSx for Windows File Server User Guide.
" } }, "com.amazonaws.fsx#AliasLifecycle": { @@ -479,7 +485,7 @@ "Lifecycle": { "target": "com.amazonaws.fsx#BackupLifecycle", "traits": { - "smithy.api#documentation": "The lifecycle status of the backup.
\n\n AVAILABLE
- The backup is fully available.
\n PENDING
- For user-initiated backups on Lustre file systems only; Amazon FSx has not started creating the backup.
\n CREATING
- Amazon FSx is creating the backup.
\n TRANSFERRING
- For user-initiated backups on Lustre file systems only; Amazon FSx is transferring the backup to S3.
\n DELETED
- Amazon FSx deleted the backup and it is no longer available.
\n FAILED
- Amazon FSx could not complete the backup.
The lifecycle status of the backup.
\n\n AVAILABLE
- The backup is fully available.
\n PENDING
- For user-initiated backups on Lustre file systems only; Amazon FSx has not started creating the backup.
\n CREATING
- Amazon FSx is creating the backup.
\n TRANSFERRING
- For user-initiated backups on Lustre file systems only; Amazon FSx is transferring the backup to S3.
\n COPYING
- Amazon FSx is copying the backup.
\n DELETED
- Amazon FSx deleted the backup and it is no longer available.
\n FAILED
- Amazon FSx could not complete the backup.
The configuration of the self-managed Microsoft Active Directory (AD) to which the Windows File Server instance is joined.
" } + }, + "OwnerId": { + "target": "com.amazonaws.fsx#AWSAccountId" + }, + "SourceBackupId": { + "target": "com.amazonaws.fsx#BackupId" + }, + "SourceBackupRegion": { + "target": "com.amazonaws.fsx#Region", + "traits": { + "smithy.api#documentation": "The source Region of the backup. Specifies the Region from where this backup\n is copied.
" + } + } + }, + "traits": { + "smithy.api#documentation": "A backup of an Amazon FSx file system.
" + } + }, + "com.amazonaws.fsx#BackupBeingCopied": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.fsx#ErrorMessage" + }, + "BackupId": { + "target": "com.amazonaws.fsx#BackupId" } }, "traits": { - "smithy.api#documentation": "A backup of an Amazon FSx file system. For more information see:
\nYou can't delete a backup while it's being copied.
", + "smithy.api#error": "client" } }, "com.amazonaws.fsx#BackupFailureDetails": { @@ -559,7 +592,7 @@ "com.amazonaws.fsx#BackupId": { "type": "string", "traits": { - "smithy.api#documentation": "The ID of the backup. Specifies the backup to use if you're creating a file system from an existing backup.
", + "smithy.api#documentation": "The ID of the source backup. Specifies the backup you are copying.
", "smithy.api#length": { "min": 12, "max": 128 @@ -595,7 +628,7 @@ "com.amazonaws.fsx#BackupLifecycle": { "type": "string", "traits": { - "smithy.api#documentation": "The lifecycle status of the backup.
\n\n AVAILABLE
- The backup is fully available.
\n PENDING
- For user-initiated backups on Lustre file systems only; Amazon FSx has not started creating the backup.
\n CREATING
- Amazon FSx is creating the new user-intiated backup
\n TRANSFERRING
- For user-initiated backups on Lustre file systems only; Amazon FSx is backing up the file system.
\n DELETED
- Amazon FSx deleted the backup and it is no longer available.
\n FAILED
- Amazon FSx could not complete the backup.
The lifecycle status of the backup.
\n\n AVAILABLE
- The backup is fully available.
\n PENDING
- For user-initiated backups on Lustre file systems only; Amazon FSx has not started creating the backup.
\n CREATING
- Amazon FSx is creating the new user-intiated backup
\n TRANSFERRING
- For user-initiated backups on Lustre file systems only; Amazon FSx is backing up the file system.
\n COPYING
- Amazon FSx is copying the backup.
\n DELETED
- Amazon FSx deleted the backup and it is no longer available.
\n FAILED
- Amazon FSx could not complete the backup.
Provides a report detailing the data repository task results of the files processed that match the criteria specified in the report Scope
parameter. \n FSx delivers the report to the file system's linked data repository in Amazon S3, \n using the path specified in the report Path
parameter. \n You can specify whether or not a report gets generated for a task using the Enabled
parameter.
Copies an existing backup within the same AWS account to another Region\n (cross-Region copy) or within the same Region (in-Region copy). You can have up to five\n backup copy requests in progress to a single destination Region per account.
\nYou can use cross-Region backup copies for cross-region disaster recovery.\n You periodically take backups and copy them to another Region so that in the\n event of a disaster in the primary Region, you can restore from backup and recover\n availability quickly in the other Region. You can make cross-Region copies\n only within your AWS partition.
\nYou can also use backup copies to clone your file data set to another Region\n or within the same Region.
\nYou can use the SourceRegion
parameter to specify the AWS Region\n from which the backup will be copied. For example, if you make the call from the\n us-west-1
Region and want to copy a backup from the us-east-2
\n Region, you specify us-east-2
in the SourceRegion
parameter\n to make a cross-Region copy. If you don't specify a Region, the backup copy is\n created in the same Region where the request is sent from (in-Region copy).
For more information on creating backup copies, see \n \n Copying backups in the Amazon FSx for Windows User Guide and \n Copying backups \n in the Amazon FSx for Lustre User Guide.
", + "smithy.api#idempotent": {} + } + }, + "com.amazonaws.fsx#CopyBackupRequest": { + "type": "structure", + "members": { + "ClientRequestToken": { + "target": "com.amazonaws.fsx#ClientRequestToken", + "traits": { + "smithy.api#idempotencyToken": {} + } + }, + "SourceBackupId": { + "target": "com.amazonaws.fsx#SourceBackupId", + "traits": { + "smithy.api#documentation": "The ID of the source backup. Specifies the ID of the backup that is\n being copied.
", + "smithy.api#required": {} + } + }, + "SourceRegion": { + "target": "com.amazonaws.fsx#Region", + "traits": { + "smithy.api#documentation": "The source AWS Region of the backup. Specifies the AWS Region from which\n the backup is being copied. The source and destination Regions must be in\n the same AWS partition. If you don't specify a Region, it defaults to\n the Region where the request is sent from (in-Region copy).
" + } + }, + "KmsKeyId": { + "target": "com.amazonaws.fsx#KmsKeyId" + }, + "CopyTags": { + "target": "com.amazonaws.fsx#Flag", + "traits": { + "smithy.api#documentation": "A boolean flag indicating whether tags from the source backup\n should be copied to the backup copy. This value defaults to false.
\nIf you set CopyTags
to true and the source backup has\n existing tags, you can use the Tags
parameter to create new\n tags, provided that the sum of the source backup tags and the new tags\n doesn't exceed 50. Both sets of tags are merged. If there are tag\n conflicts (for example, two tags with the same key but different values),\n the tags created with the Tags
parameter take precedence.
Sets the storage type for the Windows file system you're creating from a backup. \n Valid values are SSD
and HDD
.
Set to SSD
to use solid state drive storage. \n Supported on all Windows deployment types.
Set to HDD
to use hard disk drive storage. \n Supported on SINGLE_AZ_2
and MULTI_AZ_1
Windows file system deployment types. \n
\n Default value is SSD
. \n
HDD and SSD storage types have different minimum storage capacity requirements. \n A restored file system's storage capacity is tied to the file system that was backed up. \n You can create a file system that uses HDD storage from a backup of a file system that \n used SSD storage only if the original SSD file system had a storage capacity of at least 2000 GiB. \n
\nSpecifies the IDs of the subnets that the file system will be accessible from. For Windows MULTI_AZ_1
\n file system deployment types, provide exactly two subnet IDs, one for the preferred file server \n and one for the standby file server. You specify one of these subnets as the preferred subnet \n using the WindowsConfiguration > PreferredSubnetID
property.
For Windows SINGLE_AZ_1
and SINGLE_AZ_2
file system deployment types and Lustre file systems, provide exactly one subnet ID.\n The file server is launched in that subnet's Availability Zone.
Specifies the IDs of the subnets that the file system will be accessible from. For Windows MULTI_AZ_1
\n file system deployment types, provide exactly two subnet IDs, one for the preferred file server \n and one for the standby file server. You specify one of these subnets as the preferred subnet \n using the WindowsConfiguration > PreferredSubnetID
property. For more information, \n see \n Availability and durability: Single-AZ and Multi-AZ file systems.
For Windows SINGLE_AZ_1
and SINGLE_AZ_2
file system deployment types and Lustre file systems, provide exactly one subnet ID.\n The file server is launched in that subnet's Availability Zone.
An array of one or more DNS alias names that you want to associate with the Amazon FSx file system. \n Aliases allow you to use existing DNS names to access the data in your Amazon FSx file system. \n You can associate up to 50 aliases with a file system at any time. \n You can associate additional DNS aliases after you create the file system using the AssociateFileSystemAliases operation. \n You can remove DNS aliases from the file system after it is created using the DisassociateFileSystemAliases operation.\n You only need to specify the alias name in the request payload.
\nFor more information, see Working with DNS Aliases and \n Walkthrough 5: Using DNS aliases to access your file system, including\n additional steps you must take to be able to access your file system using a DNS alias.
\nAn alias name has to meet the following requirements:
\nFormatted as a fully-qualified domain name (FQDN), hostname.domain
, for example, accounting.example.com
.
Can contain alphanumeric characters and the hyphen (-).
\nCannot start or end with a hyphen.
\nCan start with a numeric.
\nFor DNS alias names, Amazon FSx stores alphabetic characters as lowercase letters (a-z), regardless of how you specify them: \n as uppercase letters, lowercase letters, or the corresponding letters in escape codes.
" + "smithy.api#documentation": "An array of one or more DNS alias names that you want to associate with the Amazon FSx file system. \n Aliases allow you to use existing DNS names to access the data in your Amazon FSx file system. \n You can associate up to 50 aliases with a file system at any time. \n You can associate additional DNS aliases after you create the file system using the AssociateFileSystemAliases operation. \n You can remove DNS aliases from the file system after it is created using the DisassociateFileSystemAliases operation.\n You only need to specify the alias name in the request payload.
\nFor more information, see Working with DNS Aliases and \n Walkthrough 5: Using DNS aliases to access your file system, including\n additional steps you must take to be able to access your file system using a DNS alias.
\nAn alias name has to meet the following requirements:
\nFormatted as a fully-qualified domain name (FQDN), hostname.domain
, for example, accounting.example.com
.
Can contain alphanumeric characters, the underscore (_), and the hyphen (-).
\nCannot start or end with a hyphen.
\nCan start with a numeric.
\nFor DNS alias names, Amazon FSx stores alphabetic characters as lowercase letters (a-z), regardless of how you specify them: \n as uppercase letters, lowercase letters, or the corresponding letters in escape codes.
" } } }, @@ -1758,6 +1890,9 @@ "target": "com.amazonaws.fsx#DeleteBackupResponse" }, "errors": [ + { + "target": "com.amazonaws.fsx#BackupBeingCopied" + }, { "target": "com.amazonaws.fsx#BackupInProgress" }, @@ -2057,7 +2192,7 @@ "Backups": { "target": "com.amazonaws.fsx#Backups", "traits": { - "smithy.api#documentation": "Any array of backups.
" + "smithy.api#documentation": "An array of backups.
" } }, "NextToken": { @@ -2798,6 +2933,18 @@ "smithy.api#error": "client" } }, + "com.amazonaws.fsx#IncompatibleRegionForMultiAZ": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.fsx#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "Amazon FSx doesn't support Multi-AZ Windows File Server\n copy backup in the destination Region, so the copied backup\n can't be restored.
", + "smithy.api#error": "client" + } + }, "com.amazonaws.fsx#InternalServerError": { "type": "structure", "members": { @@ -2810,6 +2957,18 @@ "smithy.api#error": "server" } }, + "com.amazonaws.fsx#InvalidDestinationKmsKey": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.fsx#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "The AWS Key Management Service (AWS KMS) key of the destination\n backup is invalid.
", + "smithy.api#error": "client" + } + }, "com.amazonaws.fsx#InvalidExportPath": { "type": "structure", "members": { @@ -2864,6 +3023,30 @@ "smithy.api#error": "client" } }, + "com.amazonaws.fsx#InvalidRegion": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.fsx#ErrorMessage" + } + }, + "traits": { + "smithy.api#documentation": "The Region provided for Source Region
is invalid or\n is in a different AWS partition.
The AWS Key Management Service (AWS KMS) key of the source backup\n is invalid.
", + "smithy.api#error": "client" + } + }, "com.amazonaws.fsx#IpAddress": { "type": "string", "traits": { @@ -3184,6 +3367,16 @@ } } }, + "com.amazonaws.fsx#Region": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 1, + "max": 20 + }, + "smithy.api#pattern": "^[a-z0-9-]{1,20}$" + } + }, "com.amazonaws.fsx#ReportFormat": { "type": "string", "traits": { @@ -3359,13 +3552,13 @@ "DnsIps": { "target": "com.amazonaws.fsx#DnsIps", "traits": { - "smithy.api#documentation": "A list of up to two IP addresses of DNS servers or domain controllers in the\n self-managed AD directory. The IP addresses need to be either in the same VPC CIDR range\n as the one in which your Amazon FSx file system is being created, or in the private IP version 4\n (IPv4) address ranges, as specified in RFC 1918:
\n10.0.0.0 - 10.255.255.255 (10/8 prefix)
\n172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
\n192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
\nA list of up to two IP addresses of DNS servers or domain controllers in the\n self-managed AD directory.
", "smithy.api#required": {} } } }, "traits": { - "smithy.api#documentation": "The configuration that Amazon FSx uses to join the Windows File Server instance to\n your self-managed (including on-premises) Microsoft Active Directory (AD)\n directory.
" + "smithy.api#documentation": "The configuration that Amazon FSx uses to join the Windows File Server instance to\n your self-managed (including on-premises) Microsoft Active Directory (AD)\n directory. For more information, see \n \n Using Amazon FSx with your self-managed Microsoft Active Directory.
" } }, "com.amazonaws.fsx#SelfManagedActiveDirectoryConfigurationUpdates": { @@ -3414,6 +3607,14 @@ { "value": "TOTAL_USER_INITIATED_BACKUPS", "name": "TOTAL_USER_INITIATED_BACKUPS" + }, + { + "value": "TOTAL_USER_TAGS", + "name": "TOTAL_USER_TAGS" + }, + { + "value": "TOTAL_IN_PROGRESS_COPY_BACKUPS", + "name": "TOTAL_IN_PROGRESS_COPY_BACKUPS" } ] } @@ -3437,6 +3638,31 @@ "smithy.api#error": "client" } }, + "com.amazonaws.fsx#SourceBackupId": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 12, + "max": 128 + }, + "smithy.api#pattern": "^(backup-[0-9a-f]{8,})$" + } + }, + "com.amazonaws.fsx#SourceBackupUnavailable": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.fsx#ErrorMessage" + }, + "BackupId": { + "target": "com.amazonaws.fsx#BackupId" + } + }, + "traits": { + "smithy.api#documentation": "The request was rejected because the lifecycle status of the \n source backup is not AVAILABLE
.
The ID for an existing Microsoft Active Directory instance that the file system should join when\n it's created.
" + "smithy.api#documentation": "The ID for an existing AWS Managed Microsoft Active Directory instance that the file system is joined to.
" } }, "SelfManagedActiveDirectoryConfiguration": { @@ -3970,7 +4196,7 @@ "PreferredSubnetId": { "target": "com.amazonaws.fsx#SubnetId", "traits": { - "smithy.api#documentation": "For MULTI_AZ_1
deployment types, it specifies the ID of the subnet where the preferred file server is located. \n Must be one of the two subnet IDs specified in SubnetIds
property.\n Amazon FSx serves traffic from this subnet except in the event of a failover to the secondary file server.
For SINGLE_AZ_1
and SINGLE_AZ_2
deployment types, this value is the same as that for SubnetIDs
.\n For more information, see \n Availability and Durability: Single-AZ and Multi-AZ File Systems\n
For MULTI_AZ_1
deployment types, it specifies the ID of the subnet where the preferred file server is located. \n Must be one of the two subnet IDs specified in SubnetIds
property.\n Amazon FSx serves traffic from this subnet except in the event of a failover to the secondary file server.
For SINGLE_AZ_1
and SINGLE_AZ_2
deployment types, this value is the same as that for SubnetIDs
.\n For more information, see \n Availability and durability: Single-AZ and Multi-AZ file systems.
The throughput of an Amazon FSx file system, measured in megabytes per\n second.
" + "smithy.api#documentation": "The throughput of the Amazon FSx file system, measured in megabytes per\n second.
" } }, "MaintenanceOperationsInProgress": { diff --git a/codegen/sdk-codegen/aws-models/lightsail.2016-11-28.json b/codegen/sdk-codegen/aws-models/lightsail.2016-11-28.json index dbc385f66f3..74ca4b21d88 100644 --- a/codegen/sdk-codegen/aws-models/lightsail.2016-11-28.json +++ b/codegen/sdk-codegen/aws-models/lightsail.2016-11-28.json @@ -4184,7 +4184,7 @@ "relationalDatabaseName": { "target": "com.amazonaws.lightsail#ResourceName", "traits": { - "smithy.api#documentation": "The name to use for your new database.
\nConstraints:
\nMust contain from 2 to 255 alphanumeric characters, or hyphens.
\nThe first and last character must be a letter or number.
\nThe name to use for your new Lightsail database resource.
\nConstraints:
\nMust contain from 2 to 255 alphanumeric characters, or hyphens.
\nThe first and last character must be a letter or number.
\nThe name of the master database created when the Lightsail database resource is\n created.
\nConstraints:
\nMust contain from 1 to 64 alphanumeric characters.
\nCannot be a word reserved by the specified database engine
\nThe meaning of this parameter differs according to the database engine you use.
\n\n MySQL\n
\nThe name of the database to create when the Lightsail database resource is created. If\n this parameter isn't specified, no database is created in the database resource.
\nConstraints:
\nMust contain 1 to 64 letters or numbers.
\nMust begin with a letter. Subsequent characters can be letters, underscores, or digits\n (0- 9).
\nCan't be a word reserved by the specified database engine.
\nFor more information about reserved words in MySQL, see the Keywords and Reserved\n Words articles for MySQL 5.6, MySQL 5.7, and MySQL 8.0.
\n\n PostgreSQL\n
\nThe name of the database to create when the Lightsail database resource is created. If\n this parameter isn't specified, a database named postgres
is created in the\n database resource.
Constraints:
\nMust contain 1 to 63 letters or numbers.
\nMust begin with a letter. Subsequent characters can be letters, underscores, or digits\n (0- 9).
\nCan't be a word reserved by the specified database engine.
\nFor more information about reserved words in PostgreSQL, see the SQL Key Words\n articles for PostgreSQL 9.6, PostgreSQL\n 10, PostgreSQL 11, and PostgreSQL\n 12.
\nThe master user name for your new database.
\nConstraints:
\nMaster user name is required.
\nMust contain from 1 to 16 alphanumeric characters.
\nThe first character must be a letter.
\nCannot be a reserved word for the database engine you choose.
\nFor more information about reserved words in MySQL 5.6 or 5.7, see the Keywords and\n Reserved Words articles for MySQL 5.6 or MySQL 5.7\n respectively.
\nThe name for the master user.
\n\n MySQL\n
\nConstraints:
\nRequired for MySQL.
\nMust be 1 to 16 letters or numbers. Can contain underscores.
\nFirst character must be a letter.
\nCan't be a reserved word for the chosen database engine.
\nFor more information about reserved words in MySQL 5.6 or 5.7, see the Keywords and\n Reserved Words articles for MySQL 5.6, MySQL 5.7, or MySQL 8.0.
\n\n PostgreSQL\n
\nConstraints:
\nRequired for PostgreSQL.
\nMust be 1 to 63 letters or numbers. Can contain underscores.
\nFirst character must be a letter.
\nCan't be a reserved word for the chosen database engine.
\nFor more information about reserved words in MySQL 5.6 or 5.7, see the Keywords and\n Reserved Words articles for PostgreSQL\n 9.6, PostgreSQL 10, PostgreSQL\n 11, and PostgreSQL\n 12.
\nThe password for the master user of your new database. The password can include any\n printable ASCII character except \"/\", \"\"\", or \"@\".
\nConstraints: Must contain 8 to 41 characters.
" + "smithy.api#documentation": "The password for the master user. The password can include any printable ASCII character\n except \"/\", \"\"\", or \"@\". It cannot contain spaces.
\n\n MySQL\n
\nConstraints: Must contain from 8 to 41 characters.
\n\n PostgreSQL\n
\nConstraints: Must contain from 8 to 128 characters.
" } }, "preferredBackupWindow": { @@ -17641,14 +17641,14 @@ "relationalDatabaseName": { "target": "com.amazonaws.lightsail#ResourceName", "traits": { - "smithy.api#documentation": "The name of your database to update.
", + "smithy.api#documentation": "The name of your Lightsail database resource to update.
", "smithy.api#required": {} } }, "masterUserPassword": { "target": "com.amazonaws.lightsail#SensitiveString", "traits": { - "smithy.api#documentation": "The password for the master user of your database. The password can include any printable\n ASCII character except \"/\", \"\"\", or \"@\".
\nConstraints: Must contain 8 to 41 characters.
" + "smithy.api#documentation": "The password for the master user. The password can include any printable ASCII character\n except \"/\", \"\"\", or \"@\".
\nMySQL\n
\nConstraints: Must contain from 8 to 41 characters.
\n\n PostgreSQL\n
\nConstraints: Must contain from 8 to 128 characters.
" } }, "rotateMasterUserPassword": { diff --git a/codegen/sdk-codegen/aws-models/mediaconnect.2018-11-14.json b/codegen/sdk-codegen/aws-models/mediaconnect.2018-11-14.json index e78c8d0b08e..2d05708d3b2 100644 --- a/codegen/sdk-codegen/aws-models/mediaconnect.2018-11-14.json +++ b/codegen/sdk-codegen/aws-models/mediaconnect.2018-11-14.json 
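Review bot: The new `masterUserPassword` documentation in this update hunk omits the "It cannot contain spaces." sentence that the same commit adds to the create-side `masterUserPassword` text earlier in this file's diff, so the two generated doc comments describe different allowed character sets for the same credential. If the service applies the restriction to both operations (not confirmable from the diff), the update text should read `...except \"/\", \"\"\", or \"@\". It cannot contain spaces.` to match. A caller that validates passwords against the update wording alone could accept a value the service then rejects. Because this JSON is imported from the service model, the correction belongs upstream rather than in a local edit.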
@@ -661,6 +661,158 @@ "method": "GET", "uri": "/v1/flows/{FlowArn}", "code": 200 + }, + "smithy.waiters#waitable": { + "FlowActive": { + "documentation": "Wait until a flow is active", + "acceptors": [ + { + "state": "success", + "matcher": { + "output": { + "path": "Flow.Status", + "expected": "ACTIVE", + "comparator": "stringEquals" + } + } + }, + { + "state": "retry", + "matcher": { + "output": { + "path": "Flow.Status", + "expected": "STARTING", + "comparator": "stringEquals" + } + } + }, + { + "state": "retry", + "matcher": { + "output": { + "path": "Flow.Status", + "expected": "UPDATING", + "comparator": "stringEquals" + } + } + }, + { + "state": "retry", + "matcher": { + "errorType": "InternalServerErrorException" + } + }, + { + "state": "retry", + "matcher": { + "errorType": "ServiceUnavailableException" + } + }, + { + "state": "failure", + "matcher": { + "output": { + "path": "Flow.Status", + "expected": "ERROR", + "comparator": "stringEquals" + } + } + } + ], + "minDelay": 3 + }, + "FlowDeleted": { + "documentation": "Wait until a flow is deleted", + "acceptors": [ + { + "state": "success", + "matcher": { + "errorType": "NotFoundException" + } + }, + { + "state": "retry", + "matcher": { + "output": { + "path": "Flow.Status", + "expected": "DELETING", + "comparator": "stringEquals" + } + } + }, + { + "state": "retry", + "matcher": { + "errorType": "InternalServerErrorException" + } + }, + { + "state": "retry", + "matcher": { + "errorType": "ServiceUnavailableException" + } + }, + { + "state": "failure", + "matcher": { + "output": { + "path": "Flow.Status", + "expected": "ERROR", + "comparator": "stringEquals" + } + } + } + ], + "minDelay": 3 + }, + "FlowStandby": { + "documentation": "Wait until a flow is in standby mode", + "acceptors": [ + { + "state": "success", + "matcher": { + "output": { + "path": "Flow.Status", + "expected": "STANDBY", + "comparator": "stringEquals" + } + } + }, + { + "state": "retry", + "matcher": { + "output": { + "path": 
"Flow.Status", + "expected": "STOPPING", + "comparator": "stringEquals" + } + } + }, + { + "state": "retry", + "matcher": { + "errorType": "InternalServerErrorException" + } + }, + { + "state": "retry", + "matcher": { + "errorType": "ServiceUnavailableException" + } + }, + { + "state": "failure", + "matcher": { + "output": { + "path": "Flow.Status", + "expected": "ERROR", + "comparator": "stringEquals" + } + } + } + ], + "minDelay": 3 + } } } }, @@ -1988,6 +2140,13 @@ "smithy.api#jsonName": "entitlementArn" } }, + "ListenerAddress": { + "target": "com.amazonaws.mediaconnect#__string", + "traits": { + "smithy.api#documentation": "The IP address that the receiver requires in order to establish a connection with the flow. For public networking, the ListenerAddress is represented by the elastic IP address of the flow. For private networking, the ListenerAddress is represented by the elastic network interface IP address of the VPC. This field applies only to outputs that use the Zixi pull or SRT listener protocol.", + "smithy.api#jsonName": "listenerAddress" + } + }, "MediaLiveInputArn": { "target": "com.amazonaws.mediaconnect#__string", "traits": { diff --git a/codegen/sdk-codegen/aws-models/rds.2014-10-31.json b/codegen/sdk-codegen/aws-models/rds.2014-10-31.json index e1699e58200..1064297be12 100644 --- a/codegen/sdk-codegen/aws-models/rds.2014-10-31.json +++ b/codegen/sdk-codegen/aws-models/rds.2014-10-31.json @@ -2053,7 +2053,7 @@ "PreferredBackupWindow": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "The daily time range during which automated backups are created\n if automated backups are enabled\n using the BackupRetentionPeriod
parameter.\n
The default is a 30-minute window selected at random from an\n 8-hour block of time for each AWS Region. \n To see the time blocks available, see \n \n Adjusting the Preferred DB Cluster Maintenance Window in the Amazon Aurora User Guide.\n
\nConstraints:
\nMust be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
\nMust not conflict with the preferred maintenance window.
\nMust be at least 30 minutes.
\nThe daily time range during which automated backups are created\n if automated backups are enabled\n using the BackupRetentionPeriod
parameter.\n
The default is a 30-minute window selected at random from an\n 8-hour block of time for each AWS Region. \n To view the time blocks available, see \n \n Backup window in the Amazon Aurora User Guide.\n
\nConstraints:
\nMust be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
\nMust not conflict with the preferred maintenance window.
\nMust be at least 30 minutes.
\n\n The daily time range during which automated backups are created\n if automated backups are enabled,\n using the BackupRetentionPeriod
parameter.\n For more information, see The Backup Window in the Amazon RDS User Guide.\n
\n Amazon Aurora\n
\nNot applicable. The daily time range for creating automated backups is managed by\n the DB cluster.
\n \n\n The default is a 30-minute window selected at random from an\n 8-hour block of time for each AWS Region. \n To see the time blocks available, see \n \n Adjusting the Preferred DB Instance Maintenance Window in the Amazon RDS User Guide.\n
\n \nConstraints:
\nMust be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
\nMust not conflict with the preferred maintenance window.
\nMust be at least 30 minutes.
\n\n The daily time range during which automated backups are created\n if automated backups are enabled,\n using the BackupRetentionPeriod
parameter.\n The default is a 30-minute window selected at random from an\n 8-hour block of time for each AWS Region. For more information, see Backup window in the Amazon RDS User Guide.\n
\n Amazon Aurora\n
\nNot applicable. The daily time range for creating automated backups is managed by\n the DB cluster.
\n \nConstraints:
\nMust be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
\nMust not conflict with the preferred maintenance window.
\nMust be at least 30 minutes.
\nThe list of identifiers of the event sources for which events are returned. If not specified, then all sources are included in the response. \n An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens. It can't end with a hyphen or contain two consecutive hyphens.
\nConstraints:
\nIf a SourceIds
value is supplied, SourceType
must also be provided.
If the source type is a DB instance, a DBInstanceIdentifier
value must be supplied.
If the source type is a DB cluster, a DBClusterIdentifier
value must be supplied.
If the source type is a DB parameter group, a DBParameterGroupName
value must be supplied.
If the source type is a DB security group, a DBSecurityGroupName
value must be supplied.
If the source type is a DB snapshot, a DBSnapshotIdentifier
value must be supplied.
If the source type is a DB cluster snapshot, a DBClusterSnapshotIdentifier
value must be supplied.
The list of identifiers of the event sources for which events are returned. If not specified, then all sources are included in the response. \n An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens. It can't end with a hyphen or contain two consecutive hyphens.
\nConstraints:
\nIf SourceIds
are supplied, SourceType
must also be provided.
If the source type is a DB instance, a DBInstanceIdentifier
value must be supplied.
If the source type is a DB cluster, a DBClusterIdentifier
value must be supplied.
If the source type is a DB parameter group, a DBParameterGroupName
value must be supplied.
If the source type is a DB security group, a DBSecurityGroupName
value must be supplied.
If the source type is a DB snapshot, a DBSnapshotIdentifier
value must be supplied.
If the source type is a DB cluster snapshot, a DBClusterSnapshotIdentifier
value must be supplied.
Initiates the failover process for an Aurora global database (GlobalCluster).
\nA failover for an Aurora global database promotes one of secondary read-only DB clusters to be\n the primary DB cluster and demotes the primary DB cluster to being a secondary (read-only) DB cluster. In other words,\n the role of the current primary DB cluster and the selected (target) DB cluster are switched. The selected\n secondary DB cluster assumes full read/write capabilities for the Aurora global database.
\nFor more information about failing over an Amazon Aurora global database, see\n Managed planned failover for Amazon Aurora global\n databases in the Amazon Aurora User Guide.\n
\nThis action applies to GlobalCluster (Aurora global databases) only. Use this action only on\n healthy Aurora global databases with running Aurora DB clusters and no Region-wide outages, to test disaster recovery scenarios or to\n reconfigure your Aurora global database topology.\n
\nInitiates the failover process for an Aurora global database (GlobalCluster).
\nA failover for an Aurora global database promotes one of secondary read-only DB clusters to be\n the primary DB cluster and demotes the primary DB cluster to being a secondary (read-only) DB cluster. In other words,\n the role of the current primary DB cluster and the selected (target) DB cluster are switched. The selected\n secondary DB cluster assumes full read/write capabilities for the Aurora global database.
\nFor more information about failing over an Amazon Aurora global database, see\n Managed planned failover for Amazon Aurora global\n databases in the Amazon Aurora User Guide.\n
\nThis action applies to GlobalCluster (Aurora global databases) only. Use this action only on\n healthy Aurora global databases with running Aurora DB clusters and no Region-wide outages, to test disaster recovery scenarios or to\n reconfigure your Aurora global database topology.\n
\nThe daily time range during which automated backups are created\n if automated backups are enabled,\n using the BackupRetentionPeriod
parameter.\n
The default is a 30-minute window selected at random from an\n 8-hour block of time for each AWS Region. \n To see the time blocks available, see \n \n Adjusting the Preferred DB Cluster Maintenance Window in the Amazon Aurora User Guide.\n
\nConstraints:
\nMust be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
\nMust not conflict with the preferred maintenance window.
\nMust be at least 30 minutes.
\nThe daily time range during which automated backups are created\n if automated backups are enabled,\n using the BackupRetentionPeriod
parameter.\n
The default is a 30-minute window selected at random from an\n 8-hour block of time for each AWS Region. \n To view the time blocks available, see \n \n Backup window in the Amazon Aurora User Guide.\n
\nConstraints:
\nMust be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
\nMust not conflict with the preferred maintenance window.
\nMust be at least 30 minutes.
\nThe number of days to retain automated backups. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups.
\nChanging this parameter can result in an outage if you change from 0 to a non-zero value or from a non-zero value to 0. \n These changes are applied during the next maintenance window\n unless the ApplyImmediately
parameter is enabled for this request. If you change the parameter from one non-zero value to another \n non-zero value, the change is asynchronously applied as soon as possible.
\n Amazon Aurora\n
\nNot applicable. The retention period for automated backups is managed by the DB\n cluster. For more information, see ModifyDBCluster
.
Default: Uses existing setting
\nConstraints:
\nMust be a value from 0 to 35
\nCan be specified for a MySQL read replica only if the source is running MySQL 5.6 or\n later
\nCan be specified for a PostgreSQL read replica only if the source is running PostgreSQL\n 9.3.5
\nCan't be set to 0 if the DB instance is a source to read replicas
\nThe number of days to retain automated backups. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups.
\nEnabling and disabling backups can result in a brief I/O suspension that lasts from a few seconds to a few minutes, depending on the size and class of your DB instance.
\nThese changes are applied during the next maintenance window unless the ApplyImmediately
parameter is enabled\n for this request. If you change the parameter from one non-zero value to another non-zero value, the change is asynchronously\n applied as soon as possible.
\n Amazon Aurora\n
\nNot applicable. The retention period for automated backups is managed by the DB\n cluster. For more information, see ModifyDBCluster
.
Default: Uses existing setting
\nConstraints:
\nMust be a value from 0 to 35
\nCan be specified for a MySQL read replica only if the source is running MySQL 5.6 or\n later
\nCan be specified for a PostgreSQL read replica only if the source is running PostgreSQL\n 9.3.5
\nCan't be set to 0 if the DB instance is a source to read replicas
\n\n The daily time range during which automated backups are created\n if automated backups are enabled,\n as determined by the BackupRetentionPeriod
parameter. \n Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible.\n
\n Amazon Aurora\n
\nNot applicable. The daily time range for creating automated backups is managed by\n the DB cluster. For more information, see ModifyDBCluster
.
Constraints:
\nMust be in the format hh24:mi-hh24:mi
\nMust be in Universal Time Coordinated (UTC)
\nMust not conflict with the preferred maintenance window
\nMust be at least 30 minutes
\n\n The daily time range during which automated backups are created\n if automated backups are enabled,\n as determined by the BackupRetentionPeriod
parameter. \n Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. \n The default is a 30-minute window selected at random from an\n 8-hour block of time for each AWS Region. For more information, see Backup window in the Amazon RDS User Guide.\n
\n Amazon Aurora\n
\nNot applicable. The daily time range for creating automated backups is managed by\n the DB cluster. For more information, see ModifyDBCluster
.
Constraints:
\nMust be in the format hh24:mi-hh24:mi
\nMust be in Universal Time Coordinated (UTC)
\nMust not conflict with the preferred maintenance window
\nMust be at least 30 minutes
\nThe weekly time range (in UTC) during which system maintenance can occur, which\n might result in an outage. Changing this parameter doesn't result in an outage, except\n in the following situation, and the change is asynchronously applied as soon as\n possible. If there are pending actions that cause a reboot, and the maintenance window\n is changed to include the current time, then changing this parameter will cause a reboot\n of the DB instance. If moving this window to the current time, there must be at least 30\n minutes between the current time and end of the window to ensure pending changes are\n applied.
\nDefault: Uses existing setting
\nFormat: ddd:hh24:mi-ddd:hh24:mi
\nValid Days: Mon | Tue | Wed | Thu | Fri | Sat | Sun
\nConstraints: Must be at least 30 minutes
" + "smithy.api#documentation": "The weekly time range (in UTC) during which system maintenance can occur, which\n might result in an outage. Changing this parameter doesn't result in an outage, except\n in the following situation, and the change is asynchronously applied as soon as\n possible. If there are pending actions that cause a reboot, and the maintenance window\n is changed to include the current time, then changing this parameter will cause a reboot\n of the DB instance. If moving this window to the current time, there must be at least 30\n minutes between the current time and end of the window to ensure pending changes are\n applied.
\nFor more information, see Amazon RDS Maintenance Window in the Amazon RDS User Guide.\n
\nDefault: Uses existing setting
\nFormat: ddd:hh24:mi-ddd:hh24:mi
\nValid Days: Mon | Tue | Wed | Thu | Fri | Sat | Sun
\nConstraints: Must be at least 30 minutes
" } }, "MultiAZ": { @@ -16371,7 +16371,7 @@ "PreferredBackupWindow": { "target": "com.amazonaws.rds#String", "traits": { - "smithy.api#documentation": "The daily time range during which automated backups are created\n if automated backups are enabled\n using the BackupRetentionPeriod
parameter.\n
The default is a 30-minute window selected at random from an\n 8-hour block of time for each AWS Region. \n To see the time blocks available, see \n \n Adjusting the Preferred Maintenance Window in the Amazon Aurora User Guide.\n
\nConstraints:
\nMust be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
\nMust not conflict with the preferred maintenance window.
\nMust be at least 30 minutes.
\nThe daily time range during which automated backups are created\n if automated backups are enabled\n using the BackupRetentionPeriod
parameter.\n
The default is a 30-minute window selected at random from an\n 8-hour block of time for each AWS Region. \n To view the time blocks available, see \n \n Backup window in the Amazon Aurora User Guide.\n
\nConstraints:
\nMust be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
\nMust not conflict with the preferred maintenance window.
\nMust be at least 30 minutes.
\nThe time range each day \n during which automated backups are created \n if automated backups are enabled. \n For more information, see The Backup Window in the Amazon RDS User Guide.\n
\n \nConstraints:
\nMust be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
\nMust not conflict with the preferred maintenance window.
\nMust be at least 30 minutes.
\nThe time range each day \n during which automated backups are created \n if automated backups are enabled. \n For more information, see Backup window in the Amazon RDS User Guide.\n
\n \nConstraints:
\nMust be in the format hh24:mi-hh24:mi
.
Must be in Universal Coordinated Time (UTC).
\nMust not conflict with the preferred maintenance window.
\nMust be at least 30 minutes.
\nRevokes ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups. Required parameters for this API are one of CIDRIP, EC2SecurityGroupId for VPC, or (EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId).
" + "smithy.api#documentation": "Revokes ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC security groups. Required parameters for this API are one of CIDRIP, EC2SecurityGroupId for VPC, or (EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId).
" } }, "com.amazonaws.rds#RevokeDBSecurityGroupIngressMessage": { @@ -17957,7 +17957,7 @@ "SecondsUntilAutoPause": { "target": "com.amazonaws.rds#IntegerOptional", "traits": { - "smithy.api#documentation": "The time, in seconds, before an Aurora DB cluster in serverless
mode is paused.
The time, in seconds, before an Aurora DB cluster in serverless
mode is paused.
Specify a value between 300 and 86,400 seconds.
" } }, "TimeoutAction": { diff --git a/codegen/sdk-codegen/aws-models/redshift.2012-12-01.json b/codegen/sdk-codegen/aws-models/redshift.2012-12-01.json index 06898cdb45c..f53f59524f2 100644 --- a/codegen/sdk-codegen/aws-models/redshift.2012-12-01.json +++ b/codegen/sdk-codegen/aws-models/redshift.2012-12-01.json @@ -199,6 +199,64 @@ ] } }, + "com.amazonaws.redshift#AquaConfiguration": { + "type": "structure", + "members": { + "AquaStatus": { + "target": "com.amazonaws.redshift#AquaStatus", + "traits": { + "smithy.api#documentation": "The value indicates the status of AQUA on the cluster. Possible values include the following.
\nenabled - AQUA is enabled.
\ndisabled - AQUA is not enabled.
\napplying - AQUA status is being applied.
\nThe value represents how the cluster is configured to use AQUA. Possible values include the following.
\nenabled - Use AQUA if it is available for the current AWS Region and Amazon Redshift node type.
\ndisabled - Don't use AQUA.
\nauto - Amazon Redshift determines whether to use AQUA.
\nThe AQUA (Advanced Query Accelerator) configuration of the cluster.
" + } + }, + "com.amazonaws.redshift#AquaConfigurationStatus": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "enabled", + "name": "ENABLED" + }, + { + "value": "disabled", + "name": "DISABLED" + }, + { + "value": "auto", + "name": "AUTO" + } + ] + } + }, + "com.amazonaws.redshift#AquaStatus": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "enabled", + "name": "ENABLED" + }, + { + "value": "disabled", + "name": "DISABLED" + }, + { + "value": "applying", + "name": "APPLYING" + } + ] + } + }, "com.amazonaws.redshift#AssociatedClusterList": { "type": "list", "member": { @@ -1030,6 +1088,12 @@ "traits": { "smithy.api#documentation": "The total storage capacity of the cluster in megabytes.
" } + }, + "AquaConfiguration": { + "target": "com.amazonaws.redshift#AquaConfiguration", + "traits": { + "smithy.api#documentation": "The AQUA (Advanced Query Accelerator) configuration of the cluster.
" + } } }, "traits": { @@ -2231,6 +2295,12 @@ "traits": { "smithy.api#documentation": "The option to enable relocation for an Amazon Redshift cluster between Availability Zones after the cluster is created.
" } + }, + "AquaConfigurationStatus": { + "target": "com.amazonaws.redshift#AquaConfigurationStatus", + "traits": { + "smithy.api#documentation": "The value represents how the cluster is configured to use AQUA (Advanced Query Accelerator) when it is created. Possible values include the following.
\nenabled - Use AQUA if it is available for the current AWS Region and Amazon Redshift node type.
\ndisabled - Don't use AQUA.
\nauto - Amazon Redshift determines whether to use AQUA.
\nCreates an HSM client certificate that an Amazon Redshift cluster will use to connect to\n the client's HSM in order to store and retrieve the keys used to encrypt the cluster\n databases.
\nThe command returns a public key, which you must store in the HSM. In addition to\n creating the HSM certificate, you must create an Amazon Redshift HSM configuration that\n provides a cluster the information needed to store and use encryption keys in the HSM.\n For more information, go to Hardware Security Modules\n in the Amazon Redshift Cluster Management Guide.
" + "smithy.api#documentation": "Creates an HSM client certificate that an Amazon Redshift cluster will use to connect to\n the client's HSM in order to store and retrieve the keys used to encrypt the cluster\n databases.
\nThe command returns a public key, which you must store in the HSM. In addition to\n creating the HSM certificate, you must create an Amazon Redshift HSM configuration that\n provides a cluster the information needed to store and use encryption keys in the HSM.\n For more information, go to Hardware Security Modules\n in the Amazon Redshift Cluster Management Guide.
" } }, "com.amazonaws.redshift#CreateHsmClientCertificateMessage": { @@ -7611,6 +7681,55 @@ ] } }, + "com.amazonaws.redshift#ModifyAquaConfiguration": { + "type": "operation", + "input": { + "target": "com.amazonaws.redshift#ModifyAquaInputMessage" + }, + "output": { + "target": "com.amazonaws.redshift#ModifyAquaOutputMessage" + }, + "errors": [ + { + "target": "com.amazonaws.redshift#ClusterNotFoundFault" + }, + { + "target": "com.amazonaws.redshift#UnsupportedOperationFault" + } + ], + "traits": { + "smithy.api#documentation": "Modifies whether a cluster can use AQUA (Advanced Query Accelerator).
" + } + }, + "com.amazonaws.redshift#ModifyAquaInputMessage": { + "type": "structure", + "members": { + "ClusterIdentifier": { + "target": "com.amazonaws.redshift#String", + "traits": { + "smithy.api#documentation": "The identifier of the cluster to be modified.
", + "smithy.api#required": {} + } + }, + "AquaConfigurationStatus": { + "target": "com.amazonaws.redshift#AquaConfigurationStatus", + "traits": { + "smithy.api#documentation": "The new value of AQUA configuration status. Possible values include the following.
\nenabled - Use AQUA if it is available for the current AWS Region and Amazon Redshift node type.
\ndisabled - Don't use AQUA.
\nauto - Amazon Redshift determines whether to use AQUA.
\nThe updated AQUA configuration of the cluster.
" + } + } + } + }, "com.amazonaws.redshift#ModifyCluster": { "type": "operation", "input": { @@ -9468,6 +9587,9 @@ { "target": "com.amazonaws.redshift#GetReservedNodeExchangeOfferings" }, + { + "target": "com.amazonaws.redshift#ModifyAquaConfiguration" + }, { "target": "com.amazonaws.redshift#ModifyCluster" }, @@ -10401,6 +10523,12 @@ "traits": { "smithy.api#documentation": "The option to enable relocation for an Amazon Redshift cluster between Availability Zones after the cluster is restored.
" } + }, + "AquaConfigurationStatus": { + "target": "com.amazonaws.redshift#AquaConfigurationStatus", + "traits": { + "smithy.api#documentation": "The value represents how the cluster is configured to use AQUA (Advanced Query Accelerator) after the cluster is restored. Possible values include the following.
\nenabled - Use AQUA if it is available for the current AWS Region and Amazon Redshift node type.
\ndisabled - Don't use AQUA.
\nauto - Amazon Redshift determines whether to use AQUA.
\nThe name of the table to create as a result of the current request.
", "smithy.api#required": {} } + }, + "EnableCaseSensitiveIdentifier": { + "target": "com.amazonaws.redshift#BooleanOptional", + "traits": { + "smithy.api#documentation": "Indicates whether name identifiers for database, schema, and table are case sensitive. \n If true
, the names are case sensitive. \n If false
(default), the names are not case sensitive.
The type of limit that would be exceeded.
" + } }, "Limit": { - "target": "com.amazonaws.shield#LimitNumber" + "target": "com.amazonaws.shield#LimitNumber", + "traits": { + "smithy.api#documentation": "The threshold that would be exceeded.
" + } } }, "traits": { - "smithy.api#documentation": "Exception that indicates that the operation would exceed a limit.
\n\n Type
is the type of limit that would be exceeded.
\n Limit
is the threshold that would be exceeded.
Exception that indicates that the operation would exceed a limit.
", "smithy.api#error": "client" } }, diff --git a/codegen/sdk-codegen/aws-models/sts.2011-06-15.json b/codegen/sdk-codegen/aws-models/sts.2011-06-15.json index 1346efc4538..d8f31494636 100644 --- a/codegen/sdk-codegen/aws-models/sts.2011-06-15.json +++ b/codegen/sdk-codegen/aws-models/sts.2011-06-15.json @@ -100,7 +100,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns a set of temporary security credentials that you can use to access AWS\n resources that you might not normally have access to. These temporary credentials consist\n of an access key ID, a secret access key, and a security token. Typically, you use\n AssumeRole
within your account or for cross-account access. For a\n comparison of AssumeRole
with other API operations that produce temporary\n credentials, see Requesting Temporary Security\n Credentials and Comparing the\n AWS STS API operations in the IAM User Guide.
You cannot use AWS account root user credentials to call AssumeRole
.\n You must use credentials for an IAM user or an IAM role to call\n AssumeRole
.
For cross-account access, imagine that you own multiple accounts and need to access\n resources in each account. You could create long-term credentials in each account to access\n those resources. However, managing all those credentials and remembering which one can\n access which account can be time consuming. Instead, you can create one set of long-term\n credentials in one account. Then use temporary security credentials to access all the other\n accounts by assuming roles in those accounts. For more information about roles, see IAM Roles in the\n IAM User Guide.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by AssumeRole
last\n for one hour. However, you can use the optional DurationSeconds
parameter to\n specify the duration of your session. You can provide a value from 900 seconds (15 minutes)\n up to the maximum session duration setting for the role. This setting can have a value from\n 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRole
can be used to\n make API calls to any AWS service with the following exception: You cannot call the\n AWS STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session policies.\n The plain text that you use for both inline and managed session policies can't exceed 2,048\n characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nTo assume a role from a different account, your AWS account must be trusted by the\n role. The trust relationship is defined in the role's trust policy when the role is\n created. That trust policy states which accounts are allowed to delegate that access to\n users in the account.
\nA user who wants to access a role in a different account must also have permissions that\n are delegated from the user account administrator. The administrator must attach a policy\n that allows the user to call AssumeRole
for the ARN of the role in the other\n account. If the user is in the same account as the role, then you can do either of the\n following:
Attach a policy to the user (identical to the previous user in a different\n account).
\nAdd the user as a principal directly in the role's trust policy.
\nIn this case, the trust policy acts as an IAM resource-based policy. Users in the same\n account as the role do not need explicit permission to assume the role. For more\n information about trust policies and resource-based policies, see IAM Policies in\n the IAM User Guide.
\n\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These tags are called\n session tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Using MFA with AssumeRole\n
\n(Optional) You can include multi-factor authentication (MFA) information when you call\n AssumeRole
. This is useful for cross-account scenarios to ensure that the\n user that assumes the role has been authenticated with an AWS MFA device. In that\n scenario, the trust policy of the role being assumed includes a condition that tests for\n MFA authentication. If the caller does not include valid MFA information, the request to\n assume the role is denied. The condition in a trust policy that tests for MFA\n authentication might look like the following example.
\n \"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
\n
For more information, see Configuring MFA-Protected API Access\n in the IAM User Guide guide.
\nTo use MFA with AssumeRole
, you pass values for the\n SerialNumber
and TokenCode
parameters. The\n SerialNumber
value identifies the user's hardware or virtual MFA device.\n The TokenCode
is the time-based one-time password (TOTP) that the MFA device\n produces.
Returns a set of temporary security credentials that you can use to access AWS\n resources that you might not normally have access to. These temporary credentials\n consist of an access key ID, a secret access key, and a security token. Typically, you\n use AssumeRole
within your account or for cross-account access. For a\n comparison of AssumeRole
with other API operations that produce temporary\n credentials, see Requesting Temporary Security\n Credentials and Comparing\n the AWS STS API operations in the\n IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRole
can be used to\n make API calls to any AWS service with the following exception: You cannot call the\n AWS STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session policies.\n The plaintext that you use for both inline and managed session policies can't exceed 2,048\n characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nTo assume a role from a different account, your AWS account must be trusted by the\n role. The trust relationship is defined in the role's trust policy when the role is\n created. That trust policy states which accounts are allowed to delegate that access to\n users in the account.
\nA user who wants to access a role in a different account must also have permissions that\n are delegated from the user account administrator. The administrator must attach a policy\n that allows the user to call AssumeRole
for the ARN of the role in the other\n account. If the user is in the same account as the role, then you can do either of the\n following:
Attach a policy to the user (identical to the previous user in a different\n account).
\nAdd the user as a principal directly in the role's trust policy.
\nIn this case, the trust policy acts as an IAM resource-based policy. Users in the same\n account as the role do not need explicit permission to assume the role. For more\n information about trust policies and resource-based policies, see IAM Policies in\n the IAM User Guide.
\n\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These tags are called\n session tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Using MFA with AssumeRole\n
\n(Optional) You can include multi-factor authentication (MFA) information when you call\n AssumeRole
. This is useful for cross-account scenarios to ensure that the\n user that assumes the role has been authenticated with an AWS MFA device. In that\n scenario, the trust policy of the role being assumed includes a condition that tests for\n MFA authentication. If the caller does not include valid MFA information, the request to\n assume the role is denied. The condition in a trust policy that tests for MFA\n authentication might look like the following example.
\n \"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
\n
For more information, see Configuring MFA-Protected API Access\n in the IAM User Guide guide.
\nTo use MFA with AssumeRole
, you pass values for the\n SerialNumber
and TokenCode
parameters. The\n SerialNumber
value identifies the user's hardware or virtual MFA device.\n The TokenCode
is the time-based one-time password (TOTP) that the MFA device\n produces.
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as\n managed session policies. The policies must exist in the same account as the role.
\nThis parameter is optional. You can provide up to 10 managed policy ARNs. However, the\n plain text that you use for both inline and managed session policies can't exceed 2,048\n characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS\n Service Namespaces in the AWS General Reference.
\n \nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
" + "smithy.api#documentation": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as\n managed session policies. The policies must exist in the same account as the role.
\nThis parameter is optional. You can provide up to 10 managed policy ARNs. However, the\n plaintext that you use for both inline and managed session policies can't exceed 2,048\n characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS\n Service Namespaces in the AWS General Reference.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
" } }, "Policy": { "target": "com.amazonaws.sts#sessionPolicyDocumentType", "traits": { - "smithy.api#documentation": "An IAM policy in JSON format that you want to use as an inline session policy.
\nThis parameter is optional. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nThe plain text that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\n \nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
An IAM policy in JSON format that you want to use as an inline session policy.
\nThis parameter is optional. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nThe plaintext that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
The duration, in seconds, of the role session. The value can range from 900 seconds (15\n minutes) up to the maximum session duration setting for the role. This setting can have a\n value from 1 hour to 12 hours. If you specify a value higher than this setting, the\n operation fails. For example, if you specify a session duration of 12 hours, but your\n administrator set the maximum session duration to 6 hours, your operation fails. To learn\n how to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide.
\nBy default, the value is set to 3600
seconds.
The DurationSeconds
parameter is separate from the duration of a console\n session that you might request using the returned credentials. The request to the\n federation endpoint for a console sign-in token takes a SessionDuration
\n parameter that specifies the maximum length of the console session. For more\n information, see Creating a URL\n that Enables Federated Users to Access the AWS Management Console in the\n IAM User Guide.
The duration, in seconds, of the role session. The value specified can can range from\n 900 seconds (15 minutes) up to the maximum session duration that is set for the role. The\n maximum session duration setting can have a value from 1 hour to 12 hours. If you specify a\n value higher than this setting or the administrator setting (whichever is lower), the\n operation fails. For example, if you specify a session duration of 12 hours, but your\n administrator set the maximum session duration to 6 hours, your operation fails. To learn\n how to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide.
\nBy default, the value is set to 3600
seconds.
The DurationSeconds
parameter is separate from the duration of a console\n session that you might request using the returned credentials. The request to the\n federation endpoint for a console sign-in token takes a SessionDuration
\n parameter that specifies the maximum length of the console session. For more\n information, see Creating a URL\n that Enables Federated Users to Access the AWS Management Console in the\n IAM User Guide.
A list of session tags that you want to pass. Each session tag consists of a key name\n and an associated value. For more information about session tags, see Tagging AWS STS\n Sessions in the IAM User Guide.
\nThis parameter is optional. You can pass up to 50 session tags. The plain text session\n tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. For these\n and additional limits, see IAM\n and STS Character Limits in the IAM User Guide.
\n \nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
You can pass a session tag with the same key as a tag that is already attached to the\n role. When you do, session tags override a role tag with the same key.
\nTag key–value pairs are not case sensitive, but case is preserved. This means that you\n cannot have separate Department
and department
tag keys. Assume\n that the role has the Department
=Marketing
tag and you pass the\n department
=engineering
session tag. Department
\n and department
are not saved as separate tags, and the session tag passed in\n the request takes precedence over the role tag.
Additionally, if you used temporary credentials to perform this operation, the new\n session inherits any transitive session tags from the calling session. If you pass a\n session tag with the same key as an inherited tag, the operation fails. To view the\n inherited tags for a session, see the AWS CloudTrail logs. For more information, see Viewing Session Tags in CloudTrail in the\n IAM User Guide.
" + "smithy.api#documentation": "A list of session tags that you want to pass. Each session tag consists of a key name\n and an associated value. For more information about session tags, see Tagging AWS STS\n Sessions in the IAM User Guide.
\nThis parameter is optional. You can pass up to 50 session tags. The plaintext session\n tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. For these\n and additional limits, see IAM\n and STS Character Limits in the IAM User Guide.
\n \nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
You can pass a session tag with the same key as a tag that is already\n attached to the role. When you do, session tags override a role tag with the same key.
\nTag key–value pairs are not case sensitive, but case is preserved. This means that you\n cannot have separate Department
and department
tag keys. Assume\n that the role has the Department
=Marketing
tag and you pass the\n department
=engineering
session tag. Department
\n and department
are not saved as separate tags, and the session tag passed in\n the request takes precedence over the role tag.
Additionally, if you used temporary credentials to perform this operation, the new\n session inherits any transitive session tags from the calling session. If you pass a\n session tag with the same key as an inherited tag, the operation fails. To view the\n inherited tags for a session, see the AWS CloudTrail logs. For more information, see Viewing Session Tags in CloudTrail in the\n IAM User Guide.
" } }, "TransitiveTagKeys": { @@ -165,7 +165,13 @@ "TokenCode": { "target": "com.amazonaws.sts#tokenCodeType", "traits": { - "smithy.api#documentation": "The value provided by the MFA device, if the trust policy of the role being assumed\n requires MFA (that is, if the policy includes a condition that tests for MFA). If the role\n being assumed requires MFA and if the TokenCode
value is missing or expired,\n the AssumeRole
call returns an \"access denied\" error.
The format for this parameter, as described by its regex pattern, is a sequence of six\n numeric digits.
" + "smithy.api#documentation": "The value provided by the MFA device, if the trust policy of the role being assumed\n requires MFA. (In other words, if the policy includes a condition that tests for MFA). If\n the role being assumed requires MFA and if the TokenCode
value is missing or\n expired, the AssumeRole
call returns an \"access denied\" error.
The format for this parameter, as described by its regex pattern, is a sequence of six\n numeric digits.
" + } + }, + "SourceIdentity": { + "target": "com.amazonaws.sts#sourceIdentityType", + "traits": { + "smithy.api#documentation": "The source identity specified by the principal that is calling the\n AssumeRole
operation.
You can require users to specify a source identity when they assume a role. You do this\n by using the sts:SourceIdentity
condition key in a role trust policy. You can\n use source identity information in AWS CloudTrail logs to determine who took actions with a role.\n You can use the aws:SourceIdentity
condition key to further control access to\n AWS resources based on the value of source identity. For more information about using\n source identity, see Monitor and control\n actions taken with assumed roles in the\n IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper-\n and lower-case alphanumeric characters with no spaces. You can also include underscores or\n any of the following characters: =,.@-. You cannot use a value that begins with the text\n aws:
. This prefix is reserved for AWS internal\n use.
A percentage value that indicates the packed size of the session policies and session \n tags combined passed in the request. The request fails if the packed size is greater than 100 percent, \n which means the policies and tags exceeded the allowed space.
" } + }, + "SourceIdentity": { + "target": "com.amazonaws.sts#sourceIdentityType", + "traits": { + "smithy.api#documentation": "The source identity specified by the principal that is calling the\n AssumeRole
operation.
You can require users to specify a source identity when they assume a role. You do this\n by using the sts:SourceIdentity
condition key in a role trust policy. You can\n use source identity information in AWS CloudTrail logs to determine who took actions with a role.\n You can use the aws:SourceIdentity
condition key to further control access to\n AWS resources based on the value of source identity. For more information about using\n source identity, see Monitor and control\n actions taken with assumed roles in the\n IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper-\n and lower-case alphanumeric characters with no spaces. You can also include underscores or\n any of the following characters: =,.@-
" + } } }, "traits": { @@ -225,7 +237,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns a set of temporary security credentials for users who have been authenticated\n via a SAML authentication response. This operation provides a mechanism for tying an\n enterprise identity store or directory to role-based AWS access without user-specific\n credentials or configuration. For a comparison of AssumeRoleWithSAML
with the\n other API operations that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n AWS STS API operations in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key\n ID, a secret access key, and a security token. Applications can use these temporary\n security credentials to sign calls to AWS services.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by\n AssumeRoleWithSAML
last for one hour. However, you can use the optional\n DurationSeconds
parameter to specify the duration of your session. Your\n role session lasts for the duration that you specify, or until the time specified in the\n SAML authentication response's SessionNotOnOrAfter
value, whichever is\n shorter. You can provide a DurationSeconds
value from 900 seconds (15 minutes)\n up to the maximum session duration setting for the role. This setting can have a value from\n 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRoleWithSAML
can be\n used to make API calls to any AWS service with the following exception: you cannot call\n the STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session policies.\n The plain text that you use for both inline and managed session policies can't exceed 2,048\n characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nCalling AssumeRoleWithSAML
does not require the use of AWS security\n credentials. The identity of the caller is validated by using keys in the metadata document\n that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML
can result in an entry in your AWS CloudTrail logs.\n The entry includes the value in the NameID
element of the SAML assertion.\n We recommend that you use a NameIDType
that is not associated with any\n personally identifiable information (PII). For example, you could instead use the\n persistent identifier\n (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
).
\n Tags\n
\n(Optional) You can configure your IdP to pass attributes into your SAML assertion as\n session tags. Each session tag consists of a key name and an associated value. For more\n information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can pass up to 50 session tags. The plain text session tag keys can’t exceed 128\n characters and the values can’t exceed 256 characters. For these and additional limits, see\n IAM\n and STS Character Limits in the IAM User Guide.
\n \nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
You can pass a session tag with the same key as a tag that is attached to the role. When\n you do, session tags override the role's tags with the same key.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n SAML Configuration\n
\nBefore your application can call AssumeRoleWithSAML
, you must configure\n your SAML identity provider (IdP) to issue the claims required by AWS. Additionally, you\n must use AWS Identity and Access Management (IAM) to create a SAML provider entity in your AWS account that\n represents your identity provider. You must also create an IAM role that specifies this\n SAML provider in its trust policy.
For more information, see the following resources:
\n\n About\n SAML 2.0-based Federation in the IAM User Guide.\n
\n\n Creating SAML Identity Providers in the\n IAM User Guide.
\n\n Configuring\n a Relying Party and Claims in the IAM User Guide.\n
\n\n Creating a Role for SAML 2.0 Federation in the\n IAM User Guide.
\nReturns a set of temporary security credentials for users who have been authenticated\n via a SAML authentication response. This operation provides a mechanism for tying an\n enterprise identity store or directory to role-based AWS access without user-specific\n credentials or configuration. For a comparison of AssumeRoleWithSAML
with the\n other API operations that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n AWS STS API operations in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key\n ID, a secret access key, and a security token. Applications can use these temporary\n security credentials to sign calls to AWS services.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by\n AssumeRoleWithSAML
last for one hour. However, you can use the optional\n DurationSeconds
parameter to specify the duration of your session. Your\n role session lasts for the duration that you specify, or until the time specified in the\n SAML authentication response's SessionNotOnOrAfter
value, whichever is\n shorter. You can provide a DurationSeconds
value from 900 seconds (15 minutes)\n up to the maximum session duration setting for the role. This setting can have a value from\n 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Role chaining limits your AWS CLI or AWS API\n role session to a maximum of one hour. When you use the AssumeRole
API\n operation to assume a role, you can specify the duration of your role session with\n the DurationSeconds
parameter. You can specify a parameter value of up\n to 43200 seconds (12 hours), depending on the maximum session duration setting for\n your role. However, if you assume a role using role chaining and provide a\n DurationSeconds
parameter value greater than one hour, the\n operation fails.
\n Permissions\n
\nThe temporary security credentials created by AssumeRoleWithSAML
can be\n used to make API calls to any AWS service with the following exception: you cannot call\n the STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session policies.\n The plaintext that you use for both inline and managed session policies can't exceed 2,048\n characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nCalling AssumeRoleWithSAML
does not require the use of AWS security\n credentials. The identity of the caller is validated by using keys in the metadata document\n that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML
can result in an entry in your AWS CloudTrail logs.\n The entry includes the value in the NameID
element of the SAML assertion.\n We recommend that you use a NameIDType
that is not associated with any\n personally identifiable information (PII). For example, you could instead use the\n persistent identifier\n (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
).
\n Tags\n
\n(Optional) You can configure your IdP to pass attributes into your SAML assertion as\n session tags. Each session tag consists of a key name and an associated value. For more\n information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128\n characters and the values can’t exceed 256 characters. For these and additional limits, see\n IAM\n and STS Character Limits in the IAM User Guide.
\n \nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
You can pass a session tag with the same key as a tag that is\n attached to the role. When you do, session tags override the role's tags with the same\n key.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n SAML Configuration\n
\nBefore your application can call AssumeRoleWithSAML
, you must configure\n your SAML identity provider (IdP) to issue the claims required by AWS. Additionally, you\n must use AWS Identity and Access Management (IAM) to create a SAML provider entity in your AWS account that\n represents your identity provider. You must also create an IAM role that specifies this\n SAML provider in its trust policy.
For more information, see the following resources:
\n\n About\n SAML 2.0-based Federation in the IAM User Guide.\n
\n\n Creating SAML Identity Providers in the\n IAM User Guide.
\n\n Configuring\n a Relying Party and Claims in the IAM User Guide.\n
\n\n Creating a Role for SAML 2.0 Federation in the\n IAM User Guide.
\nThe base-64 encoded SAML authentication response provided by the IdP.
\nFor more information, see Configuring a Relying Party and\n Adding Claims in the IAM User Guide.
", + "smithy.api#documentation": "The base64 encoded SAML authentication response provided by the IdP.
\nFor more information, see Configuring a Relying Party and\n Adding Claims in the IAM User Guide.
", "smithy.api#required": {} } }, "PolicyArns": { "target": "com.amazonaws.sts#policyDescriptorListType", "traits": { - "smithy.api#documentation": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as\n managed session policies. The policies must exist in the same account as the role.
\nThis parameter is optional. You can provide up to 10 managed policy ARNs. However, the\n plain text that you use for both inline and managed session policies can't exceed 2,048\n characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS\n Service Namespaces in the AWS General Reference.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
" + "smithy.api#documentation": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as\n managed session policies. The policies must exist in the same account as the role.
\nThis parameter is optional. You can provide up to 10 managed policy ARNs. However, the\n plaintext that you use for both inline and managed session policies can't exceed 2,048\n characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS\n Service Namespaces in the AWS General Reference.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
" } }, "Policy": { "target": "com.amazonaws.sts#sessionPolicyDocumentType", "traits": { - "smithy.api#documentation": "An IAM policy in JSON format that you want to use as an inline session policy.
\nThis parameter is optional. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nThe plain text that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
An IAM policy in JSON format that you want to use as an inline session policy.
\nThis parameter is optional. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nThe plaintext that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
A hash value based on the concatenation of the Issuer
response value, the\n AWS account ID, and the friendly name (the last part of the ARN) of the SAML provider in\n IAM. The combination of NameQualifier
and Subject
can be used\n to uniquely identify a federated user.
The following pseudocode shows how the hash value is calculated:
\n\n BASE64 ( SHA1 ( \"https://example.com/saml\" + \"123456789012\" + \"/MySAMLIdP\" ) )
\n
A hash value based on the concatenation of the following:
\nThe Issuer
response value.
The AWS account ID.
\nThe friendly name (the last part of the ARN) of the SAML provider in IAM.
\nThe combination of NameQualifier
and Subject
can be used to\n uniquely identify a federated user.
The following pseudocode shows how the hash value is calculated:
\n\n BASE64 ( SHA1 ( \"https://example.com/saml\" + \"123456789012\" + \"/MySAMLIdP\" ) )
\n
The value in the SourceIdentity
attribute in the SAML assertion.
You can require users to set a source identity value when they assume a role. You do\n this by using the sts:SourceIdentity
condition key in a role trust policy.\n That way, actions that are taken with the role are associated with that user. After the\n source identity is set, the value cannot be changed. It is present in the request for all\n actions that are taken by the role and persists across chained\n role sessions. You can configure your SAML identity provider to use an attribute\n associated with your users, like user name or email, as the source identity when calling\n AssumeRoleWithSAML
. You do this by adding an attribute to the SAML\n assertion. For more information about using source identity, see Monitor and control\n actions taken with assumed roles in the\n IAM User Guide.
The regex used to validate this parameter is a string of characters \n consisting of upper- and lower-case alphanumeric characters with no spaces. You can \n also include underscores or any of the following characters: =,.@-
" } } }, @@ -360,7 +378,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns a set of temporary security credentials for users who have been authenticated in\n a mobile or web application with a web identity provider. Example providers include Amazon Cognito,\n Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity\n provider.
\nFor mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the\n AWS SDK for iOS Developer Guide and the AWS SDK for Android Developer Guide to uniquely\n identify a user. You can also supply the user with a consistent identity throughout the\n lifetime of an application.
\nTo learn more about Amazon Cognito, see Amazon Cognito Overview in\n AWS SDK for Android Developer Guide and Amazon Cognito Overview in the\n AWS SDK for iOS Developer Guide.
\nCalling AssumeRoleWithWebIdentity
does not require the use of AWS\n security credentials. Therefore, you can distribute an application (for example, on mobile\n devices) that requests temporary security credentials without including long-term AWS\n credentials in the application. You also don't need to deploy server-based proxy services\n that use long-term AWS credentials. Instead, the identity of the caller is validated by\n using a token from the web identity provider. For a comparison of\n AssumeRoleWithWebIdentity
with the other API operations that produce\n temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n AWS STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a\n secret access key, and a security token. Applications can use these temporary security\n credentials to sign calls to AWS service API operations.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by\n AssumeRoleWithWebIdentity
last for one hour. However, you can use the\n optional DurationSeconds
parameter to specify the duration of your session.\n You can provide a value from 900 seconds (15 minutes) up to the maximum session duration\n setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how\n to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRoleWithWebIdentity
can\n be used to make API calls to any AWS service with the following exception: you cannot\n call the STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session policies.\n The plain text that you use for both inline and managed session policies can't exceed 2,048\n characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\n\n Tags\n
\n(Optional) You can configure your IdP to pass attributes into your web identity token as\n session tags. Each session tag consists of a key name and an associated value. For more\n information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can pass up to 50 session tags. The plain text session tag keys can’t exceed 128\n characters and the values can’t exceed 256 characters. For these and additional limits, see\n IAM\n and STS Character Limits in the IAM User Guide.
\n \nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
You can pass a session tag with the same key as a tag that is attached to the role. When\n you do, the session tag overrides the role tag with the same key.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Identities\n
\nBefore your application can call AssumeRoleWithWebIdentity
, you must have\n an identity token from a supported identity provider and create a role that the application\n can assume. The role that your application assumes must trust the identity provider that is\n associated with the identity token. In other words, the identity provider must be specified\n in the role's trust policy.
Calling AssumeRoleWithWebIdentity
can result in an entry in your\n AWS CloudTrail logs. The entry includes the Subject of\n the provided Web Identity Token. We recommend that you avoid using any personally\n identifiable information (PII) in this field. For example, you could instead use a GUID\n or a pairwise identifier, as suggested\n in the OIDC specification.
For more information about how to use web identity federation and the\n AssumeRoleWithWebIdentity
API, see the following resources:
\n Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
\n\n \n Web Identity Federation Playground. Walk through the process of\n authenticating through Login with Amazon, Facebook, or Google, getting temporary\n security credentials, and then using those credentials to make a request to AWS.\n
\n\n AWS SDK for iOS Developer Guide and AWS SDK for Android Developer Guide. These toolkits\n contain sample apps that show how to invoke the identity providers. The toolkits then\n show how to use the information from these providers to get and use temporary\n security credentials.
\n\n Web Identity\n Federation with Mobile Applications. This article discusses web identity\n federation and shows an example of how to use web identity federation to get access\n to content in Amazon S3.
\nReturns a set of temporary security credentials for users who have been authenticated in\n a mobile or web application with a web identity provider. Example providers include Amazon Cognito,\n Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity\n provider.
\nFor mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the\n AWS SDK for iOS Developer Guide and the AWS SDK for Android Developer Guide to uniquely\n identify a user. You can also supply the user with a consistent identity throughout the\n lifetime of an application.
\nTo learn more about Amazon Cognito, see Amazon Cognito Overview in\n AWS SDK for Android Developer Guide and Amazon Cognito Overview in the\n AWS SDK for iOS Developer Guide.
\nCalling AssumeRoleWithWebIdentity
does not require the use of AWS\n security credentials. Therefore, you can distribute an application (for example, on mobile\n devices) that requests temporary security credentials without including long-term AWS\n credentials in the application. You also don't need to deploy server-based proxy services\n that use long-term AWS credentials. Instead, the identity of the caller is validated by\n using a token from the web identity provider. For a comparison of\n AssumeRoleWithWebIdentity
with the other API operations that produce\n temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n AWS STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a\n secret access key, and a security token. Applications can use these temporary security\n credentials to sign calls to AWS service API operations.
\n\n Session Duration\n
\nBy default, the temporary security credentials created by\n AssumeRoleWithWebIdentity
last for one hour. However, you can use the\n optional DurationSeconds
parameter to specify the duration of your session.\n You can provide a value from 900 seconds (15 minutes) up to the maximum session duration\n setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how\n to view the maximum value for your role, see View the\n Maximum Session Duration Setting for a Role in the\n IAM User Guide. The maximum session duration limit applies when\n you use the AssumeRole*
API operations or the assume-role*
CLI\n commands. However the limit does not apply when you use those operations to create a\n console URL. For more information, see Using IAM Roles in the\n IAM User Guide.
\n Permissions\n
\nThe temporary security credentials created by AssumeRoleWithWebIdentity
can\n be used to make API calls to any AWS service with the following exception: you cannot\n call the STS GetFederationToken
or GetSessionToken
API\n operations.
(Optional) You can pass inline or managed session policies to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session policies.\n The plaintext that you use for both inline and managed session policies can't exceed 2,048\n characters. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\n\n Tags\n
\n(Optional) You can configure your IdP to pass attributes into your web identity token as\n session tags. Each session tag consists of a key name and an associated value. For more\n information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128\n characters and the values can’t exceed 256 characters. For these and additional limits, see\n IAM\n and STS Character Limits in the IAM User Guide.
\n \nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
You can pass a session tag with the same key as a tag that is\n attached to the role. When you do, the session tag overrides the role tag with the same\n key.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nYou can set the session tags as transitive. Transitive tags persist during role\n chaining. For more information, see Chaining Roles\n with Session Tags in the IAM User Guide.
\n\n Identities\n
\nBefore your application can call AssumeRoleWithWebIdentity
, you must have\n an identity token from a supported identity provider and create a role that the application\n can assume. The role that your application assumes must trust the identity provider that is\n associated with the identity token. In other words, the identity provider must be specified\n in the role's trust policy.
Calling AssumeRoleWithWebIdentity
can result in an entry in your\n AWS CloudTrail logs. The entry includes the Subject of\n the provided web identity token. We recommend that you avoid using any personally\n identifiable information (PII) in this field. For example, you could instead use a GUID\n or a pairwise identifier, as suggested\n in the OIDC specification.
For more information about how to use web identity federation and the\n AssumeRoleWithWebIdentity
API, see the following resources:
\n Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
\n\n Web Identity Federation Playground. Walk through the process of\n authenticating through Login with Amazon, Facebook, or Google, getting temporary\n security credentials, and then using those credentials to make a request to AWS.\n
\n\n AWS SDK for iOS Developer Guide and AWS SDK for Android Developer Guide. These toolkits\n contain sample apps that show how to invoke the identity providers. The toolkits then\n show how to use the information from these providers to get and use temporary\n security credentials.
\n\n Web Identity\n Federation with Mobile Applications. This article discusses web identity\n federation and shows an example of how to use web identity federation to get access\n to content in Amazon S3.
\nThe Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as\n managed session policies. The policies must exist in the same account as the role.
\nThis parameter is optional. You can provide up to 10 managed policy ARNs. However, the\n plain text that you use for both inline and managed session policies can't exceed 2,048\n characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS\n Service Namespaces in the AWS General Reference.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
" + "smithy.api#documentation": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as\n managed session policies. The policies must exist in the same account as the role.
\nThis parameter is optional. You can provide up to 10 managed policy ARNs. However, the\n plaintext that you use for both inline and managed session policies can't exceed 2,048\n characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS\n Service Namespaces in the AWS General Reference.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
" } }, "Policy": { "target": "com.amazonaws.sts#sessionPolicyDocumentType", "traits": { - "smithy.api#documentation": "An IAM policy in JSON format that you want to use as an inline session policy.
\nThis parameter is optional. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nThe plain text that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
An IAM policy in JSON format that you want to use as an inline session policy.
\nThis parameter is optional. Passing policies to this operation returns new \n temporary credentials. The resulting session's permissions are the intersection of the \n role's identity-based policy and the session policies. You can use the role's temporary \n credentials in subsequent AWS API calls to access resources in the account that owns \n the role. You cannot use session policies to grant more permissions than those allowed \n by the identity-based policy of the role that is being assumed. For more information, see\n Session\n Policies in the IAM User Guide.
\nThe plaintext that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
The intended audience (also known as client ID) of the web identity token. This is\n traditionally the client identifier issued to the application that requested the web\n identity token.
" } + }, + "SourceIdentity": { + "target": "com.amazonaws.sts#sourceIdentityType", + "traits": { + "smithy.api#documentation": "The value of the source identity that is returned in the JSON web token (JWT) from the\n identity provider.
\nYou can require users to set a source identity value when they assume a role. You do\n this by using the sts:SourceIdentity
condition key in a role trust policy.\n That way, actions that are taken with the role are associated with that user. After the\n source identity is set, the value cannot be changed. It is present in the request for all\n actions that are taken by the role and persists across chained\n role sessions. You can configure your identity provider to use an attribute\n associated with your users, like user name or email, as the source identity when calling\n AssumeRoleWithWebIdentity
. You do this by adding a claim to the JSON web\n token. To learn more about OIDC tokens and claims, see Using Tokens with User Pools in the Amazon Cognito Developer Guide.\n For more information about using source identity, see Monitor and control\n actions taken with assumed roles in the\n IAM User Guide.
The regex used to validate this parameter is a string of characters \n consisting of upper- and lower-case alphanumeric characters with no spaces. You can \n also include underscores or any of the following characters: =,.@-
" + } } }, "traits": { @@ -605,7 +629,7 @@ "target": "com.amazonaws.sts#GetAccessKeyInfoResponse" }, "traits": { - "smithy.api#documentation": "Returns the account identifier for the specified access key ID.
\nAccess keys consist of two parts: an access key ID (for example,\n AKIAIOSFODNN7EXAMPLE
) and a secret access key (for example,\n wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
). For more information about\n access keys, see Managing Access Keys for IAM\n Users in the IAM User Guide.
When you pass an access key ID to this operation, it returns the ID of the AWS account\n to which the keys belong. Access key IDs beginning with AKIA
are long-term\n credentials for an IAM user or the AWS account root user. Access key IDs beginning with\n ASIA
are temporary credentials that are created using STS operations. If\n the account in the response belongs to you, you can sign in as the root user and review\n your root user access keys. Then, you can pull a credentials report to\n learn which IAM user owns the keys. To learn who requested the temporary credentials for\n an ASIA
access key, view the STS events in your CloudTrail logs in the\n IAM User Guide.
This operation does not indicate the state of the access key. The key might be active,\n inactive, or deleted. Active keys might not have permissions to perform an operation.\n Providing a deleted access key might return an error that the key doesn't exist.
" + "smithy.api#documentation": "Returns the account identifier for the specified access key ID.
\nAccess keys consist of two parts: an access key ID (for example,\n AKIAIOSFODNN7EXAMPLE
) and a secret access key (for example,\n wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
). For more information about\n access keys, see Managing Access Keys for IAM\n Users in the IAM User Guide.
When you pass an access key ID to this operation, it returns the ID of the AWS\n account to which the keys belong. Access key IDs beginning with AKIA
are\n long-term credentials for an IAM user or the AWS account root user. Access key IDs\n beginning with ASIA
are temporary credentials that are created using STS\n operations. If the account in the response belongs to you, you can sign in as the root\n user and review your root user access keys. Then, you can pull a credentials report to learn which IAM user owns the keys. To learn who\n requested the temporary credentials for an ASIA
access key, view the STS\n events in your CloudTrail logs in the\n IAM User Guide.
This operation does not indicate the state of the access key. The key might be active,\n inactive, or deleted. Active keys might not have permissions to perform an operation.\n Providing a deleted access key might return an error that the key doesn't exist.
" } }, "com.amazonaws.sts#GetAccessKeyInfoRequest": { @@ -614,7 +638,7 @@ "AccessKeyId": { "target": "com.amazonaws.sts#accessKeyIdType", "traits": { - "smithy.api#documentation": "The identifier of an access key.
\nThis parameter allows (through its regex pattern) a string of characters that can\n consist of any upper- or lowercase letter or digit.
", + "smithy.api#documentation": "The identifier of an access key.
\nThis parameter allows (through its regex pattern) a string of characters that can\n consist of any upper- or lowercase letter or digit.
", "smithy.api#required": {} } } @@ -640,7 +664,7 @@ "target": "com.amazonaws.sts#GetCallerIdentityResponse" }, "traits": { - "smithy.api#documentation": "Returns details about the IAM user or role whose credentials are used to call the\n operation.
\nNo permissions are required to perform this operation. If an administrator adds a\n policy to your IAM user or role that explicitly denies access to the\n sts:GetCallerIdentity
action, you can still perform this operation.\n Permissions are not required because the same information is returned when an IAM user\n or role is denied access. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the\n IAM User Guide.
Returns details about the IAM user or role whose credentials are used to call the\n operation.
\nNo permissions are required to perform this operation. If an administrator adds a\n policy to your IAM user or role that explicitly denies access to the\n sts:GetCallerIdentity
action, you can still perform this operation.\n Permissions are not required because the same information is returned when an IAM\n user or role is denied access. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the\n IAM User Guide.
Returns a set of temporary security credentials (consisting of an access key ID, a\n secret access key, and a security token) for a federated user. A typical use is in a proxy\n application that gets temporary security credentials on behalf of distributed applications\n inside a corporate network. You must call the GetFederationToken
operation\n using the long-term security credentials of an IAM user. As a result, this call is\n appropriate in contexts where those credentials can be safely stored, usually in a\n server-based application. For a comparison of GetFederationToken
with the\n other API operations that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n AWS STS API operations in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using\n a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
You can also call GetFederationToken
using the security credentials of an\n AWS account root user, but we do not recommend it. Instead, we recommend that you create\n an IAM user for the purpose of the proxy application. Then attach a policy to the IAM\n user that limits federated users to only the actions and resources that they need to\n access. For more information, see IAM Best Practices in the\n IAM User Guide.
\n Session duration\n
\nThe temporary credentials are valid for the specified duration, from 900 seconds (15\n minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is\n 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS account\n root user credentials have a maximum duration of 3,600 seconds (1 hour).
\n\n Permissions\n
\nYou can use the temporary credentials created by GetFederationToken
in any\n AWS service except the following:
You cannot call any IAM operations using the AWS CLI or the AWS API.
\nYou cannot call any STS operations except GetCallerIdentity
.
You must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session policies.\n The plain text that you use for both inline and managed session policies can't exceed 2,048\n characters.
\nThough the session policy parameters are optional, if you do not pass a policy, then the\n resulting federated user session has no permissions. When you pass session policies, the\n session permissions are the intersection of the IAM user policies and the session\n policies that you pass. This gives you a way to further restrict the permissions for a\n federated user. You cannot use session policies to grant more permissions than those that\n are defined in the permissions policy of the IAM user. For more information, see Session\n Policies in the IAM User Guide. For information about\n using GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If\n that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions granted by the\n session policies.
\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These are called session\n tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using Tags\n for Attribute-Based Access Control in the\n IAM User Guide.
\nTag key–value pairs are not case sensitive, but case is preserved. This means that you\n cannot have separate Department
and department
tag keys. Assume\n that the user that you are federating has the\n Department
=Marketing
tag and you pass the\n department
=engineering
session tag. Department
\n and department
are not saved as separate tags, and the session tag passed in\n the request takes precedence over the user tag.
Returns a set of temporary security credentials (consisting of an access key ID, a\n secret access key, and a security token) for a federated user. A typical use is in a proxy\n application that gets temporary security credentials on behalf of distributed applications\n inside a corporate network. You must call the GetFederationToken
operation\n using the long-term security credentials of an IAM user. As a result, this call is\n appropriate in contexts where those credentials can be safely stored, usually in a\n server-based application. For a comparison of GetFederationToken
with the\n other API operations that produce temporary credentials, see Requesting Temporary Security\n Credentials and Comparing the\n AWS STS API operations in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using\n a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
You can also call GetFederationToken
using the security credentials of an\n AWS account root user, but we do not recommend it. Instead, we recommend that you create\n an IAM user for the purpose of the proxy application. Then attach a policy to the IAM\n user that limits federated users to only the actions and resources that they need to\n access. For more information, see IAM Best Practices in the\n IAM User Guide.
\n Session duration\n
\nThe temporary credentials are valid for the specified duration, from 900 seconds (15\n minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is\n 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS account\n root user credentials have a maximum duration of 3,600 seconds (1 hour).
\n\n Permissions\n
\nYou can use the temporary credentials created by GetFederationToken
in any\n AWS service except the following:
You cannot call any IAM operations using the AWS CLI or the AWS API.
\nYou cannot call any STS operations except GetCallerIdentity
.
You must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session policies.\n The plaintext that you use for both inline and managed session policies can't exceed 2,048\n characters.
\nThough the session policy parameters are optional, if you do not pass a policy, then the\n resulting federated user session has no permissions. When you pass session policies, the\n session permissions are the intersection of the IAM user policies and the session\n policies that you pass. This gives you a way to further restrict the permissions for a\n federated user. You cannot use session policies to grant more permissions than those that\n are defined in the permissions policy of the IAM user. For more information, see Session\n Policies in the IAM User Guide. For information about\n using GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If\n that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions granted by the\n session policies.
\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These are called session\n tags. For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nYou can create a mobile-based or browser-based app that can authenticate users\n using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID\n Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or\n AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the\n IAM User Guide.
You can also call GetFederationToken
using the security credentials of an\n AWS account root user, but we do not recommend it. Instead, we recommend that you\n create an IAM user for the purpose of the proxy application. Then attach a policy to\n the IAM user that limits federated users to only the actions and resources that they\n need to access. For more information, see IAM Best Practices in the\n IAM User Guide.
\n Session duration\n
\nThe temporary credentials are valid for the specified duration, from 900 seconds (15\n minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is\n 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS\n account root user credentials have a maximum duration of 3,600 seconds (1 hour).
\n\n Permissions\n
\nYou can use the temporary credentials created by GetFederationToken
in\n any AWS service except the following:
You cannot call any IAM operations using the AWS CLI or the AWS API.\n
\nYou cannot call any STS operations except\n GetCallerIdentity
.
You must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session\n policies. The plain text that you use for both inline and managed session policies can't\n exceed 2,048 characters.
\nThough the session policy parameters are optional, if you do not pass a policy, then\n the resulting federated user session has no permissions. When you pass session policies,\n the session permissions are the intersection of the IAM user policies and the session\n policies that you pass. This gives you a way to further restrict the permissions for a\n federated user. You cannot use session policies to grant more permissions than those\n that are defined in the permissions policy of the IAM user. For more information, see\n Session Policies\n in the IAM User Guide. For information about using\n GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If\n that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions\n allowed by the policy. These permissions are granted in addition to the permissions\n granted by the session policies.
\n Tags\n
\n(Optional) You can pass tag key-value pairs to your session. These are called session\n tags. For more information about session tags, see Passing Session Tags in STS in\n the IAM User Guide.
\nAn administrator must grant you the permissions necessary to pass session tags. The\n administrator can also create granular permissions to allow you to pass only specific\n session tags. For more information, see Tutorial: Using\n Tags for Attribute-Based Access Control in the\n IAM User Guide.
\nTag key–value pairs are not case sensitive, but case is preserved. This means that you\n cannot have separate Department
and department
tag keys.\n Assume that the user that you are federating has the\n Department
=Marketing
tag and you pass the\n department
=engineering
session tag.\n Department
and department
are not saved as separate tags,\n and the session tag passed in the request takes precedence over the user tag.
An IAM policy in JSON format that you want to use as an inline session policy.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session\n policies.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you a way to further\n restrict the permissions for a federated user. You cannot use session policies to grant\n more permissions than those that are defined in the permissions policy of the IAM user.\n For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
The plain text that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
An IAM policy in JSON format that you want to use as an inline session policy.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session\n policies.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you a way to further\n restrict the permissions for a federated user. You cannot use session policies to grant\n more permissions than those that are defined in the permissions policy of the IAM user.\n For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
The plaintext that you use for both inline and managed session policies can't exceed\n 2,048 characters. The JSON policy characters can be any ASCII character from the space\n character to the end of the valid character list (\\u0020 through \\u00FF). It can also\n include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)\n characters.
\nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a\n managed session policy. The policies must exist in the same account as the IAM user that\n is requesting federated access.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session policies.\n The plain text that you use for both inline and managed session policies can't exceed 2,048\n characters. You can provide up to 10 managed policy ARNs. For more information about ARNs,\n see Amazon\n Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you a way to further\n restrict the permissions for a federated user. You cannot use session policies to grant\n more permissions than those that are defined in the permissions policy of the IAM user.\n For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
An AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a\n managed session policy. The policies must exist in the same account as the IAM user that\n is requesting federated access.
\nYou must pass an inline or managed session policy to\n this operation. You can pass a single JSON policy document to use as an inline session\n policy. You can also specify up to 10 managed policies to use as managed session policies.\n The plaintext that you use for both inline and managed session policies can't exceed 2,048\n characters. You can provide up to 10 managed policy ARNs. For more information about ARNs,\n see Amazon\n Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
\nThis parameter is optional. However, if you do not pass any session policies, then the\n resulting federated user session has no permissions.
\nWhen you pass session policies, the session permissions are the intersection of the\n IAM user policies and the session policies that you pass. This gives you a way to further\n restrict the permissions for a federated user. You cannot use session policies to grant\n more permissions than those that are defined in the permissions policy of the IAM user.\n For more information, see Session Policies in\n the IAM User Guide.
\nThe resulting credentials can be used to access a resource that has a resource-based\n policy. If that policy specifically references the federated user session in the\n Principal
element of the policy, the session has the permissions allowed by\n the policy. These permissions are granted in addition to the permissions that are granted\n by the session policies.
An AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
A list of session tags. Each session tag consists of a key name and an associated value.\n For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nThis parameter is optional. You can pass up to 50 session tags. The plain text session\n tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these\n and additional limits, see IAM\n and STS Character Limits in the IAM User Guide.
\n \nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plain text meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
You can pass a session tag with the same key as a tag that is already attached to the\n user you are federating. When you do, session tags override a user tag with the same key.
\nTag key–value pairs are not case sensitive, but case is preserved. This means that you\n cannot have separate Department
and department
tag keys. Assume\n that the role has the Department
=Marketing
tag and you pass the\n department
=engineering
session tag. Department
\n and department
are not saved as separate tags, and the session tag passed in\n the request takes precedence over the role tag.
A list of session tags. Each session tag consists of a key name and an associated value.\n For more information about session tags, see Passing Session Tags in STS in the\n IAM User Guide.
\nThis parameter is optional. You can pass up to 50 session tags. The plaintext session\n tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these\n and additional limits, see IAM\n and STS Character Limits in the IAM User Guide.
\n \nAn AWS conversion compresses the passed session policies and session tags into a\n packed binary format that has a separate limit. Your request can fail for this limit\n even if your plaintext meets the other requirements. The PackedPolicySize
\n response element indicates by percentage how close the policies and tags for your\n request are to the upper size limit.\n
You can pass a session tag with the same key as a tag that is already\n attached to the user you are federating. When you do, session tags override a user tag with\n the same key.
\nTag key–value pairs are not case sensitive, but case is preserved. This means that you\n cannot have separate Department
and department
tag keys. Assume\n that the role has the Department
=Marketing
tag and you pass the\n department
=engineering
session tag. Department
\n and department
are not saved as separate tags, and the session tag passed in\n the request takes precedence over the role tag.
The duration, in seconds, that the credentials should remain valid. Acceptable durations\n for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours),\n with 43,200 seconds (12 hours) as the default. Sessions for AWS account owners are\n restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one\n hour, the session for AWS account owners defaults to one hour.
" + "smithy.api#documentation": "The duration, in seconds, that the credentials should remain valid. Acceptable\n durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds\n (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for AWS account\n owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is\n longer than one hour, the session for AWS account owners defaults to one hour.
" } }, "SerialNumber": { "target": "com.amazonaws.sts#serialNumberType", "traits": { - "smithy.api#documentation": "The identification number of the MFA device that is associated with the IAM user who\n is making the GetSessionToken
call. Specify this value if the IAM user has a\n policy that requires MFA authentication. The value is either the serial number for a\n hardware device (such as GAHT12345678
) or an Amazon Resource Name (ARN) for a\n virtual device (such as arn:aws:iam::123456789012:mfa/user
). You can find the\n device for an IAM user by going to the AWS Management Console and viewing the user's security\n credentials.
The regex used to validate this parameter is a string of \n characters consisting of upper- and lower-case alphanumeric characters with no spaces. \n You can also include underscores or any of the following characters: =,.@:/-
" + "smithy.api#documentation": "The identification number of the MFA device that is associated with the IAM user who\n is making the GetSessionToken
call. Specify this value if the IAM user\n has a policy that requires MFA authentication. The value is either the serial number for\n a hardware device (such as GAHT12345678
) or an Amazon Resource Name (ARN)\n for a virtual device (such as arn:aws:iam::123456789012:mfa/user
). You can\n find the device for an IAM user by going to the AWS Management Console and viewing the user's\n security credentials.
The regex used to validate this parameter is a string of \n characters consisting of upper- and lower-case alphanumeric characters with no spaces. \n You can also include underscores or any of the following characters: =,.@:/-
" } }, "TokenCode": { "target": "com.amazonaws.sts#tokenCodeType", "traits": { - "smithy.api#documentation": "The value provided by the MFA device, if MFA is required. If any policy requires the\n IAM user to submit an MFA code, specify this value. If MFA authentication is required,\n the user must provide a code when requesting a set of temporary security credentials. A\n user who fails to provide the code receives an \"access denied\" response when requesting\n resources that require MFA authentication.
\nThe format for this parameter, as described by its regex pattern, is a sequence of six\n numeric digits.
" + "smithy.api#documentation": "The value provided by the MFA device, if MFA is required. If any policy requires the\n IAM user to submit an MFA code, specify this value. If MFA authentication is required,\n the user must provide a code when requesting a set of temporary security credentials. A\n user who fails to provide the code receives an \"access denied\" response when requesting\n resources that require MFA authentication.
\nThe format for this parameter, as described by its regex pattern, is a sequence of six\n numeric digits.
" } } } @@ -804,7 +828,7 @@ "Credentials": { "target": "com.amazonaws.sts#Credentials", "traits": { - "smithy.api#documentation": "The temporary security credentials, which include an access key ID, a secret access key,\n and a security (or session) token.
\nThe size of the security token that STS API operations return is not fixed. We\n strongly recommend that you make no assumptions about the maximum size.
\nThe temporary security credentials, which include an access key ID, a secret access\n key, and a security (or session) token.
\n \nThe size of the security token that STS API operations return is not fixed. We\n strongly recommend that you make no assumptions about the maximum size.
\n