The DetectEntities operation is deprecated. You should use the DetectEntitiesV2 operation instead.
Inspects the clinical text for a variety of medical entities and returns specific information about them such as entity category, location, and confidence score on that information .
", "DetectEntitiesV2": "Inspects the clinical text for a variety of medical entities and returns specific information about them such as entity category, location, and confidence score on that information. Amazon Comprehend Medical only detects medical entities in English language texts.
The DetectEntitiesV2 operation replaces the DetectEntities operation. This new action uses a different model for determining the entities in your medical text and changes the way that some entities are returned in the output. You should use the DetectEntitiesV2 operation in all new applications.
The DetectEntitiesV2 operation returns the Acuity and Direction entities as attributes instead of types.
Inspects the clinical text for protected health information (PHI) entities and returns the entity category, location, and confidence score for each entity. Amazon Comprehend Medical only detects entities in English language texts.
", - "InferICD10CM": "InferICD10CM detects medical conditions as entities listed in a patient record and links those entities to normalized concept identifiers in the ICD-10-CM knowledge base from the Centers for Disease Control. Amazon Comprehend Medical only detects medical entities in English language texts.
", - "InferRxNorm": "InferRxNorm detects medications as entities listed in a patient record and links to the normalized concept identifiers in the RxNorm database from the National Library of Medicine. Amazon Comprehend Medical only detects medical entities in English language texts.
", + "InferICD10CM": "InferICD10CM detects medical conditions as entities listed in a patient record and links those entities to normalized concept identifiers in the ICD-10-CM knowledge base from the Centers for Disease Control. Amazon Comprehend Medical only detects medical entities in English language texts.
", + "InferRxNorm": "InferRxNorm detects medications as entities listed in a patient record and links to the normalized concept identifiers in the RxNorm database from the National Library of Medicine. Amazon Comprehend Medical only detects medical entities in English language texts.
", "ListEntitiesDetectionV2Jobs": "Gets a list of medical entity detection jobs that you have submitted.
", "ListICD10CMInferenceJobs": "Gets a list of InferICD10CM jobs that you have submitted.
", "ListPHIDetectionJobs": "Gets a list of protected health information (PHI) detection jobs that you have submitted.
", @@ -264,7 +264,14 @@ "ICD10CMEntityType": { "base": null, "refs": { - "ICD10CMEntity$Type": "Describes the specific type of entity with category of entities. InferICD10CM detects entities of the type DX_NAME.
The category of attribute. Can be either of DX_NAME or TIME_EXPRESSION.
Describes the specific type of entity with category of entities. InferICD10CM detects entities of the type DX_NAME and TIME_EXPRESSION.
The type of relationship between the entity and attribute. Type for the relationship can be either of OVERLAP or SYSTEM_ORGAN_SITE.
The input properties for an entities detection job. This includes the name of the S3 bucket and the path to the files to be analyzed. See batch-manifest for more information.
", + "base": "The input properties for an entities detection job. This includes the name of the S3 bucket and the path to the files to be analyzed.
", "refs": { "ComprehendMedicalAsyncJobProperties$InputDataConfig": "The input data configuration that you supplied when you created the detection job.
", "StartEntitiesDetectionV2JobRequest$InputDataConfig": "Specifies the format and location of the input data for the job.
", diff --git a/models/apis/lightsail/2016-11-28/docs-2.json b/models/apis/lightsail/2016-11-28/docs-2.json index 2fe71607579..8e9c6b5863c 100644 --- a/models/apis/lightsail/2016-11-28/docs-2.json +++ b/models/apis/lightsail/2016-11-28/docs-2.json @@ -3277,7 +3277,7 @@ "CreateLoadBalancerRequest$certificateName": "The name of the SSL/TLS certificate.
If you specify certificateName, then certificateDomainName is required (and vice-versa).
The load balancer name where you want to create the SSL/TLS certificate.
", "CreateLoadBalancerTlsCertificateRequest$certificateName": "The SSL/TLS certificate name.
You can have up to 10 certificates in your account at one time. Each Lightsail load balancer can have up to 2 certificates associated with it at one time. There is also an overall limit to the number of certificates that can be issue in a 365-day period. For more information, see Limits.
", - "CreateRelationalDatabaseFromSnapshotRequest$relationalDatabaseName": "The name to use for your new database.
Constraints:
Must contain from 2 to 255 alphanumeric characters, or hyphens.
The first and last character must be a letter or number.
The name to use for your new Lightsail database resource.
Constraints:
Must contain from 2 to 255 alphanumeric characters, or hyphens.
The first and last character must be a letter or number.
The name of the database snapshot from which to create your new database.
", "CreateRelationalDatabaseFromSnapshotRequest$sourceRelationalDatabaseName": "The name of the source database.
", "CreateRelationalDatabaseRequest$relationalDatabaseName": "The name to use for your new Lightsail database resource.
Constraints:
Must contain from 2 to 255 alphanumeric characters, or hyphens.
The first and last character must be a letter or number.
The name of the distribution to update.
Use the GetDistributions action to get a list of distribution names that you can specify.
The name of the load balancer that you want to modify (e.g., my-load-balancer.
The name of your database for which to update parameters.
", - "UpdateRelationalDatabaseRequest$relationalDatabaseName": "The name of your database to update.
" + "UpdateRelationalDatabaseRequest$relationalDatabaseName": "The name of your Lightsail database resource to update.
" } }, "ResourceNameList": { @@ -3451,9 +3451,9 @@ "SensitiveString": { "base": null, "refs": { - "CreateRelationalDatabaseRequest$masterUserPassword": "The password for the master user of your new database. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".
Constraints: Must contain 8 to 41 characters.
", + "CreateRelationalDatabaseRequest$masterUserPassword": "The password for the master user. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\". It cannot contain spaces.
MySQL
Constraints: Must contain from 8 to 41 characters.
PostgreSQL
Constraints: Must contain from 8 to 128 characters.
", "GetRelationalDatabaseMasterUserPasswordResult$masterUserPassword": "The master user password for the password version specified.
The password for the master user of your database. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".
Constraints: Must contain 8 to 41 characters.
" + "UpdateRelationalDatabaseRequest$masterUserPassword": "The password for the master user. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".
MySQL
Constraints: Must contain from 8 to 41 characters.
PostgreSQL
Constraints: Must contain from 8 to 128 characters.
" } }, "SerialNumber": { @@ -3959,8 +3959,8 @@ "CreateRelationalDatabaseRequest$availabilityZone": "The Availability Zone in which to create your new database. Use the us-east-2a case-sensitive format.
You can get a list of Availability Zones by using the get regions operation. Be sure to add the include relational database Availability Zones parameter to your request.
The blueprint ID for your new database. A blueprint describes the major engine version of a database.
You can get a list of database blueprints IDs by using the get relational database blueprints operation.
The bundle ID for your new database. A bundle describes the performance specifications for your database.
You can get a list of database bundle IDs by using the get relational database bundles operation.
The name of the master database created when the Lightsail database resource is created.
Constraints:
Must contain from 1 to 64 alphanumeric characters.
Cannot be a word reserved by the specified database engine
The master user name for your new database.
Constraints:
Master user name is required.
Must contain from 1 to 16 alphanumeric characters.
The first character must be a letter.
Cannot be a reserved word for the database engine you choose.
For more information about reserved words in MySQL 5.6 or 5.7, see the Keywords and Reserved Words articles for MySQL 5.6 or MySQL 5.7 respectively.
The meaning of this parameter differs according to the database engine you use.
MySQL
The name of the database to create when the Lightsail database resource is created. If this parameter isn't specified, no database is created in the database resource.
Constraints:
Must contain 1 to 64 letters or numbers.
Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0- 9).
Can't be a word reserved by the specified database engine.
For more information about reserved words in MySQL, see the Keywords and Reserved Words articles for MySQL 5.6, MySQL 5.7, and MySQL 8.0.
PostgreSQL
The name of the database to create when the Lightsail database resource is created. If this parameter isn't specified, a database named postgres is created in the database resource.
Constraints:
Must contain 1 to 63 letters or numbers.
Must begin with a letter. Subsequent characters can be letters, underscores, or digits (0- 9).
Can't be a word reserved by the specified database engine.
For more information about reserved words in PostgreSQL, see the SQL Key Words articles for PostgreSQL 9.6, PostgreSQL 10, PostgreSQL 11, and PostgreSQL 12.
The name for the master user.
MySQL
Constraints:
Required for MySQL.
Must be 1 to 16 letters or numbers. Can contain underscores.
First character must be a letter.
Can't be a reserved word for the chosen database engine.
For more information about reserved words in MySQL 5.6 or 5.7, see the Keywords and Reserved Words articles for MySQL 5.6, MySQL 5.7, or MySQL 8.0.
PostgreSQL
Constraints:
Required for PostgreSQL.
Must be 1 to 63 letters or numbers. Can contain underscores.
First character must be a letter.
Can't be a reserved word for the chosen database engine.
For more information about reserved words in MySQL 5.6 or 5.7, see the Keywords and Reserved Words articles for PostgreSQL 9.6, PostgreSQL 10, PostgreSQL 11, and PostgreSQL 12.
The daily time range during which automated backups are created for your new database if automated backups are enabled.
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region. For more information about the preferred backup window time blocks for each region, see the Working With Backups guide in the Amazon Relational Database Service (Amazon RDS) documentation.
Constraints:
Must be in the hh24:mi-hh24:mi format.
Example: 16:00-16:30
Specified in Coordinated Universal Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The weekly time range during which system maintenance can occur on your new database.
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week.
Constraints:
Must be in the ddd:hh24:mi-ddd:hh24:mi format.
Valid days: Mon, Tue, Wed, Thu, Fri, Sat, Sun.
Must be at least 30 minutes.
Specified in Coordinated Universal Time (UTC).
Example: Tue:17:00-Tue:17:30
The name of the container image to delete from the container service.
Use the GetContainerImages action to get the name of the container images that are registered to a container service.
Container images sourced from your Lightsail container service, that are registered and stored on your service, start with a colon (:). For example, :container-service-1.mystaticwebsite.1. Container images sourced from a public registry like Docker Hub don't start with a colon. For example, nginx:latest or nginx.
You can call DescribeValidDBInstanceModifications to learn what modifications you can make to your DB instance. You can use this information when you call ModifyDBInstance.
Downloads all or a portion of the specified log file, up to 1 MB in size.
", "FailoverDBCluster": "Forces a failover for a DB cluster.
A failover for a DB cluster promotes one of the Aurora Replicas (read-only instances) in the DB cluster to be the primary instance (the cluster writer).
Amazon Aurora will automatically fail over to an Aurora Replica, if one exists, when the primary instance fails. You can force a failover when you want to simulate a failure of a primary instance for testing. Because each instance in a DB cluster has its own endpoint address, you will need to clean up and re-establish any existing connections that use those endpoint addresses when the failover is complete.
For more information on Amazon Aurora, see What Is Amazon Aurora? in the Amazon Aurora User Guide.
This action only applies to Aurora DB clusters.
Initiates the failover process for an Aurora global database (GlobalCluster).
A failover for an Aurora global database promotes one of secondary read-only DB clusters to be the primary DB cluster and demotes the primary DB cluster to being a secondary (read-only) DB cluster. In other words, the role of the current primary DB cluster and the selected (target) DB cluster are switched. The selected secondary DB cluster assumes full read/write capabilities for the Aurora global database.
For more information about failing over an Amazon Aurora global database, see Managed planned failover for Amazon Aurora global databases in the Amazon Aurora User Guide.
This action applies to GlobalCluster (Aurora global databases) only. Use this action only on healthy Aurora global databases with running Aurora DB clusters and no Region-wide outages, to test disaster recovery scenarios or to reconfigure your Aurora global database topology.
Initiates the failover process for an Aurora global database (GlobalCluster).
A failover for an Aurora global database promotes one of secondary read-only DB clusters to be the primary DB cluster and demotes the primary DB cluster to being a secondary (read-only) DB cluster. In other words, the role of the current primary DB cluster and the selected (target) DB cluster are switched. The selected secondary DB cluster assumes full read/write capabilities for the Aurora global database.
For more information about failing over an Amazon Aurora global database, see Managed planned failover for Amazon Aurora global databases in the Amazon Aurora User Guide.
This action applies to GlobalCluster (Aurora global databases) only. Use this action only on healthy Aurora global databases with running Aurora DB clusters and no Region-wide outages, to test disaster recovery scenarios or to reconfigure your Aurora global database topology.
Imports the installation media for a DB engine that requires an on-premises customer provided license, such as SQL Server.
", "ListTagsForResource": "Lists all tags on an Amazon RDS resource.
For an overview on tagging an Amazon RDS resource, see Tagging Amazon RDS Resources in the Amazon RDS User Guide.
", "ModifyCertificates": "Override the system-default Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for Amazon RDS for new DB instances temporarily, or remove the override.
By using this operation, you can specify an RDS-approved SSL/TLS certificate for new DB instances that is different from the default certificate provided by RDS. You can also use this operation to remove the override, so that new DB instances use the default certificate provided by RDS.
You might need to override the default certificate in the following situations:
You already migrated your applications to support the latest certificate authority (CA) certificate, but the new CA certificate is not yet the RDS default CA certificate for the specified AWS Region.
RDS has already moved to a new default CA certificate for the specified AWS Region, but you are still in the process of supporting the new CA certificate. In this case, you temporarily need additional time to finish your application changes.
For more information about rotating your SSL/TLS certificate for RDS DB engines, see Rotating Your SSL/TLS Certificate in the Amazon RDS User Guide.
For more information about rotating your SSL/TLS certificate for Aurora DB engines, see Rotating Your SSL/TLS Certificate in the Amazon Aurora User Guide.
", @@ -129,7 +129,7 @@ "RestoreDBInstanceFromDBSnapshot": "Creates a new DB instance from a DB snapshot. The target database is created from the source database restore point with most of the source's original configuration, including the default security group and DB parameter group. By default, the new DB instance is created as a Single-AZ deployment, except when the instance is a SQL Server instance that has an option group associated with mirroring. In this case, the instance becomes a Multi-AZ deployment, not a Single-AZ deployment.
If you want to replace your original DB instance with the new, restored DB instance, then rename your original DB instance before you call the RestoreDBInstanceFromDBSnapshot action. RDS doesn't allow two DB instances with the same name. After you have renamed your original DB instance with a different identifier, then you can pass the original name of the DB instance as the DBInstanceIdentifier in the call to the RestoreDBInstanceFromDBSnapshot action. The result is that you replace the original DB instance with the DB instance created from the snapshot.
If you are restoring from a shared manual DB snapshot, the DBSnapshotIdentifier must be the ARN of the shared DB snapshot.
This command doesn't apply to Aurora MySQL and Aurora PostgreSQL. For Aurora, use RestoreDBClusterFromSnapshot.
Amazon Relational Database Service (Amazon RDS) supports importing MySQL databases by using backup files. You can create a backup of your on-premises database, store it on Amazon Simple Storage Service (Amazon S3), and then restore the backup file onto a new Amazon RDS DB instance running MySQL. For more information, see Importing Data into an Amazon RDS MySQL DB Instance in the Amazon RDS User Guide.
", "RestoreDBInstanceToPointInTime": "Restores a DB instance to an arbitrary point in time. You can restore to any point in time before the time identified by the LatestRestorableTime property. You can restore to a point up to the number of days specified by the BackupRetentionPeriod property.
The target database is created with most of the original configuration, but in a system-selected Availability Zone, with the default security group, the default subnet group, and the default DB parameter group. By default, the new DB instance is created as a single-AZ deployment except when the instance is a SQL Server instance that has an option group that is associated with mirroring; in this case, the instance becomes a mirrored deployment and not a single-AZ deployment.
This command doesn't apply to Aurora MySQL and Aurora PostgreSQL. For Aurora, use RestoreDBClusterToPointInTime.
Revokes ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC Security Groups. Required parameters for this API are one of CIDRIP, EC2SecurityGroupId for VPC, or (EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId).
", + "RevokeDBSecurityGroupIngress": "Revokes ingress from a DBSecurityGroup for previously authorized IP ranges or EC2 or VPC security groups. Required parameters for this API are one of CIDRIP, EC2SecurityGroupId for VPC, or (EC2SecurityGroupOwnerId and either EC2SecurityGroupName or EC2SecurityGroupId).
", "StartActivityStream": "Starts a database activity stream to monitor activity on the database. For more information, see Database Activity Streams in the Amazon Aurora User Guide.
", "StartDBCluster": "Starts an Amazon Aurora DB cluster that was stopped using the AWS console, the stop-db-cluster AWS CLI command, or the StopDBCluster action.
For more information, see Stopping and Starting an Aurora Cluster in the Amazon Aurora User Guide.
This action only applies to Aurora DB clusters.
Starts an Amazon RDS DB instance that was stopped using the AWS console, the stop-db-instance AWS CLI command, or the StopDBInstance action.
For more information, see Starting an Amazon RDS DB instance That Was Previously Stopped in the Amazon RDS User Guide.
This command doesn't apply to Aurora MySQL and Aurora PostgreSQL. For Aurora DB clusters, use StartDBCluster instead.
The number of days for which automated backups are retained. You must specify a minimum value of 1.
Default: 1
Constraints:
Must be a value from 1 to 35
The port number on which the DB cluster accepts connections.
Constraints: Value must be 1150-65535
Default: The same port as the original DB cluster.
", "ModifyDBInstanceMessage$AllocatedStorage": "The new amount of storage (in gibibytes) to allocate for the DB instance.
For MariaDB, MySQL, Oracle, and PostgreSQL, the value supplied must be at least 10% greater than the current value. Values that are not at least 10% greater than the existing value are rounded up so that they are 10% greater than the current value.
For the valid values for allocated storage for each engine, see CreateDBInstance.
The number of days to retain automated backups. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups.
Changing this parameter can result in an outage if you change from 0 to a non-zero value or from a non-zero value to 0. These changes are applied during the next maintenance window unless the ApplyImmediately parameter is enabled for this request. If you change the parameter from one non-zero value to another non-zero value, the change is asynchronously applied as soon as possible.
Amazon Aurora
Not applicable. The retention period for automated backups is managed by the DB cluster. For more information, see ModifyDBCluster.
Default: Uses existing setting
Constraints:
Must be a value from 0 to 35
Can be specified for a MySQL read replica only if the source is running MySQL 5.6 or later
Can be specified for a PostgreSQL read replica only if the source is running PostgreSQL 9.3.5
Can't be set to 0 if the DB instance is a source to read replicas
The number of days to retain automated backups. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups.
Enabling and disabling backups can result in a brief I/O suspension that lasts from a few seconds to a few minutes, depending on the size and class of your DB instance.
These changes are applied during the next maintenance window unless the ApplyImmediately parameter is enabled for this request. If you change the parameter from one non-zero value to another non-zero value, the change is asynchronously applied as soon as possible.
Amazon Aurora
Not applicable. The retention period for automated backups is managed by the DB cluster. For more information, see ModifyDBCluster.
Default: Uses existing setting
Constraints:
Must be a value from 0 to 35
Can be specified for a MySQL read replica only if the source is running MySQL 5.6 or later
Can be specified for a PostgreSQL read replica only if the source is running PostgreSQL 9.3.5
Can't be set to 0 if the DB instance is a source to read replicas
The new Provisioned IOPS (I/O operations per second) value for the RDS instance.
Changing this setting doesn't result in an outage and the change is applied during the next maintenance window unless the ApplyImmediately parameter is enabled for this request. If you are migrating from Provisioned IOPS to standard storage, set this value to 0. The DB instance will require a reboot for the change in storage type to take effect.
If you choose to migrate your DB instance from using standard storage to using Provisioned IOPS, or from using Provisioned IOPS to using standard storage, the process can take time. The duration of the migration depends on several factors such as database load, storage size, storage type (standard or Provisioned IOPS), amount of IOPS provisioned (if any), and the number of prior scale storage operations. Typical migration times are under 24 hours, but the process can take up to several days in some cases. During the migration, the DB instance is available for use, but might experience performance degradation. While the migration takes place, nightly backups for the instance are suspended. No other Amazon RDS operations can take place for the instance, including modifying the instance, rebooting the instance, deleting the instance, creating a read replica for the instance, and creating a DB snapshot of the instance.
Constraints: For MariaDB, MySQL, Oracle, and PostgreSQL, the value supplied must be at least 10% greater than the current value. Values that are not at least 10% greater than the existing value are rounded up so that they are 10% greater than the current value.
Default: Uses existing setting
", "ModifyDBInstanceMessage$MonitoringInterval": "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0.
If MonitoringRoleArn is specified, then you must also set MonitoringInterval to a value other than 0.
Valid Values: 0, 1, 5, 10, 15, 30, 60
The port number on which the database accepts connections.
The value of the DBPortNumber parameter must not match any of the port values specified for options in the option group for the DB instance.
Your database will restart when you change the DBPortNumber value regardless of the value of the ApplyImmediately parameter.
MySQL
Default: 3306
Valid values: 1150-65535
MariaDB
Default: 3306
Valid values: 1150-65535
PostgreSQL
Default: 5432
Valid values: 1150-65535
Type: Integer
Oracle
Default: 1521
Valid values: 1150-65535
SQL Server
Default: 1433
Valid values: 1150-65535 except 1234, 1434, 3260, 3343, 3389, 47001, and 49152-49156.
Amazon Aurora
Default: 3306
Valid values: 1150-65535
The upper limit to which Amazon RDS can automatically scale the storage of the DB instance.
For more information about this setting, including limitations that apply to it, see Managing capacity automatically with Amazon RDS storage autoscaling in the Amazon RDS User Guide.
", "ScalingConfiguration$MinCapacity": "The minimum capacity for an Aurora DB cluster in serverless DB engine mode.
For Aurora MySQL, valid capacity values are 1, 2, 4, 8, 16, 32, 64, 128, and 256.
For Aurora PostgreSQL, valid capacity values are 2, 4, 8, 16, 32, 64, 192, and 384.
The minimum capacity must be less than or equal to the maximum capacity.
", "ScalingConfiguration$MaxCapacity": "The maximum capacity for an Aurora DB cluster in serverless DB engine mode.
For Aurora MySQL, valid capacity values are 1, 2, 4, 8, 16, 32, 64, 128, and 256.
For Aurora PostgreSQL, valid capacity values are 2, 4, 8, 16, 32, 64, 192, and 384.
The maximum capacity must be greater than or equal to the minimum capacity.
", - "ScalingConfiguration$SecondsUntilAutoPause": "The time, in seconds, before an Aurora DB cluster in serverless mode is paused.
The time, in seconds, before an Aurora DB cluster in serverless mode is paused.
Specify a value between 300 and 86,400 seconds.
", "ScalingConfigurationInfo$MinCapacity": "The maximum capacity for the Aurora DB cluster in serverless DB engine mode.
The maximum capacity for an Aurora DB cluster in serverless DB engine mode.
The remaining amount of time, in seconds, before the Aurora DB cluster in serverless mode is paused. A DB cluster can be paused only when it's idle (it has no connections).
The list of identifiers of the event sources for which events are returned. If not specified, then all sources are included in the response. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens. It can't end with a hyphen or contain two consecutive hyphens.
Constraints:
If a SourceIds value is supplied, SourceType must also be provided.
If the source type is a DB instance, a DBInstanceIdentifier value must be supplied.
If the source type is a DB cluster, a DBClusterIdentifier value must be supplied.
If the source type is a DB parameter group, a DBParameterGroupName value must be supplied.
If the source type is a DB security group, a DBSecurityGroupName value must be supplied.
If the source type is a DB snapshot, a DBSnapshotIdentifier value must be supplied.
If the source type is a DB cluster snapshot, a DBClusterSnapshotIdentifier value must be supplied.
The list of identifiers of the event sources for which events are returned. If not specified, then all sources are included in the response. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens. It can't end with a hyphen or contain two consecutive hyphens.
Constraints:
If SourceIds are supplied, SourceType must also be provided.
If the source type is a DB instance, a DBInstanceIdentifier value must be supplied.
If the source type is a DB cluster, a DBClusterIdentifier value must be supplied.
If the source type is a DB parameter group, a DBParameterGroupName value must be supplied.
If the source type is a DB security group, a DBSecurityGroupName value must be supplied.
If the source type is a DB snapshot, a DBSnapshotIdentifier value must be supplied.
If the source type is a DB cluster snapshot, a DBClusterSnapshotIdentifier value must be supplied.
A list of source IDs for the RDS event notification subscription.
" } }, @@ -3691,7 +3691,7 @@ "CreateDBClusterMessage$MasterUsername": "The name of the master user for the DB cluster.
Constraints:
Must be 1 to 16 letters or numbers.
First character must be a letter.
Can't be a reserved word for the chosen database engine.
The password for the master database user. This password can contain any printable ASCII character except \"/\", \"\"\", or \"@\".
Constraints: Must contain from 8 to 41 characters.
", "CreateDBClusterMessage$OptionGroupName": "A value that indicates that the DB cluster should be associated with the specified option group.
Permanent options can't be removed from an option group. The option group can't be removed from a DB cluster once it is associated with a DB cluster.
", - "CreateDBClusterMessage$PreferredBackupWindow": "The daily time range during which automated backups are created if automated backups are enabled using the BackupRetentionPeriod parameter.
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region. To see the time blocks available, see Adjusting the Preferred DB Cluster Maintenance Window in the Amazon Aurora User Guide.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The daily time range during which automated backups are created if automated backups are enabled using the BackupRetentionPeriod parameter.
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region. To view the time blocks available, see Backup window in the Amazon Aurora User Guide.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).
Format: ddd:hh24:mi-ddd:hh24:mi
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week. To see the time blocks available, see Adjusting the Preferred DB Cluster Maintenance Window in the Amazon Aurora User Guide.
Valid Days: Mon, Tue, Wed, Thu, Fri, Sat, Sun.
Constraints: Minimum 30-minute window.
", "CreateDBClusterMessage$ReplicationSourceIdentifier": "The Amazon Resource Name (ARN) of the source DB instance or DB cluster if this DB cluster is created as a read replica.
", "CreateDBClusterMessage$KmsKeyId": "The AWS KMS key identifier for an encrypted DB cluster.
The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the AWS KMS customer master key (CMK). To use a CMK in a different AWS account, specify the key ARN or alias ARN.
When a CMK isn't specified in KmsKeyId:
If ReplicationSourceIdentifier identifies an encrypted source, then Amazon RDS will use the CMK used to encrypt the source. Otherwise, Amazon RDS will use your default CMK.
If the StorageEncrypted parameter is enabled and ReplicationSourceIdentifier isn't specified, then Amazon RDS will use your default CMK.
There is a default CMK for your AWS account. Your AWS account has a different default CMK for each AWS Region.
If you create a read replica of an encrypted DB cluster in another AWS Region, you must set KmsKeyId to a AWS KMS key identifier that is valid in the destination AWS Region. This CMK is used to encrypt the read replica in that AWS Region.
A DB subnet group to associate with this DB instance.
If there is no DB subnet group, then it is a non-VPC DB instance.
", "CreateDBInstanceMessage$PreferredMaintenanceWindow": "The time range each week during which system maintenance can occur, in Universal Coordinated Time (UTC). For more information, see Amazon RDS Maintenance Window.
Format: ddd:hh24:mi-ddd:hh24:mi
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week.
Valid Days: Mon, Tue, Wed, Thu, Fri, Sat, Sun.
Constraints: Minimum 30-minute window.
", "CreateDBInstanceMessage$DBParameterGroupName": "The name of the DB parameter group to associate with this DB instance. If you do not specify a value, then the default DB parameter group for the specified DB engine and version is used.
Constraints:
Must be 1 to 255 letters, numbers, or hyphens.
First character must be a letter
Can't end with a hyphen or contain two consecutive hyphens
The daily time range during which automated backups are created if automated backups are enabled, using the BackupRetentionPeriod parameter. For more information, see The Backup Window in the Amazon RDS User Guide.
Amazon Aurora
Not applicable. The daily time range for creating automated backups is managed by the DB cluster.
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region. To see the time blocks available, see Adjusting the Preferred DB Instance Maintenance Window in the Amazon RDS User Guide.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The daily time range during which automated backups are created if automated backups are enabled, using the BackupRetentionPeriod parameter. The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region. For more information, see Backup window in the Amazon RDS User Guide.
Amazon Aurora
Not applicable. The daily time range for creating automated backups is managed by the DB cluster.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The version number of the database engine to use.
For a list of valid engine versions, use the DescribeDBEngineVersions action.
The following are the database engines and links to information about the major and minor versions that are available with Amazon RDS. Not every database engine is available for every AWS Region.
Amazon Aurora
Not applicable. The version number of the database engine to be used by the DB instance is managed by the DB cluster.
MariaDB
See MariaDB on Amazon RDS Versions in the Amazon RDS User Guide.
Microsoft SQL Server
See Microsoft SQL Server Versions on Amazon RDS in the Amazon RDS User Guide.
MySQL
See MySQL on Amazon RDS Versions in the Amazon RDS User Guide.
Oracle
See Oracle Database Engine Release Notes in the Amazon RDS User Guide.
PostgreSQL
See Amazon RDS for PostgreSQL versions and extensions in the Amazon RDS User Guide.
", "CreateDBInstanceMessage$LicenseModel": "License model information for this DB instance.
Valid values: license-included | bring-your-own-license | general-public-license
A value that indicates that the DB instance should be associated with the specified option group.
Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group. Also, that option group can't be removed from a DB instance once it is associated with a DB instance
", @@ -4189,7 +4189,7 @@ "ModifyDBClusterMessage$DBClusterParameterGroupName": "The name of the DB cluster parameter group to use for the DB cluster.
", "ModifyDBClusterMessage$MasterUserPassword": "The new password for the master database user. This password can contain any printable ASCII character except \"/\", \"\"\", or \"@\".
Constraints: Must contain from 8 to 41 characters.
", "ModifyDBClusterMessage$OptionGroupName": "A value that indicates that the DB cluster should be associated with the specified option group. Changing this parameter doesn't result in an outage except in the following case, and the change is applied during the next maintenance window unless the ApplyImmediately is enabled for this request. If the parameter change results in an option group that enables OEM, this change can cause a brief (sub-second) period during which new connections are rejected but existing connections are not interrupted.
Permanent options can't be removed from an option group. The option group can't be removed from a DB cluster once it is associated with a DB cluster.
", - "ModifyDBClusterMessage$PreferredBackupWindow": "The daily time range during which automated backups are created if automated backups are enabled, using the BackupRetentionPeriod parameter.
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region. To see the time blocks available, see Adjusting the Preferred DB Cluster Maintenance Window in the Amazon Aurora User Guide.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The daily time range during which automated backups are created if automated backups are enabled, using the BackupRetentionPeriod parameter.
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region. To view the time blocks available, see Backup window in the Amazon Aurora User Guide.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).
Format: ddd:hh24:mi-ddd:hh24:mi
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week. To see the time blocks available, see Adjusting the Preferred DB Cluster Maintenance Window in the Amazon Aurora User Guide.
Valid Days: Mon, Tue, Wed, Thu, Fri, Sat, Sun.
Constraints: Minimum 30-minute window.
", "ModifyDBClusterMessage$EngineVersion": "The version number of the database engine to which you want to upgrade. Changing this parameter results in an outage. The change is applied during the next maintenance window unless ApplyImmediately is enabled.
To list all of the available engine versions for aurora (for MySQL 5.6-compatible Aurora), use the following command:
aws rds describe-db-engine-versions --engine aurora --query \"DBEngineVersions[].EngineVersion\"
To list all of the available engine versions for aurora-mysql (for MySQL 5.7-compatible Aurora), use the following command:
aws rds describe-db-engine-versions --engine aurora-mysql --query \"DBEngineVersions[].EngineVersion\"
To list all of the available engine versions for aurora-postgresql, use the following command:
aws rds describe-db-engine-versions --engine aurora-postgresql --query \"DBEngineVersions[].EngineVersion\"
The name of the DB parameter group to apply to all instances of the DB cluster.
When you apply a parameter group using the DBInstanceParameterGroupName parameter, the DB cluster isn't rebooted automatically. Also, parameter changes aren't applied during the next maintenance window but instead are applied immediately.
Default: The existing name setting
Constraints:
The DB parameter group must be in the same DB parameter group family as this DB cluster.
The DBInstanceParameterGroupName parameter is only valid in combination with the AllowMajorVersionUpgrade parameter.
The new DB subnet group for the DB instance. You can use this parameter to move your DB instance to a different VPC. If your DB instance isn't in a VPC, you can also use this parameter to move your DB instance into a VPC. For more information, see Working with a DB instance in a VPC in the Amazon RDS User Guide.
Changing the subnet group causes an outage during the change. The change is applied during the next maintenance window, unless you enable ApplyImmediately.
Constraints: If supplied, must match the name of an existing DBSubnetGroup.
Example: mySubnetGroup
The new password for the master user. The password can include any printable ASCII character except \"/\", \"\"\", or \"@\".
Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. Between the time of the request and the completion of the request, the MasterUserPassword element exists in the PendingModifiedValues element of the operation response.
Amazon Aurora
Not applicable. The password for the master user is managed by the DB cluster. For more information, see ModifyDBCluster.
Default: Uses existing setting
MariaDB
Constraints: Must contain from 8 to 41 characters.
Microsoft SQL Server
Constraints: Must contain from 8 to 128 characters.
MySQL
Constraints: Must contain from 8 to 41 characters.
Oracle
Constraints: Must contain from 8 to 30 characters.
PostgreSQL
Constraints: Must contain from 8 to 128 characters.
Amazon RDS API actions never return the password, so this action provides a way to regain access to a primary instance user if the password is lost. This includes restoring privileges that might have been accidentally revoked.
The name of the DB parameter group to apply to the DB instance. Changing this setting doesn't result in an outage. The parameter group name itself is changed immediately, but the actual parameter changes are not applied until you reboot the instance without failover. In this case, the DB instance isn't rebooted automatically and the parameter changes isn't applied during the next maintenance window.
Default: Uses existing setting
Constraints: The DB parameter group must be in the same DB parameter group family as this DB instance.
", - "ModifyDBInstanceMessage$PreferredBackupWindow": " The daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod parameter. Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible.
Amazon Aurora
Not applicable. The daily time range for creating automated backups is managed by the DB cluster. For more information, see ModifyDBCluster.
Constraints:
Must be in the format hh24:mi-hh24:mi
Must be in Universal Time Coordinated (UTC)
Must not conflict with the preferred maintenance window
Must be at least 30 minutes
The weekly time range (in UTC) during which system maintenance can occur, which might result in an outage. Changing this parameter doesn't result in an outage, except in the following situation, and the change is asynchronously applied as soon as possible. If there are pending actions that cause a reboot, and the maintenance window is changed to include the current time, then changing this parameter will cause a reboot of the DB instance. If moving this window to the current time, there must be at least 30 minutes between the current time and end of the window to ensure pending changes are applied.
Default: Uses existing setting
Format: ddd:hh24:mi-ddd:hh24:mi
Valid Days: Mon | Tue | Wed | Thu | Fri | Sat | Sun
Constraints: Must be at least 30 minutes
", + "ModifyDBInstanceMessage$PreferredBackupWindow": " The daily time range during which automated backups are created if automated backups are enabled, as determined by the BackupRetentionPeriod parameter. Changing this parameter doesn't result in an outage and the change is asynchronously applied as soon as possible. The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region. For more information, see Backup window in the Amazon RDS User Guide.
Amazon Aurora
Not applicable. The daily time range for creating automated backups is managed by the DB cluster. For more information, see ModifyDBCluster.
Constraints:
Must be in the format hh24:mi-hh24:mi
Must be in Universal Time Coordinated (UTC)
Must not conflict with the preferred maintenance window
Must be at least 30 minutes
The weekly time range (in UTC) during which system maintenance can occur, which might result in an outage. Changing this parameter doesn't result in an outage, except in the following situation, and the change is asynchronously applied as soon as possible. If there are pending actions that cause a reboot, and the maintenance window is changed to include the current time, then changing this parameter will cause a reboot of the DB instance. If moving this window to the current time, there must be at least 30 minutes between the current time and end of the window to ensure pending changes are applied.
For more information, see Amazon RDS Maintenance Window in the Amazon RDS User Guide.
Default: Uses existing setting
Format: ddd:hh24:mi-ddd:hh24:mi
Valid Days: Mon | Tue | Wed | Thu | Fri | Sat | Sun
Constraints: Must be at least 30 minutes
", "ModifyDBInstanceMessage$EngineVersion": " The version number of the database engine to upgrade to. Changing this parameter results in an outage and the change is applied during the next maintenance window unless the ApplyImmediately parameter is enabled for this request.
For major version upgrades, if a nondefault DB parameter group is currently in use, a new DB parameter group in the DB parameter group family for the new engine version must be specified. The new DB parameter group can be the default for that DB parameter group family.
If you specify only a major version, Amazon RDS will update the DB instance to the default minor version if the current minor version is lower. For information about valid engine versions, see CreateDBInstance, or call DescribeDBEngineVersions.
The license model for the DB instance.
Valid values: license-included | bring-your-own-license | general-public-license
A value that indicates the DB instance should be associated with the specified option group. Changing this parameter doesn't result in an outage except in the following case and the change is applied during the next maintenance window unless the ApplyImmediately parameter is enabled for this request. If the parameter change results in an option group that enables OEM, this change can cause a brief (sub-second) period during which new connections are rejected but existing connections are not interrupted.
Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group, and that option group can't be removed from a DB instance once it is associated with a DB instance
", @@ -4357,7 +4357,7 @@ "RestoreDBClusterFromS3Message$MasterUsername": "The name of the master user for the restored DB cluster.
Constraints:
Must be 1 to 16 letters or numbers.
First character must be a letter.
Can't be a reserved word for the chosen database engine.
The password for the master database user. This password can contain any printable ASCII character except \"/\", \"\"\", or \"@\".
Constraints: Must contain from 8 to 41 characters.
", "RestoreDBClusterFromS3Message$OptionGroupName": "A value that indicates that the restored DB cluster should be associated with the specified option group.
Permanent options can't be removed from an option group. An option group can't be removed from a DB cluster once it is associated with a DB cluster.
", - "RestoreDBClusterFromS3Message$PreferredBackupWindow": "The daily time range during which automated backups are created if automated backups are enabled using the BackupRetentionPeriod parameter.
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region. To see the time blocks available, see Adjusting the Preferred Maintenance Window in the Amazon Aurora User Guide.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The daily time range during which automated backups are created if automated backups are enabled using the BackupRetentionPeriod parameter.
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region. To view the time blocks available, see Backup window in the Amazon Aurora User Guide.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).
Format: ddd:hh24:mi-ddd:hh24:mi
The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region, occurring on a random day of the week. To see the time blocks available, see Adjusting the Preferred Maintenance Window in the Amazon Aurora User Guide.
Valid Days: Mon, Tue, Wed, Thu, Fri, Sat, Sun.
Constraints: Minimum 30-minute window.
", "RestoreDBClusterFromS3Message$KmsKeyId": "The AWS KMS key identifier for an encrypted DB cluster.
The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the AWS KMS customer master key (CMK). To use a CMK in a different AWS account, specify the key ARN or alias ARN.
If the StorageEncrypted parameter is enabled, and you do not specify a value for the KmsKeyId parameter, then Amazon RDS will use your default CMK. There is a default CMK for your AWS account. Your AWS account has a different default CMK for each AWS Region.
The identifier for the database engine that was backed up to create the files stored in the Amazon S3 bucket.
Valid values: mysql
A DB subnet group to associate with this DB instance.
", "RestoreDBInstanceFromS3Message$PreferredMaintenanceWindow": "The time range each week during which system maintenance can occur, in Universal Coordinated Time (UTC). For more information, see Amazon RDS Maintenance Window in the Amazon RDS User Guide.
Constraints:
Must be in the format ddd:hh24:mi-ddd:hh24:mi.
Valid Days: Mon, Tue, Wed, Thu, Fri, Sat, Sun.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred backup window.
Must be at least 30 minutes.
The name of the DB parameter group to associate with this DB instance.
If you do not specify a value for DBParameterGroupName, then the default DBParameterGroup for the specified DB engine is used.
The time range each day during which automated backups are created if automated backups are enabled. For more information, see The Backup Window in the Amazon RDS User Guide.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The time range each day during which automated backups are created if automated backups are enabled. For more information, see Backup window in the Amazon RDS User Guide.
Constraints:
Must be in the format hh24:mi-hh24:mi.
Must be in Universal Coordinated Time (UTC).
Must not conflict with the preferred maintenance window.
Must be at least 30 minutes.
The version number of the database engine to use. Choose the latest minor version of your database engine. For information about engine versions, see CreateDBInstance, or call DescribeDBEngineVersions.
The license model for this DB instance. Use general-public-license.
The name of the option group to associate with this DB instance. If this argument is omitted, the default option group for the specified engine is used.
", diff --git a/models/apis/redshift/2012-12-01/api-2.json b/models/apis/redshift/2012-12-01/api-2.json index cf16d2e5055..b400289bb59 100644 --- a/models/apis/redshift/2012-12-01/api-2.json +++ b/models/apis/redshift/2012-12-01/api-2.json @@ -1220,6 +1220,22 @@ {"shape":"DependentServiceUnavailableFault"} ] }, + "ModifyAquaConfiguration":{ + "name":"ModifyAquaConfiguration", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ModifyAquaInputMessage"}, + "output":{ + "shape":"ModifyAquaOutputMessage", + "resultWrapper":"ModifyAquaConfigurationResult" + }, + "errors":[ + {"shape":"ClusterNotFoundFault"}, + {"shape":"UnsupportedOperationFault"} + ] + }, "ModifyCluster":{ "name":"ModifyCluster", "http":{ @@ -1797,6 +1813,29 @@ "resize-cluster" ] }, + "AquaConfiguration":{ + "type":"structure", + "members":{ + "AquaStatus":{"shape":"AquaStatus"}, + "AquaConfigurationStatus":{"shape":"AquaConfigurationStatus"} + } + }, + "AquaConfigurationStatus":{ + "type":"string", + "enum":[ + "enabled", + "disabled", + "auto" + ] + }, + "AquaStatus":{ + "type":"string", + "enum":[ + "enabled", + "disabled", + "applying" + ] + }, "AssociatedClusterList":{ "type":"list", "member":{ @@ -2066,7 +2105,8 @@ "ResizeInfo":{"shape":"ResizeInfo"}, "AvailabilityZoneRelocationStatus":{"shape":"String"}, "ClusterNamespaceArn":{"shape":"String"}, - "TotalStorageCapacityInMegaBytes":{"shape":"LongOptional"} + "TotalStorageCapacityInMegaBytes":{"shape":"LongOptional"}, + "AquaConfiguration":{"shape":"AquaConfiguration"} }, "wrapper":true }, @@ -2565,7 +2605,8 @@ "IamRoles":{"shape":"IamRoleArnList"}, "MaintenanceTrackName":{"shape":"String"}, "SnapshotScheduleIdentifier":{"shape":"String"}, - "AvailabilityZoneRelocation":{"shape":"BooleanOptional"} + "AvailabilityZoneRelocation":{"shape":"BooleanOptional"}, + "AquaConfigurationStatus":{"shape":"AquaConfigurationStatus"} } }, "CreateClusterParameterGroupMessage":{ @@ -4210,6 +4251,20 @@ "high-performance" ] }, + "ModifyAquaInputMessage":{ + "type":"structure", + "required":["ClusterIdentifier"], + "members":{ + "ClusterIdentifier":{"shape":"String"}, + "AquaConfigurationStatus":{"shape":"AquaConfigurationStatus"} + } + }, + "ModifyAquaOutputMessage":{ + "type":"structure", + "members":{ + "AquaConfiguration":{"shape":"AquaConfiguration"} + } + }, "ModifyClusterDbRevisionMessage":{ "type":"structure", "required":[ @@ -4903,7 +4958,8 @@ "MaintenanceTrackName":{"shape":"String"}, "SnapshotScheduleIdentifier":{"shape":"String"}, "NumberOfNodes":{"shape":"IntegerOptional"}, - "AvailabilityZoneRelocation":{"shape":"BooleanOptional"} + "AvailabilityZoneRelocation":{"shape":"BooleanOptional"}, + "AquaConfigurationStatus":{"shape":"AquaConfigurationStatus"} } }, "RestoreFromClusterSnapshotResult":{ diff --git a/models/apis/redshift/2012-12-01/docs-2.json b/models/apis/redshift/2012-12-01/docs-2.json index 3030803b646..eaf17e605b6 100644 --- a/models/apis/redshift/2012-12-01/docs-2.json +++ b/models/apis/redshift/2012-12-01/docs-2.json @@ -75,6 +75,7 @@ "EnableSnapshotCopy": "Enables the automatic copy of snapshots from one region to another region for a specified cluster.
", "GetClusterCredentials": "Returns a database user name and temporary password with temporary authorization to log on to an Amazon Redshift database. The action returns the database user name prefixed with IAM: if AutoCreate is False or IAMA: if AutoCreate is True. You can optionally specify one or more database user groups that the user will join at log on. By default, the temporary credentials expire in 900 seconds. You can optionally specify a duration between 900 seconds (15 minutes) and 3600 seconds (60 minutes). For more information, see Using IAM Authentication to Generate Database User Credentials in the Amazon Redshift Cluster Management Guide.
The AWS Identity and Access Management (IAM)user or role that executes GetClusterCredentials must have an IAM policy attached that allows access to all necessary actions and resources. For more information about permissions, see Resource Policies for GetClusterCredentials in the Amazon Redshift Cluster Management Guide.
If the DbGroups parameter is specified, the IAM policy must allow the redshift:JoinGroup action with access to the listed dbgroups.
In addition, if the AutoCreate parameter is set to True, then the policy must include the redshift:CreateClusterUser privilege.
If the DbName parameter is specified, the IAM policy must allow access to the resource dbname for the specified database name.
Returns an array of DC2 ReservedNodeOfferings that matches the payment type, term, and usage price of the given DC1 reserved node.
", + "ModifyAquaConfiguration": "Modifies whether a cluster can use AQUA (Advanced Query Accelerator).
", "ModifyCluster": "Modifies the settings for a cluster.
You can also change node type and the number of nodes to scale up or down the cluster. When resizing a cluster, you must specify both the number of nodes and the node type even if one of the parameters does not change.
You can add another security or parameter group, or change the master user password. Resetting a cluster password or modifying the security groups associated with a cluster do not need a reboot. However, modifying a parameter group requires a reboot for parameters to take effect. For more information about managing clusters, go to Amazon Redshift Clusters in the Amazon Redshift Cluster Management Guide.
", "ModifyClusterDbRevision": "Modifies the database revision of a cluster. The database revision is a unique revision of the database running in a cluster.
", "ModifyClusterIamRoles": "Modifies the list of AWS Identity and Access Management (IAM) roles that can be used by the cluster to access other AWS services.
A cluster can have up to 10 IAM roles associated at any time.
", @@ -152,6 +153,28 @@ "DescribeNodeConfigurationOptionsMessage$ActionType": "The action type to evaluate for possible node configurations. Specify \"restore-cluster\" to get configuration combinations based on an existing snapshot. Specify \"recommend-node-config\" to get configuration recommendations based on an existing cluster or snapshot. Specify \"resize-cluster\" to get configuration combinations for elastic resize based on an existing cluster.
" } }, + "AquaConfiguration": { + "base": "The AQUA (Advanced Query Accelerator) configuration of the cluster.
", + "refs": { + "Cluster$AquaConfiguration": "The AQUA (Advanced Query Accelerator) configuration of the cluster.
", + "ModifyAquaOutputMessage$AquaConfiguration": "The updated AQUA configuration of the cluster.
" + } + }, + "AquaConfigurationStatus": { + "base": null, + "refs": { + "AquaConfiguration$AquaConfigurationStatus": "The value represents how the cluster is configured to use AQUA. Possible values include the following.
enabled - Use AQUA if it is available for the current AWS Region and Amazon Redshift node type.
disabled - Don't use AQUA.
auto - Amazon Redshift determines whether to use AQUA.
The value represents how the cluster is configured to use AQUA (Advanced Query Accelerator) when it is created. Possible values include the following.
enabled - Use AQUA if it is available for the current AWS Region and Amazon Redshift node type.
disabled - Don't use AQUA.
auto - Amazon Redshift determines whether to use AQUA.
The new value of AQUA configuration status. Possible values include the following.
enabled - Use AQUA if it is available for the current AWS Region and Amazon Redshift node type.
disabled - Don't use AQUA.
auto - Amazon Redshift determines whether to use AQUA.
The value represents how the cluster is configured to use AQUA (Advanced Query Accelerator) after the cluster is restored. Possible values include the following.
enabled - Use AQUA if it is available for the current AWS Region and Amazon Redshift node type.
disabled - Don't use AQUA.
auto - Amazon Redshift determines whether to use AQUA.
The value indicates the status of AQUA on the cluster. Possible values include the following.
enabled - AQUA is enabled.
disabled - AQUA is not enabled.
applying - AQUA status is being applied.
The category of the node configuration recommendation.
" } }, + "ModifyAquaInputMessage": { + "base": null, + "refs": { + } + }, + "ModifyAquaOutputMessage": { + "base": null, + "refs": { + } + }, "ModifyClusterDbRevisionMessage": { "base": null, "refs": { @@ -2780,6 +2813,7 @@ "LoggingStatus$LastFailureMessage": "The message indicating that logs failed to be delivered.
", "MaintenanceTrack$MaintenanceTrackName": "The name of the maintenance track. Possible values are current and trailing.
The version number for the cluster release.
", + "ModifyAquaInputMessage$ClusterIdentifier": "The identifier of the cluster to be modified.
", "ModifyClusterDbRevisionMessage$ClusterIdentifier": "The unique identifier of a cluster whose database revision you want to modify.
Example: examplecluster
The identifier of the database revision. You can retrieve this value from the response to the DescribeClusterDbRevisions request.
", "ModifyClusterIamRolesMessage$ClusterIdentifier": "The unique identifier of the cluster for which you want to associate or disassociate IAM roles.
", diff --git a/models/apis/sts/2011-06-15/api-2.json b/models/apis/sts/2011-06-15/api-2.json index a9e29231ebf..e6aa451763c 100644 --- a/models/apis/sts/2011-06-15/api-2.json +++ b/models/apis/sts/2011-06-15/api-2.json @@ -161,7 +161,8 @@ "TransitiveTagKeys":{"shape":"tagKeyListType"}, "ExternalId":{"shape":"externalIdType"}, "SerialNumber":{"shape":"serialNumberType"}, - "TokenCode":{"shape":"tokenCodeType"} + "TokenCode":{"shape":"tokenCodeType"}, + "SourceIdentity":{"shape":"sourceIdentityType"} } }, "AssumeRoleResponse":{ @@ -169,7 +170,8 @@ "members":{ "Credentials":{"shape":"Credentials"}, "AssumedRoleUser":{"shape":"AssumedRoleUser"}, - "PackedPolicySize":{"shape":"nonNegativeIntegerType"} + "PackedPolicySize":{"shape":"nonNegativeIntegerType"}, + "SourceIdentity":{"shape":"sourceIdentityType"} } }, "AssumeRoleWithSAMLRequest":{ @@ -198,7 +200,8 @@ "SubjectType":{"shape":"SubjectType"}, "Issuer":{"shape":"Issuer"}, "Audience":{"shape":"Audience"}, - "NameQualifier":{"shape":"NameQualifier"} + "NameQualifier":{"shape":"NameQualifier"}, + "SourceIdentity":{"shape":"sourceIdentityType"} } }, "AssumeRoleWithWebIdentityRequest":{ @@ -226,7 +229,8 @@ "AssumedRoleUser":{"shape":"AssumedRoleUser"}, "PackedPolicySize":{"shape":"nonNegativeIntegerType"}, "Provider":{"shape":"Issuer"}, - "Audience":{"shape":"Audience"} + "Audience":{"shape":"Audience"}, + "SourceIdentity":{"shape":"sourceIdentityType"} } }, "AssumedRoleUser":{ @@ -549,6 +553,12 @@ "min":1, "pattern":"[\\u0009\\u000A\\u000D\\u0020-\\u00FF]+" }, + "sourceIdentityType":{ + "type":"string", + "max":64, + "min":2, + "pattern":"[\\w+=,.@-]*" + }, "tagKeyListType":{ "type":"list", "member":{"shape":"tagKeyType"}, diff --git a/models/apis/sts/2011-06-15/docs-2.json b/models/apis/sts/2011-06-15/docs-2.json index 155d03bb161..f0f6c11e51d 100644 --- a/models/apis/sts/2011-06-15/docs-2.json +++ b/models/apis/sts/2011-06-15/docs-2.json @@ -2,13 +2,13 @@ "version": "2.0", "service": "AWS Security Token Service (STS) enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more information about using this service, see Temporary Security Credentials.
", "operations": { - "AssumeRole": "Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
You cannot use AWS account root user credentials to call AssumeRole. You must use credentials for an IAM user or an IAM role to call AssumeRole.
For cross-account access, imagine that you own multiple accounts and need to access resources in each account. You could create long-term credentials in each account to access those resources. However, managing all those credentials and remembering which one can access which account can be time consuming. Instead, you can create one set of long-term credentials in one account. Then use temporary security credentials to access all the other accounts by assuming roles in those accounts. For more information about roles, see IAM Roles in the IAM User Guide.
Session Duration
By default, the temporary security credentials created by AssumeRole last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRole can be used to make API calls to any AWS service with the following exception: You cannot call the AWS STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
To assume a role from a different account, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account.
A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account. If the user is in the same account as the role, then you can do either of the following:
Attach a policy to the user (identical to the previous user in a different account).
Add the user as a principal directly in the role's trust policy.
In this case, the trust policy acts as an IAM resource-based policy. Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.
Tags
(Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Using MFA with AssumeRole
(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an AWS MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.
\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.
To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithSAML last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRoleWithSAML can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Calling AssumeRoleWithSAML does not require the use of AWS security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail logs. The entry includes the value in the NameID element of the SAML assertion. We recommend that you use a NameIDType that is not associated with any personally identifiable information (PII). For example, you could instead use the persistent identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
Tags
(Optional) You can configure your IdP to pass attributes into your SAML assertion as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, session tags override the role's tags with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
SAML Configuration
Before your application can call AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to issue the claims required by AWS. Additionally, you must use AWS Identity and Access Management (IAM) to create a SAML provider entity in your AWS account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.
For more information, see the following resources:
About SAML 2.0-based Federation in the IAM User Guide.
Creating SAML Identity Providers in the IAM User Guide.
Configuring a Relying Party and Claims in the IAM User Guide.
Creating a Role for SAML 2.0 Federation in the IAM User Guide.
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the AWS SDK for iOS Developer Guide and the AWS SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.
To learn more about Amazon Cognito, see Amazon Cognito Overview in AWS SDK for Android Developer Guide and Amazon Cognito Overview in the AWS SDK for iOS Developer Guide.
Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application. You also don't need to deploy server-based proxy services that use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS service API operations.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Tags
(Optional) You can configure your IdP to pass attributes into your web identity token as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, the session tag overrides the role tag with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Identities
Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.
Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail logs. The entry includes the Subject of the provided Web Identity Token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.
For more information about how to use web identity federation and the AssumeRoleWithWebIdentity API, see the following resources:
Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
Web Identity Federation Playground. Walk through the process of authenticating through Login with Amazon, Facebook, or Google, getting temporary security credentials, and then using those credentials to make a request to AWS.
AWS SDK for iOS Developer Guide and AWS SDK for Android Developer Guide. These toolkits contain sample apps that show how to invoke the identity providers. The toolkits then show how to use the information from these providers to get and use temporary security credentials.
Web Identity Federation with Mobile Applications. This article discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3.
Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRole can be used to make API calls to any AWS service with the following exception: You cannot call the AWS STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
To assume a role from a different account, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account.
A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account. If the user is in the same account as the role, then you can do either of the following:
Attach a policy to the user (identical to the previous user in a different account).
Add the user as a principal directly in the role's trust policy.
In this case, the trust policy acts as an IAM resource-based policy. Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.
Tags
(Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Using MFA with AssumeRole
(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an AWS MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.
\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.
To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithSAML last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour. When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails.
Permissions
The temporary security credentials created by AssumeRoleWithSAML can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Calling AssumeRoleWithSAML does not require the use of AWS security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail logs. The entry includes the value in the NameID element of the SAML assertion. We recommend that you use a NameIDType that is not associated with any personally identifiable information (PII). For example, you could instead use the persistent identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
Tags
(Optional) You can configure your IdP to pass attributes into your SAML assertion as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, session tags override the role's tags with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
SAML Configuration
Before your application can call AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to issue the claims required by AWS. Additionally, you must use AWS Identity and Access Management (IAM) to create a SAML provider entity in your AWS account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.
For more information, see the following resources:
About SAML 2.0-based Federation in the IAM User Guide.
Creating SAML Identity Providers in the IAM User Guide.
Configuring a Relying Party and Claims in the IAM User Guide.
Creating a Role for SAML 2.0 Federation in the IAM User Guide.
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the AWS SDK for iOS Developer Guide and the AWS SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.
To learn more about Amazon Cognito, see Amazon Cognito Overview in AWS SDK for Android Developer Guide and Amazon Cognito Overview in the AWS SDK for iOS Developer Guide.
Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application. You also don't need to deploy server-based proxy services that use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS service API operations.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Tags
(Optional) You can configure your IdP to pass attributes into your web identity token as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, the session tag overrides the role tag with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Identities
Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.
Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail logs. The entry includes the Subject of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.
For more information about how to use web identity federation and the AssumeRoleWithWebIdentity API, see the following resources:
Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
Web Identity Federation Playground. Walk through the process of authenticating through Login with Amazon, Facebook, or Google, getting temporary security credentials, and then using those credentials to make a request to AWS.
AWS SDK for iOS Developer Guide and AWS SDK for Android Developer Guide. These toolkits contain sample apps that show how to invoke the identity providers. The toolkits then show how to use the information from these providers to get and use temporary security credentials.
Web Identity Federation with Mobile Applications. This article discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3.
Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.
For example, if a user is not authorized to perform an operation that he or she has requested, the request returns a Client.UnauthorizedOperation response (an HTTP 403 response). Some AWS operations additionally return an encoded message that can provide details about this authorization failure.
Only certain AWS operations return an encoded authorization message. The documentation for an individual operation indicates whether that operation returns an encoded message in addition to returning an HTTP code.
The message is encoded because the details of the authorization status can constitute privileged information that the user who requested the operation should not see. To decode an authorization status message, a user must be granted permissions via an IAM policy to request the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action.
The decoded message includes the following type of information:
Whether the request was denied due to an explicit deny or due to the absence of an explicit allow. For more information, see Determining Whether a Request is Allowed or Denied in the IAM User Guide.
The principal who made the request.
The requested action.
The requested resource.
The values of condition keys in the context of the user's request.
Returns the account identifier for the specified access key ID.
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). For more information about access keys, see Managing Access Keys for IAM Users in the IAM User Guide.
When you pass an access key ID to this operation, it returns the ID of the AWS account to which the keys belong. Access key IDs beginning with AKIA are long-term credentials for an IAM user or the AWS account root user. Access key IDs beginning with ASIA are temporary credentials that are created using STS operations. If the account in the response belongs to you, you can sign in as the root user and review your root user access keys. Then, you can pull a credentials report to learn which IAM user owns the keys. To learn who requested the temporary credentials for an ASIA access key, view the STS events in your CloudTrail logs in the IAM User Guide.
This operation does not indicate the state of the access key. The key might be active, inactive, or deleted. Active keys might not have permissions to perform an operation. Providing a deleted access key might return an error that the key doesn't exist.
", "GetCallerIdentity": "Returns details about the IAM user or role whose credentials are used to call the operation.
No permissions are required to perform this operation. If an administrator adds a policy to your IAM user or role that explicitly denies access to the sts:GetCallerIdentity action, you can still perform this operation. Permissions are not required because the same information is returned when an IAM user or role is denied access. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the IAM User Guide.
Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
You can also call GetFederationToken using the security credentials of an AWS account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS account root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken in any AWS service except the following:
You cannot call any IAM operations using the AWS CLI or the AWS API.
You cannot call any STS operations except GetCallerIdentity.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the user that you are federating has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.
Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
You can also call GetFederationToken using the security credentials of an AWS account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS account root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken in any AWS service except the following:
You cannot call any IAM operations using the AWS CLI or the AWS API.
You cannot call any STS operations except GetCallerIdentity.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
You can also call GetFederationToken using the security credentials of an AWS account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS account root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken in any AWS service except the following:
You cannot call any IAM operations using the AWS CLI or the AWS API.
You cannot call any STS operations except GetCallerIdentity.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the user that you are federating has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.
Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error. For a comparison of GetSessionToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
Session Duration
The GetSessionToken operation must be called by using the long-term AWS security credentials of the AWS account root user or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions
The temporary security credentials created by GetSessionToken can be used to make API calls to any AWS service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is included in the request.
You cannot call any STS API except AssumeRole or GetCallerIdentity.
We recommend that you do not call GetSessionToken with AWS account root user credentials. Instead, follow our best practices by creating one or more IAM users, giving them the necessary permissions, and using IAM users for everyday interaction with AWS.
The credentials that are returned by GetSessionToken are based on permissions associated with the user whose credentials were used to call the operation. If GetSessionToken is called using AWS account root user credentials, the temporary credentials have root user permissions. Similarly, if GetSessionToken is called using the credentials of an IAM user, the temporary credentials have the same permissions as the IAM user.
For more information about using GetSessionToken to create temporary credentials, go to Temporary Credentials for Users in Untrusted Environments in the IAM User Guide.
A hash value based on the concatenation of the Issuer response value, the AWS account ID, and the friendly name (the last part of the ARN) of the SAML provider in IAM. The combination of NameQualifier and Subject can be used to uniquely identify a federated user.
The following pseudocode shows how the hash value is calculated:
BASE64 ( SHA1 ( \"https://example.com/saml\" + \"123456789012\" + \"/MySAMLIdP\" ) )
A hash value based on the concatenation of the following:
The Issuer response value.
The AWS account ID.
The friendly name (the last part of the ARN) of the SAML provider in IAM.
The combination of NameQualifier and Subject can be used to uniquely identify a federated user.
The following pseudocode shows how the hash value is calculated:
BASE64 ( SHA1 ( \"https://example.com/saml\" + \"123456789012\" + \"/MySAMLIdP\" ) )
The base-64 encoded SAML authentication response provided by the IdP.
For more information, see Configuring a Relying Party and Adding Claims in the IAM User Guide.
" + "AssumeRoleWithSAMLRequest$SAMLAssertion": "The base64 encoded SAML authentication response provided by the IdP.
For more information, see Configuring a Relying Party and Adding Claims in the IAM User Guide.
" } }, "Subject": { @@ -342,10 +342,10 @@ "policyDescriptorListType": { "base": null, "refs": { - "AssumeRoleRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plain text that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", - "AssumeRoleWithSAMLRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plain text that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", - "AssumeRoleWithWebIdentityRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plain text that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", - "GetFederationTokenRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions that are granted by the session policies.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", + "AssumeRoleWithSAMLRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", + "AssumeRoleWithWebIdentityRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", + "GetFederationTokenRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions that are granted by the session policies.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console in the IAM User Guide.
The duration, in seconds, of the role session. The value specified can can range from 900 seconds (15 minutes) up to the maximum session duration that is set for the role. The maximum session duration setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting or the administrator setting (whichever is lower), the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console in the IAM User Guide.
The duration, in seconds, of the role session. Your role session lasts for the duration that you specify for the DurationSeconds parameter, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console in the IAM User Guide.
The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console in the IAM User Guide.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions that are granted by the session policies.
The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions that are granted by the session policies.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
The source identity specified by the principal that is calling the AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. You can use source identity information in AWS CloudTrail logs to determine who took actions with a role. You can use the aws:SourceIdentity condition key to further control access to AWS resources based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-. You cannot use a value that begins with the text aws:. This prefix is reserved for AWS internal use.
The source identity specified by the principal that is calling the AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. You can use source identity information in AWS CloudTrail logs to determine who took actions with a role. You can use the aws:SourceIdentity condition key to further control access to AWS resources based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
", + "AssumeRoleWithSAMLResponse$SourceIdentity": "The value in the SourceIdentity attribute in the SAML assertion.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your SAML identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithSAML. You do this by adding an attribute to the SAML assertion. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
", + "AssumeRoleWithWebIdentityResponse$SourceIdentity": "The value of the source identity that is returned in the JSON web token (JWT) from the identity provider.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web token. To learn more about OIDC tokens and claims, see Using Tokens with User Pools in the Amazon Cognito Developer Guide. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" } }, "tagKeyListType": { @@ -401,8 +410,8 @@ "tagListType": { "base": null, "refs": { - "AssumeRoleRequest$Tags": "A list of session tags that you want to pass. Each session tag consists of a key name and an associated value. For more information about session tags, see Tagging AWS STS Sessions in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the role. When you do, session tags override a role tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the role has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the role tag.
Additionally, if you used temporary credentials to perform this operation, the new session inherits any transitive session tags from the calling session. If you pass a session tag with the same key as an inherited tag, the operation fails. To view the inherited tags for a session, see the AWS CloudTrail logs. For more information, see Viewing Session Tags in CloudTrail in the IAM User Guide.
", - "GetFederationTokenRequest$Tags": "A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the role has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the role tag.
A list of session tags that you want to pass. Each session tag consists of a key name and an associated value. For more information about session tags, see Tagging AWS STS Sessions in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the role. When you do, session tags override a role tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the role has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the role tag.
Additionally, if you used temporary credentials to perform this operation, the new session inherits any transitive session tags from the calling session. If you pass a session tag with the same key as an inherited tag, the operation fails. To view the inherited tags for a session, see the AWS CloudTrail logs. For more information, see Viewing Session Tags in CloudTrail in the IAM User Guide.
", + "GetFederationTokenRequest$Tags": "A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the role has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the role tag.
The value provided by the MFA device, if the trust policy of the role being assumed requires MFA (that is, if the policy includes a condition that tests for MFA). If the role being assumed requires MFA and if the TokenCode value is missing or expired, the AssumeRole call returns an \"access denied\" error.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
", + "AssumeRoleRequest$TokenCode": "The value provided by the MFA device, if the trust policy of the role being assumed requires MFA. (In other words, if the policy includes a condition that tests for MFA). If the role being assumed requires MFA and if the TokenCode value is missing or expired, the AssumeRole call returns an \"access denied\" error.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
", "GetSessionTokenRequest$TokenCode": "The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, the user must provide a code when requesting a set of temporary security credentials. A user who fails to provide the code receives an \"access denied\" response when requesting resources that require MFA authentication.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
" } }, diff --git a/service/comprehendmedical/api.go b/service/comprehendmedical/api.go index 0d1d1c541a5..33a820a0234 100644 --- a/service/comprehendmedical/api.go +++ b/service/comprehendmedical/api.go @@ -3014,6 +3014,9 @@ type ICD10CMAttribute struct { // begins. The offset returns the UTF-8 code point in the string. BeginOffset *int64 `type:"integer"` + // The category of attribute. Can be either of DX_NAME or TIME_EXPRESSION. + Category *string `type:"string" enum:"ICD10CMEntityType"` + // The 0-based character offset in the input text that shows where the attribute // ends. The offset returns the UTF-8 code point in the string. EndOffset *int64 `type:"integer"` @@ -3026,6 +3029,10 @@ type ICD10CMAttribute struct { // is correctly related to this entity. RelationshipScore *float64 `type:"float"` + // The type of relationship between the entity and attribute. Type for the relationship + // can be either of OVERLAP or SYSTEM_ORGAN_SITE. + RelationshipType *string `type:"string" enum:"ICD10CMRelationshipType"` + // The level of confidence that Amazon Comprehend Medical has that the segment // of text is correctly recognized as an attribute. Score *float64 `type:"float"` @@ -3057,6 +3064,12 @@ func (s *ICD10CMAttribute) SetBeginOffset(v int64) *ICD10CMAttribute { return s } +// SetCategory sets the Category field's value. +func (s *ICD10CMAttribute) SetCategory(v string) *ICD10CMAttribute { + s.Category = &v + return s +} + // SetEndOffset sets the EndOffset field's value. func (s *ICD10CMAttribute) SetEndOffset(v int64) *ICD10CMAttribute { s.EndOffset = &v @@ -3075,6 +3088,12 @@ func (s *ICD10CMAttribute) SetRelationshipScore(v float64) *ICD10CMAttribute { return s } +// SetRelationshipType sets the RelationshipType field's value. +func (s *ICD10CMAttribute) SetRelationshipType(v string) *ICD10CMAttribute { + s.RelationshipType = &v + return s +} + // SetScore sets the Score field's value. func (s *ICD10CMAttribute) SetScore(v float64) *ICD10CMAttribute { s.Score = &v @@ -3189,7 +3208,7 @@ type ICD10CMEntity struct { Traits []*ICD10CMTrait `type:"list"` // Describes the specific type of entity with category of entities. InferICD10CM - // detects entities of the type DX_NAME. + // detects entities of the type DX_NAME and TIME_EXPRESSION. Type *string `type:"string" enum:"ICD10CMEntityType"` } @@ -3479,8 +3498,7 @@ func (s *InferRxNormOutput) SetPaginationToken(v string) *InferRxNormOutput { } // The input properties for an entities detection job. This includes the name -// of the S3 bucket and the path to the files to be analyzed. See batch-manifest -// for more information. +// of the S3 bucket and the path to the files to be analyzed. type InputDataConfig struct { _ struct{} `type:"structure"` @@ -5895,6 +5913,12 @@ const ( // ICD10CMAttributeTypeQuantity is a ICD10CMAttributeType enum value ICD10CMAttributeTypeQuantity = "QUANTITY" + + // ICD10CMAttributeTypeTimeToDxName is a ICD10CMAttributeType enum value + ICD10CMAttributeTypeTimeToDxName = "TIME_TO_DX_NAME" + + // ICD10CMAttributeTypeTimeExpression is a ICD10CMAttributeType enum value + ICD10CMAttributeTypeTimeExpression = "TIME_EXPRESSION" ) // ICD10CMAttributeType_Values returns all elements of the ICD10CMAttributeType enum @@ -5905,6 +5929,8 @@ func ICD10CMAttributeType_Values() []string { ICD10CMAttributeTypeSystemOrganSite, ICD10CMAttributeTypeQuality, ICD10CMAttributeTypeQuantity, + ICD10CMAttributeTypeTimeToDxName, + ICD10CMAttributeTypeTimeExpression, } } @@ -5923,12 +5949,32 @@ func ICD10CMEntityCategory_Values() []string { const ( // ICD10CMEntityTypeDxName is a ICD10CMEntityType enum value ICD10CMEntityTypeDxName = "DX_NAME" + + // ICD10CMEntityTypeTimeExpression is a ICD10CMEntityType enum value + ICD10CMEntityTypeTimeExpression = "TIME_EXPRESSION" ) // ICD10CMEntityType_Values returns all elements of the ICD10CMEntityType enum func ICD10CMEntityType_Values() []string { return []string{ ICD10CMEntityTypeDxName, + ICD10CMEntityTypeTimeExpression, + } +} + +const ( + // ICD10CMRelationshipTypeOverlap is a ICD10CMRelationshipType enum value + ICD10CMRelationshipTypeOverlap = "OVERLAP" + + // ICD10CMRelationshipTypeSystemOrganSite is a ICD10CMRelationshipType enum value + ICD10CMRelationshipTypeSystemOrganSite = "SYSTEM_ORGAN_SITE" +) + +// ICD10CMRelationshipType_Values returns all elements of the ICD10CMRelationshipType enum +func ICD10CMRelationshipType_Values() []string { + return []string{ + ICD10CMRelationshipTypeOverlap, + ICD10CMRelationshipTypeSystemOrganSite, } } diff --git a/service/lightsail/api.go b/service/lightsail/api.go index bee9902bfae..c95536e2b80 100644 --- a/service/lightsail/api.go +++ b/service/lightsail/api.go @@ -20776,7 +20776,7 @@ type CreateRelationalDatabaseFromSnapshotInput struct { // that is smaller than the bundle of the source database. RelationalDatabaseBundleId *string `locationName:"relationalDatabaseBundleId" type:"string"` - // The name to use for your new database. + // The name to use for your new Lightsail database resource. // // Constraints: // @@ -20935,38 +20935,97 @@ type CreateRelationalDatabaseInput struct { // to your request. AvailabilityZone *string `locationName:"availabilityZone" type:"string"` - // The name of the master database created when the Lightsail database resource - // is created. + // The meaning of this parameter differs according to the database engine you + // use. + // + // MySQL + // + // The name of the database to create when the Lightsail database resource is + // created. If this parameter isn't specified, no database is created in the + // database resource. + // + // Constraints: + // + // * Must contain 1 to 64 letters or numbers. + // + // * Must begin with a letter. Subsequent characters can be letters, underscores, + // or digits (0- 9). + // + // * Can't be a word reserved by the specified database engine. For more + // information about reserved words in MySQL, see the Keywords and Reserved + // Words articles for MySQL 5.6 (https://dev.mysql.com/doc/refman/5.6/en/keywords.html), + // MySQL 5.7 (https://dev.mysql.com/doc/refman/5.7/en/keywords.html), and + // MySQL 8.0 (https://dev.mysql.com/doc/refman/8.0/en/keywords.html). + // + // PostgreSQL + // + // The name of the database to create when the Lightsail database resource is + // created. If this parameter isn't specified, a database named postgres is + // created in the database resource. // // Constraints: // - // * Must contain from 1 to 64 alphanumeric characters. + // * Must contain 1 to 63 letters or numbers. + // + // * Must begin with a letter. Subsequent characters can be letters, underscores, + // or digits (0- 9). // - // * Cannot be a word reserved by the specified database engine + // * Can't be a word reserved by the specified database engine. For more + // information about reserved words in PostgreSQL, see the SQL Key Words + // articles for PostgreSQL 9.6 (https://www.postgresql.org/docs/9.6/sql-keywords-appendix.html), + // PostgreSQL 10 (https://www.postgresql.org/docs/10/sql-keywords-appendix.html), + // PostgreSQL 11 (https://www.postgresql.org/docs/11/sql-keywords-appendix.html), + // and PostgreSQL 12 (https://www.postgresql.org/docs/12/sql-keywords-appendix.html). // // MasterDatabaseName is a required field MasterDatabaseName *string `locationName:"masterDatabaseName" type:"string" required:"true"` - // The password for the master user of your new database. The password can include - // any printable ASCII character except "/", """, or "@". + // The password for the master user. The password can include any printable + // ASCII character except "/", """, or "@". It cannot contain spaces. + // + // MySQL // - // Constraints: Must contain 8 to 41 characters. + // Constraints: Must contain from 8 to 41 characters. + // + // PostgreSQL + // + // Constraints: Must contain from 8 to 128 characters. MasterUserPassword *string `locationName:"masterUserPassword" type:"string" sensitive:"true"` - // The master user name for your new database. + // The name for the master user. + // + // MySQL // // Constraints: // - // * Master user name is required. + // * Required for MySQL. + // + // * Must be 1 to 16 letters or numbers. Can contain underscores. // - // * Must contain from 1 to 16 alphanumeric characters. + // * First character must be a letter. // - // * The first character must be a letter. + // * Can't be a reserved word for the chosen database engine. For more information + // about reserved words in MySQL 5.6 or 5.7, see the Keywords and Reserved + // Words articles for MySQL 5.6 (https://dev.mysql.com/doc/refman/5.6/en/keywords.html), + // MySQL 5.7 (https://dev.mysql.com/doc/refman/5.7/en/keywords.html), or + // MySQL 8.0 (https://dev.mysql.com/doc/refman/8.0/en/keywords.html). + // + // PostgreSQL + // + // Constraints: // - // * Cannot be a reserved word for the database engine you choose. For more - // information about reserved words in MySQL 5.6 or 5.7, see the Keywords - // and Reserved Words articles for MySQL 5.6 (https://dev.mysql.com/doc/refman/5.6/en/keywords.html) - // or MySQL 5.7 (https://dev.mysql.com/doc/refman/5.7/en/keywords.html) respectively. + // * Required for PostgreSQL. + // + // * Must be 1 to 63 letters or numbers. Can contain underscores. + // + // * First character must be a letter. + // + // * Can't be a reserved word for the chosen database engine. For more information + // about reserved words in MySQL 5.6 or 5.7, see the Keywords and Reserved + // Words articles for PostgreSQL 9.6 (https://www.postgresql.org/docs/9.6/sql-keywords-appendix.html), + // PostgreSQL 10 (https://www.postgresql.org/docs/10/sql-keywords-appendix.html), + // PostgreSQL 11 (https://www.postgresql.org/docs/11/sql-keywords-appendix.html), + // and PostgreSQL 12 (https://www.postgresql.org/docs/12/sql-keywords-appendix.html). // // MasterUsername is a required field MasterUsername *string `locationName:"masterUsername" type:"string" required:"true"` @@ -35751,10 +35810,16 @@ type UpdateRelationalDatabaseInput struct { // in an outage. EnableBackupRetention *bool `locationName:"enableBackupRetention" type:"boolean"` - // The password for the master user of your database. The password can include - // any printable ASCII character except "/", """, or "@". + // The password for the master user. The password can include any printable + // ASCII character except "/", """, or "@". + // + // MySQL + // + // Constraints: Must contain from 8 to 41 characters. + // + // PostgreSQL // - // Constraints: Must contain 8 to 41 characters. + // Constraints: Must contain from 8 to 128 characters. MasterUserPassword *string `locationName:"masterUserPassword" type:"string" sensitive:"true"` // The daily time range during which automated backups are created for your @@ -35795,7 +35860,7 @@ type UpdateRelationalDatabaseInput struct { // resources in the same region as your database. PubliclyAccessible *bool `locationName:"publiclyAccessible" type:"boolean"` - // The name of your database to update. + // The name of your Lightsail database resource to update. // // RelationalDatabaseName is a required field RelationalDatabaseName *string `locationName:"relationalDatabaseName" type:"string" required:"true"` diff --git a/service/rds/api.go b/service/rds/api.go index a68d2f7cada..cb9b9c35f4e 100644 --- a/service/rds/api.go +++ b/service/rds/api.go @@ -10093,7 +10093,7 @@ func (c *RDS) FailoverGlobalClusterRequest(input *FailoverGlobalClusterInput) (r // the Aurora global database. // // For more information about failing over an Amazon Aurora global database, -// see Managed planned failover for Amazon Aurora global databases (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database-disaster-recovery.managed-failover) +// see Managed planned failover for Amazon Aurora global databases (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database-disaster-recovery.html#aurora-global-database-disaster-recovery.managed-failover) // in the Amazon Aurora User Guide. // // This action applies to GlobalCluster (Aurora global databases) only. Use @@ -14113,7 +14113,7 @@ func (c *RDS) RevokeDBSecurityGroupIngressRequest(input *RevokeDBSecurityGroupIn // RevokeDBSecurityGroupIngress API operation for Amazon Relational Database Service. // // Revokes ingress from a DBSecurityGroup for previously authorized IP ranges -// or EC2 or VPC Security Groups. Required parameters for this API are one of +// or EC2 or VPC security groups. Required parameters for this API are one of // CIDRIP, EC2SecurityGroupId for VPC, or (EC2SecurityGroupOwnerId and either // EC2SecurityGroupName or EC2SecurityGroupId). // @@ -18024,8 +18024,8 @@ type CreateDBClusterInput struct { // backups are enabled using the BackupRetentionPeriod parameter. // // The default is a 30-minute window selected at random from an 8-hour block - // of time for each AWS Region. To see the time blocks available, see Adjusting - // the Preferred DB Cluster Maintenance Window (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow.Aurora) + // of time for each AWS Region. To view the time blocks available, see Backup + // window (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html#Aurora.Managing.Backups.BackupWindow) // in the Amazon Aurora User Guide. // // Constraints: @@ -19235,8 +19235,9 @@ type CreateDBInstanceInput struct { Port *int64 `type:"integer"` // The daily time range during which automated backups are created if automated - // backups are enabled, using the BackupRetentionPeriod parameter. For more - // information, see The Backup Window (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupWindow) + // backups are enabled, using the BackupRetentionPeriod parameter. The default + // is a 30-minute window selected at random from an 8-hour block of time for + // each AWS Region. For more information, see Backup window (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupWindow) // in the Amazon RDS User Guide. // // Amazon Aurora @@ -19244,11 +19245,6 @@ type CreateDBInstanceInput struct { // Not applicable. The daily time range for creating automated backups is managed // by the DB cluster. // - // The default is a 30-minute window selected at random from an 8-hour block - // of time for each AWS Region. To see the time blocks available, see Adjusting - // the Preferred DB Instance Maintenance Window (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow) - // in the Amazon RDS User Guide. - // // Constraints: // // * Must be in the format hh24:mi-hh24:mi. @@ -21081,7 +21077,7 @@ type CreateEventSubscriptionInput struct { // // Constraints: // - // * If a SourceIds value is supplied, SourceType must also be provided. + // * If SourceIds are supplied, SourceType must also be provided. // // * If the source type is a DB instance, a DBInstanceIdentifier value must // be supplied. @@ -34408,8 +34404,8 @@ type ModifyDBClusterInput struct { // backups are enabled, using the BackupRetentionPeriod parameter. // // The default is a 30-minute window selected at random from an 8-hour block - // of time for each AWS Region. To see the time blocks available, see Adjusting - // the Preferred DB Cluster Maintenance Window (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow.Aurora) + // of time for each AWS Region. To view the time blocks available, see Backup + // window (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html#Aurora.Managing.Backups.BackupWindow) // in the Amazon Aurora User Guide. // // Constraints: @@ -34862,11 +34858,14 @@ type ModifyDBInstanceInput struct { // a positive number enables backups. Setting this parameter to 0 disables automated // backups. // - // Changing this parameter can result in an outage if you change from 0 to a - // non-zero value or from a non-zero value to 0. These changes are applied during - // the next maintenance window unless the ApplyImmediately parameter is enabled - // for this request. If you change the parameter from one non-zero value to - // another non-zero value, the change is asynchronously applied as soon as possible. + // Enabling and disabling backups can result in a brief I/O suspension that + // lasts from a few seconds to a few minutes, depending on the size and class + // of your DB instance. + // + // These changes are applied during the next maintenance window unless the ApplyImmediately + // parameter is enabled for this request. If you change the parameter from one + // non-zero value to another non-zero value, the change is asynchronously applied + // as soon as possible. // // Amazon Aurora // @@ -35258,7 +35257,10 @@ type ModifyDBInstanceInput struct { // The daily time range during which automated backups are created if automated // backups are enabled, as determined by the BackupRetentionPeriod parameter. // Changing this parameter doesn't result in an outage and the change is asynchronously - // applied as soon as possible. + // applied as soon as possible. The default is a 30-minute window selected at + // random from an 8-hour block of time for each AWS Region. For more information, + // see Backup window (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupWindow) + // in the Amazon RDS User Guide. // // Amazon Aurora // @@ -35285,6 +35287,9 @@ type ModifyDBInstanceInput struct { // to the current time, there must be at least 30 minutes between the current // time and end of the window to ensure pending changes are applied. // + // For more information, see Amazon RDS Maintenance Window (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Maintenance.html#Concepts.DBMaintenance) + // in the Amazon RDS User Guide. + // // Default: Uses existing setting // // Format: ddd:hh24:mi-ddd:hh24:mi @@ -39762,8 +39767,8 @@ type RestoreDBClusterFromS3Input struct { // backups are enabled using the BackupRetentionPeriod parameter. // // The default is a 30-minute window selected at random from an 8-hour block - // of time for each AWS Region. To see the time blocks available, see Adjusting - // the Preferred Maintenance Window (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_UpgradeDBInstance.Maintenance.html#AdjustingTheMaintenanceWindow.Aurora) + // of time for each AWS Region. To view the time blocks available, see Backup + // window (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html#Aurora.Managing.Backups.BackupWindow) // in the Amazon Aurora User Guide. // // Constraints: @@ -41530,7 +41535,7 @@ type RestoreDBInstanceFromS3Input struct { Port *int64 `type:"integer"` // The time range each day during which automated backups are created if automated - // backups are enabled. For more information, see The Backup Window (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupWindow) + // backups are enabled. For more information, see Backup window (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupWindow) // in the Amazon RDS User Guide. // // Constraints: @@ -42680,6 +42685,8 @@ type ScalingConfiguration struct { MinCapacity *int64 `type:"integer"` // The time, in seconds, before an Aurora DB cluster in serverless mode is paused. + // + // Specify a value between 300 and 86,400 seconds. SecondsUntilAutoPause *int64 `type:"integer"` // The action to take when the timeout is reached, either ForceApplyCapacityChange diff --git a/service/redshift/api.go b/service/redshift/api.go index c6f4f95cd2a..d8dcea9296b 100644 --- a/service/redshift/api.go +++ b/service/redshift/api.go @@ -8254,6 +8254,88 @@ func (c *Redshift) GetReservedNodeExchangeOfferingsPagesWithContext(ctx aws.Cont return p.Err() } +const opModifyAquaConfiguration = "ModifyAquaConfiguration" + +// ModifyAquaConfigurationRequest generates a "aws/request.Request" representing the +// client's request for the ModifyAquaConfiguration operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ModifyAquaConfiguration for more information on using the ModifyAquaConfiguration +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ModifyAquaConfigurationRequest method. +// req, resp := client.ModifyAquaConfigurationRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/redshift-2012-12-01/ModifyAquaConfiguration +func (c *Redshift) ModifyAquaConfigurationRequest(input *ModifyAquaConfigurationInput) (req *request.Request, output *ModifyAquaConfigurationOutput) { + op := &request.Operation{ + Name: opModifyAquaConfiguration, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ModifyAquaConfigurationInput{} + } + + output = &ModifyAquaConfigurationOutput{} + req = c.newRequest(op, input, output) + return +} + +// ModifyAquaConfiguration API operation for Amazon Redshift. +// +// Modifies whether a cluster can use AQUA (Advanced Query Accelerator). +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Redshift's +// API operation ModifyAquaConfiguration for usage and error information. +// +// Returned Error Codes: +// * ErrCodeClusterNotFoundFault "ClusterNotFound" +// The ClusterIdentifier parameter does not refer to an existing cluster. +// +// * ErrCodeUnsupportedOperationFault "UnsupportedOperation" +// The requested operation isn't supported. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/redshift-2012-12-01/ModifyAquaConfiguration +func (c *Redshift) ModifyAquaConfiguration(input *ModifyAquaConfigurationInput) (*ModifyAquaConfigurationOutput, error) { + req, out := c.ModifyAquaConfigurationRequest(input) + return out, req.Send() +} + +// ModifyAquaConfigurationWithContext is the same as ModifyAquaConfiguration with the addition of +// the ability to pass a context and additional request options. +// +// See ModifyAquaConfiguration for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *Redshift) ModifyAquaConfigurationWithContext(ctx aws.Context, input *ModifyAquaConfigurationInput, opts ...request.Option) (*ModifyAquaConfigurationOutput, error) { + req, out := c.ModifyAquaConfigurationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opModifyCluster = "ModifyCluster" // ModifyClusterRequest generates a "aws/request.Request" representing the @@ -10951,6 +11033,54 @@ func (s *AccountWithRestoreAccess) SetAccountId(v string) *AccountWithRestoreAcc return s } +// The AQUA (Advanced Query Accelerator) configuration of the cluster. +type AquaConfiguration struct { + _ struct{} `type:"structure"` + + // The value represents how the cluster is configured to use AQUA. Possible + // values include the following. + // + // * enabled - Use AQUA if it is available for the current AWS Region and + // Amazon Redshift node type. + // + // * disabled - Don't use AQUA. + // + // * auto - Amazon Redshift determines whether to use AQUA. + AquaConfigurationStatus *string `type:"string" enum:"AquaConfigurationStatus"` + + // The value indicates the status of AQUA on the cluster. Possible values include + // the following. + // + // * enabled - AQUA is enabled. + // + // * disabled - AQUA is not enabled. + // + // * applying - AQUA status is being applied. + AquaStatus *string `type:"string" enum:"AquaStatus"` +} + +// String returns the string representation +func (s AquaConfiguration) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AquaConfiguration) GoString() string { + return s.String() +} + +// SetAquaConfigurationStatus sets the AquaConfigurationStatus field's value. +func (s *AquaConfiguration) SetAquaConfigurationStatus(v string) *AquaConfiguration { + s.AquaConfigurationStatus = &v + return s +} + +// SetAquaStatus sets the AquaStatus field's value. +func (s *AquaConfiguration) SetAquaStatus(v string) *AquaConfiguration { + s.AquaStatus = &v + return s +} + // Describes an attribute value. type AttributeValueTarget struct { _ struct{} `type:"structure"` @@ -11751,6 +11881,9 @@ type Cluster struct { // be applied automatically to the cluster during the maintenance window. AllowVersionUpgrade *bool `type:"boolean"` + // The AQUA (Advanced Query Accelerator) configuration of the cluster. + AquaConfiguration *AquaConfiguration `type:"structure"` + // The number of days that automatic cluster snapshots are retained. AutomatedSnapshotRetentionPeriod *int64 `type:"integer"` @@ -12015,6 +12148,12 @@ func (s *Cluster) SetAllowVersionUpgrade(v bool) *Cluster { return s } +// SetAquaConfiguration sets the AquaConfiguration field's value. +func (s *Cluster) SetAquaConfiguration(v *AquaConfiguration) *Cluster { + s.AquaConfiguration = v + return s +} + // SetAutomatedSnapshotRetentionPeriod sets the AutomatedSnapshotRetentionPeriod field's value. func (s *Cluster) SetAutomatedSnapshotRetentionPeriod(v int64) *Cluster { s.AutomatedSnapshotRetentionPeriod = &v @@ -13071,6 +13210,17 @@ type CreateClusterInput struct { // Default: true AllowVersionUpgrade *bool `type:"boolean"` + // The value represents how the cluster is configured to use AQUA (Advanced + // Query Accelerator) when it is created. Possible values include the following. + // + // * enabled - Use AQUA if it is available for the current AWS Region and + // Amazon Redshift node type. + // + // * disabled - Don't use AQUA. + // + // * auto - Amazon Redshift determines whether to use AQUA. + AquaConfigurationStatus *string `type:"string" enum:"AquaConfigurationStatus"` + // The number of days that automated snapshots are retained. If the value is // 0, automated snapshots are disabled. Even if automated snapshots are disabled, // you can still create manual snapshots when you want with CreateClusterSnapshot. @@ -13392,6 +13542,12 @@ func (s *CreateClusterInput) SetAllowVersionUpgrade(v bool) *CreateClusterInput return s } +// SetAquaConfigurationStatus sets the AquaConfigurationStatus field's value. +func (s *CreateClusterInput) SetAquaConfigurationStatus(v string) *CreateClusterInput { + s.AquaConfigurationStatus = &v + return s +} + // SetAutomatedSnapshotRetentionPeriod sets the AutomatedSnapshotRetentionPeriod field's value. func (s *CreateClusterInput) SetAutomatedSnapshotRetentionPeriod(v int64) *CreateClusterInput { s.AutomatedSnapshotRetentionPeriod = &v @@ -21590,6 +21746,83 @@ func (s *MaintenanceTrack) SetUpdateTargets(v []*UpdateTarget) *MaintenanceTrack return s } +type ModifyAquaConfigurationInput struct { + _ struct{} `type:"structure"` + + // The new value of AQUA configuration status. Possible values include the following. + // + // * enabled - Use AQUA if it is available for the current AWS Region and + // Amazon Redshift node type. + // + // * disabled - Don't use AQUA. + // + // * auto - Amazon Redshift determines whether to use AQUA. + AquaConfigurationStatus *string `type:"string" enum:"AquaConfigurationStatus"` + + // The identifier of the cluster to be modified. + // + // ClusterIdentifier is a required field + ClusterIdentifier *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s ModifyAquaConfigurationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ModifyAquaConfigurationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ModifyAquaConfigurationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ModifyAquaConfigurationInput"} + if s.ClusterIdentifier == nil { + invalidParams.Add(request.NewErrParamRequired("ClusterIdentifier")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAquaConfigurationStatus sets the AquaConfigurationStatus field's value. +func (s *ModifyAquaConfigurationInput) SetAquaConfigurationStatus(v string) *ModifyAquaConfigurationInput { + s.AquaConfigurationStatus = &v + return s +} + +// SetClusterIdentifier sets the ClusterIdentifier field's value. +func (s *ModifyAquaConfigurationInput) SetClusterIdentifier(v string) *ModifyAquaConfigurationInput { + s.ClusterIdentifier = &v + return s +} + +type ModifyAquaConfigurationOutput struct { + _ struct{} `type:"structure"` + + // The updated AQUA configuration of the cluster. + AquaConfiguration *AquaConfiguration `type:"structure"` +} + +// String returns the string representation +func (s ModifyAquaConfigurationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ModifyAquaConfigurationOutput) GoString() string { + return s.String() +} + +// SetAquaConfiguration sets the AquaConfiguration field's value. +func (s *ModifyAquaConfigurationOutput) SetAquaConfiguration(v *AquaConfiguration) *ModifyAquaConfigurationOutput { + s.AquaConfiguration = v + return s +} + type ModifyClusterDbRevisionInput struct { _ struct{} `type:"structure"` @@ -24749,6 +24982,18 @@ type RestoreFromClusterSnapshotInput struct { // Default: true AllowVersionUpgrade *bool `type:"boolean"` + // The value represents how the cluster is configured to use AQUA (Advanced + // Query Accelerator) after the cluster is restored. Possible values include + // the following. + // + // * enabled - Use AQUA if it is available for the current AWS Region and + // Amazon Redshift node type. + // + // * disabled - Don't use AQUA. + // + // * auto - Amazon Redshift determines whether to use AQUA. + AquaConfigurationStatus *string `type:"string" enum:"AquaConfigurationStatus"` + // The number of days that automated snapshots are retained. If the value is // 0, automated snapshots are disabled. Even if automated snapshots are disabled, // you can still create manual snapshots when you want with CreateClusterSnapshot. @@ -24978,6 +25223,12 @@ func (s *RestoreFromClusterSnapshotInput) SetAllowVersionUpgrade(v bool) *Restor return s } +// SetAquaConfigurationStatus sets the AquaConfigurationStatus field's value. +func (s *RestoreFromClusterSnapshotInput) SetAquaConfigurationStatus(v string) *RestoreFromClusterSnapshotInput { + s.AquaConfigurationStatus = &v + return s +} + // SetAutomatedSnapshotRetentionPeriod sets the AutomatedSnapshotRetentionPeriod field's value. func (s *RestoreFromClusterSnapshotInput) SetAutomatedSnapshotRetentionPeriod(v int64) *RestoreFromClusterSnapshotInput { s.AutomatedSnapshotRetentionPeriod = &v @@ -27322,6 +27573,46 @@ func ActionType_Values() []string { } } +const ( + // AquaConfigurationStatusEnabled is a AquaConfigurationStatus enum value + AquaConfigurationStatusEnabled = "enabled" + + // AquaConfigurationStatusDisabled is a AquaConfigurationStatus enum value + AquaConfigurationStatusDisabled = "disabled" + + // AquaConfigurationStatusAuto is a AquaConfigurationStatus enum value + AquaConfigurationStatusAuto = "auto" +) + +// AquaConfigurationStatus_Values returns all elements of the AquaConfigurationStatus enum +func AquaConfigurationStatus_Values() []string { + return []string{ + AquaConfigurationStatusEnabled, + AquaConfigurationStatusDisabled, + AquaConfigurationStatusAuto, + } +} + +const ( + // AquaStatusEnabled is a AquaStatus enum value + AquaStatusEnabled = "enabled" + + // AquaStatusDisabled is a AquaStatus enum value + AquaStatusDisabled = "disabled" + + // AquaStatusApplying is a AquaStatus enum value + AquaStatusApplying = "applying" +) + +// AquaStatus_Values returns all elements of the AquaStatus enum +func AquaStatus_Values() []string { + return []string{ + AquaStatusEnabled, + AquaStatusDisabled, + AquaStatusApplying, + } +} + const ( // AuthorizationStatusAuthorized is a AuthorizationStatus enum value AuthorizationStatusAuthorized = "Authorized" diff --git a/service/redshift/redshiftiface/interface.go b/service/redshift/redshiftiface/interface.go index 66ab05defde..25704ac9411 100644 --- a/service/redshift/redshiftiface/interface.go +++ b/service/redshift/redshiftiface/interface.go @@ -427,6 +427,10 @@ type RedshiftAPI interface { GetReservedNodeExchangeOfferingsPages(*redshift.GetReservedNodeExchangeOfferingsInput, func(*redshift.GetReservedNodeExchangeOfferingsOutput, bool) bool) error GetReservedNodeExchangeOfferingsPagesWithContext(aws.Context, *redshift.GetReservedNodeExchangeOfferingsInput, func(*redshift.GetReservedNodeExchangeOfferingsOutput, bool) bool, ...request.Option) error + ModifyAquaConfiguration(*redshift.ModifyAquaConfigurationInput) (*redshift.ModifyAquaConfigurationOutput, error) + ModifyAquaConfigurationWithContext(aws.Context, *redshift.ModifyAquaConfigurationInput, ...request.Option) (*redshift.ModifyAquaConfigurationOutput, error) + ModifyAquaConfigurationRequest(*redshift.ModifyAquaConfigurationInput) (*request.Request, *redshift.ModifyAquaConfigurationOutput) + ModifyCluster(*redshift.ModifyClusterInput) (*redshift.ModifyClusterOutput, error) ModifyClusterWithContext(aws.Context, *redshift.ModifyClusterInput, ...request.Option) (*redshift.ModifyClusterOutput, error) ModifyClusterRequest(*redshift.ModifyClusterInput) (*request.Request, *redshift.ModifyClusterOutput) diff --git a/service/sts/api.go b/service/sts/api.go index bfc4372f9fd..17c46378899 100644 --- a/service/sts/api.go +++ b/service/sts/api.go @@ -65,34 +65,6 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // -// You cannot use AWS account root user credentials to call AssumeRole. You -// must use credentials for an IAM user or an IAM role to call AssumeRole. -// -// For cross-account access, imagine that you own multiple accounts and need -// to access resources in each account. You could create long-term credentials -// in each account to access those resources. However, managing all those credentials -// and remembering which one can access which account can be time consuming. -// Instead, you can create one set of long-term credentials in one account. -// Then use temporary security credentials to access all the other accounts -// by assuming roles in those accounts. For more information about roles, see -// IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) -// in the IAM User Guide. -// -// Session Duration -// -// By default, the temporary security credentials created by AssumeRole last -// for one hour. However, you can use the optional DurationSeconds parameter -// to specify the duration of your session. You can provide a value from 900 -// seconds (15 minutes) up to the maximum session duration setting for the role. -// This setting can have a value from 1 hour to 12 hours. To learn how to view -// the maximum value for your role, see View the Maximum Session Duration Setting -// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) -// in the IAM User Guide. The maximum session duration limit applies when you -// use the AssumeRole* API operations or the assume-role* CLI commands. However -// the limit does not apply when you use those operations to create a console -// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) -// in the IAM User Guide. -// // Permissions // // The temporary security credentials created by AssumeRole can be used to make @@ -102,7 +74,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to -// use as managed session policies. The plain text that you use for both inline +// use as managed session policies. The plaintext that you use for both inline // and managed session policies can't exceed 2,048 characters. Passing policies // to this operation returns new temporary credentials. The resulting session's // permissions are the intersection of the role's identity-based policy and @@ -308,6 +280,15 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) // in the IAM User Guide. // +// Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining) +// limits your AWS CLI or AWS API role session to a maximum of one hour. When +// you use the AssumeRole API operation to assume a role, you can specify the +// duration of your role session with the DurationSeconds parameter. You can +// specify a parameter value of up to 43200 seconds (12 hours), depending on +// the maximum session duration setting for your role. However, if you assume +// a role using role chaining and provide a DurationSeconds parameter value +// greater than one hour, the operation fails. +// // Permissions // // The temporary security credentials created by AssumeRoleWithSAML can be used @@ -317,7 +298,7 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to -// use as managed session policies. The plain text that you use for both inline +// use as managed session policies. The plaintext that you use for both inline // and managed session policies can't exceed 2,048 characters. Passing policies // to this operation returns new temporary credentials. The resulting session's // permissions are the intersection of the role's identity-based policy and @@ -346,16 +327,16 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // -// You can pass up to 50 session tags. The plain text session tag keys can’t +// You can pass up to 50 session tags. The plaintext session tag keys can’t // exceed 128 characters and the values can’t exceed 256 characters. For these // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // in the IAM User Guide. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail -// for this limit even if your plain text meets the other requirements. The -// PackedPolicySize response element indicates by percentage how close the policies -// and tags for your request are to the upper size limit. +// for this limit even if your plaintext meets the other requirements. The PackedPolicySize +// response element indicates by percentage how close the policies and tags +// for your request are to the upper size limit. // // You can pass a session tag with the same key as a tag that is attached to // the role. When you do, session tags override the role's tags with the same @@ -564,7 +545,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to -// use as managed session policies. The plain text that you use for both inline +// use as managed session policies. The plaintext that you use for both inline // and managed session policies can't exceed 2,048 characters. Passing policies // to this operation returns new temporary credentials. The resulting session's // permissions are the intersection of the role's identity-based policy and @@ -583,16 +564,16 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // -// You can pass up to 50 session tags. The plain text session tag keys can’t +// You can pass up to 50 session tags. The plaintext session tag keys can’t // exceed 128 characters and the values can’t exceed 256 characters. For these // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // in the IAM User Guide. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail -// for this limit even if your plain text meets the other requirements. The -// PackedPolicySize response element indicates by percentage how close the policies -// and tags for your request are to the upper size limit. +// for this limit even if your plaintext meets the other requirements. The PackedPolicySize +// response element indicates by percentage how close the policies and tags +// for your request are to the upper size limit. // // You can pass a session tag with the same key as a tag that is attached to // the role. When you do, the session tag overrides the role tag with the same @@ -619,7 +600,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // // Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims) -// of the provided Web Identity Token. We recommend that you avoid using any +// of the provided web identity token. We recommend that you avoid using any // personally identifiable information (PII) in this field. For example, you // could instead use a GUID or a pairwise identifier, as suggested in the OIDC // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). @@ -1108,6 +1089,70 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to +// use as managed session policies. The plaintext that you use for both inline +// and managed session policies can't exceed 2,048 characters. +// +// Though the session policy parameters are optional, if you do not pass a policy, +// then the resulting federated user session has no permissions. When you pass +// session policies, the session permissions are the intersection of the IAM +// user policies and the session policies that you pass. This gives you a way +// to further restrict the permissions for a federated user. You cannot use +// session policies to grant more permissions than those that are defined in +// the permissions policy of the IAM user. For more information, see Session +// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// in the IAM User Guide. For information about using GetFederationToken to +// create temporary security credentials, see GetFederationToken—Federation +// Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). +// +// You can use the credentials to access a resource that has a resource-based +// policy. If that policy specifically references the federated user session +// in the Principal element of the policy, the session has the permissions allowed +// by the policy. These permissions are granted in addition to the permissions +// granted by the session policies. +// +// Tags +// +// (Optional) You can pass tag key-value pairs to your session. These are called +// session tags. For more information about session tags, see Passing Session +// Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// in the IAM User Guide. +// +// You can create a mobile-based or browser-based app that can authenticate +// users using a web identity provider like Login with Amazon, Facebook, Google, +// or an OpenID Connect-compatible identity provider. In this case, we recommend +// that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. +// For more information, see Federation Through a Web-based Identity Provider +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) +// in the IAM User Guide. +// +// You can also call GetFederationToken using the security credentials of an +// AWS account root user, but we do not recommend it. Instead, we recommend +// that you create an IAM user for the purpose of the proxy application. Then +// attach a policy to the IAM user that limits federated users to only the actions +// and resources that they need to access. For more information, see IAM Best +// Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) +// in the IAM User Guide. +// +// Session duration +// +// The temporary credentials are valid for the specified duration, from 900 +// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default +// session duration is 43,200 seconds (12 hours). Temporary credentials that +// are obtained by using AWS account root user credentials have a maximum duration +// of 3,600 seconds (1 hour). +// +// Permissions +// +// You can use the temporary credentials created by GetFederationToken in any +// AWS service except the following: +// +// * You cannot call any IAM operations using the AWS CLI or the AWS API. +// +// * You cannot call any STS operations except GetCallerIdentity. +// +// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// to this operation. You can pass a single JSON policy document to use as an +// inline session policy. You can also specify up to 10 managed policies to // use as managed session policies. The plain text that you use for both inline // and managed session policies can't exceed 2,048 characters. // @@ -1338,14 +1383,15 @@ func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionToken type AssumeRoleInput struct { _ struct{} `type:"structure"` - // The duration, in seconds, of the role session. The value can range from 900 - // seconds (15 minutes) up to the maximum session duration setting for the role. - // This setting can have a value from 1 hour to 12 hours. If you specify a value - // higher than this setting, the operation fails. For example, if you specify - // a session duration of 12 hours, but your administrator set the maximum session - // duration to 6 hours, your operation fails. To learn how to view the maximum - // value for your role, see View the Maximum Session Duration Setting for a - // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) + // The duration, in seconds, of the role session. The value specified can can + // range from 900 seconds (15 minutes) up to the maximum session duration that + // is set for the role. The maximum session duration setting can have a value + // from 1 hour to 12 hours. If you specify a value higher than this setting + // or the administrator setting (whichever is lower), the operation fails. For + // example, if you specify a session duration of 12 hours, but your administrator + // set the maximum session duration to 6 hours, your operation fails. To learn + // how to view the maximum value for your role, see View the Maximum Session + // Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // in the IAM User Guide. // // By default, the value is set to 3600 seconds. @@ -1387,17 +1433,17 @@ type AssumeRoleInput struct { // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // - // The plain text that you use for both inline and managed session policies - // can't exceed 2,048 characters. The JSON policy characters can be any ASCII - // character from the space character to the end of the valid character list - // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), - // and carriage return (\u000D) characters. + // The plaintext that you use for both inline and managed session policies can't + // exceed 2,048 characters. The JSON policy characters can be any ASCII character + // from the space character to the end of the valid character list (\u0020 through + // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage + // return (\u000D) characters. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plain text meets the other requirements. The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. + // for this limit even if your plaintext meets the other requirements. The PackedPolicySize + // response element indicates by percentage how close the policies and tags + // for your request are to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want @@ -1405,16 +1451,16 @@ type AssumeRoleInput struct { // as the role. // // This parameter is optional. You can provide up to 10 managed policy ARNs. - // However, the plain text that you use for both inline and managed session - // policies can't exceed 2,048 characters. For more information about ARNs, - // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // However, the plaintext that you use for both inline and managed session policies + // can't exceed 2,048 characters. For more information about ARNs, see Amazon + // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // in the AWS General Reference. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plain text meets the other requirements. The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. + // for this limit even if your plaintext meets the other requirements. The PackedPolicySize + // response element indicates by percentage how close the policies and tags + // for your request are to the upper size limit. // // Passing policies to this operation returns new temporary credentials. The // resulting session's permissions are the intersection of the role's identity-based @@ -1459,22 +1505,41 @@ type AssumeRoleInput struct { // also include underscores or any of the following characters: =,.@- SerialNumber *string `min:"9" type:"string"` + // The source identity specified by the principal that is calling the AssumeRole + // operation. + // + // You can require users to specify a source identity when they assume a role. + // You do this by using the sts:SourceIdentity condition key in a role trust + // policy. You can use source identity information in AWS CloudTrail logs to + // determine who took actions with a role. You can use the aws:SourceIdentity + // condition key to further control access to AWS resources based on the value + // of source identity. For more information about using source identity, see + // Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) + // in the IAM User Guide. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can + // also include underscores or any of the following characters: =,.@-. You cannot + // use a value that begins with the text aws:. This prefix is reserved for AWS + // internal use. + SourceIdentity *string `min:"2" type:"string"` + // A list of session tags that you want to pass. Each session tag consists of // a key name and an associated value. For more information about session tags, // see Tagging AWS STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // - // This parameter is optional. You can pass up to 50 session tags. The plain - // text session tag keys can’t exceed 128 characters, and the values can’t - // exceed 256 characters. For these and additional limits, see IAM and STS Character + // This parameter is optional. You can pass up to 50 session tags. The plaintext + // session tag keys can’t exceed 128 characters, and the values can’t exceed + // 256 characters. For these and additional limits, see IAM and STS Character // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // in the IAM User Guide. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plain text meets the other requirements. The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. + // for this limit even if your plaintext meets the other requirements. The PackedPolicySize + // response element indicates by percentage how close the policies and tags + // for your request are to the upper size limit. // // You can pass a session tag with the same key as a tag that is already attached // to the role. When you do, session tags override a role tag with the same @@ -1495,9 +1560,10 @@ type AssumeRoleInput struct { Tags []*Tag `type:"list"` // The value provided by the MFA device, if the trust policy of the role being - // assumed requires MFA (that is, if the policy includes a condition that tests - // for MFA). If the role being assumed requires MFA and if the TokenCode value - // is missing or expired, the AssumeRole call returns an "access denied" error. + // assumed requires MFA. (In other words, if the policy includes a condition + // that tests for MFA). If the role being assumed requires MFA and if the TokenCode + // value is missing or expired, the AssumeRole call returns an "access denied" + // error. // // The format for this parameter, as described by its regex pattern, is a sequence // of six numeric digits. @@ -1554,6 +1620,9 @@ func (s *AssumeRoleInput) Validate() error { if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) } + if s.SourceIdentity != nil && len(*s.SourceIdentity) < 2 { + invalidParams.Add(request.NewErrParamMinLen("SourceIdentity", 2)) + } if s.TokenCode != nil && len(*s.TokenCode) < 6 { invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) } @@ -1626,6 +1695,12 @@ func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput { return s } +// SetSourceIdentity sets the SourceIdentity field's value. +func (s *AssumeRoleInput) SetSourceIdentity(v string) *AssumeRoleInput { + s.SourceIdentity = &v + return s +} + // SetTags sets the Tags field's value. func (s *AssumeRoleInput) SetTags(v []*Tag) *AssumeRoleInput { s.Tags = v @@ -1668,6 +1743,23 @@ type AssumeRoleOutput struct { // packed size is greater than 100 percent, which means the policies and tags // exceeded the allowed space. PackedPolicySize *int64 `type:"integer"` + + // The source identity specified by the principal that is calling the AssumeRole + // operation. + // + // You can require users to specify a source identity when they assume a role. + // You do this by using the sts:SourceIdentity condition key in a role trust + // policy. You can use source identity information in AWS CloudTrail logs to + // determine who took actions with a role. You can use the aws:SourceIdentity + // condition key to further control access to AWS resources based on the value + // of source identity. For more information about using source identity, see + // Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) + // in the IAM User Guide. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can + // also include underscores or any of the following characters: =,.@- + SourceIdentity *string `min:"2" type:"string"` } // String returns the string representation @@ -1698,6 +1790,12 @@ func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput { return s } +// SetSourceIdentity sets the SourceIdentity field's value. +func (s *AssumeRoleOutput) SetSourceIdentity(v string) *AssumeRoleOutput { + s.SourceIdentity = &v + return s +} + type AssumeRoleWithSAMLInput struct { _ struct{} `type:"structure"` @@ -1736,17 +1834,17 @@ type AssumeRoleWithSAMLInput struct { // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // - // The plain text that you use for both inline and managed session policies - // can't exceed 2,048 characters. The JSON policy characters can be any ASCII - // character from the space character to the end of the valid character list - // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), - // and carriage return (\u000D) characters. + // The plaintext that you use for both inline and managed session policies can't + // exceed 2,048 characters. The JSON policy characters can be any ASCII character + // from the space character to the end of the valid character list (\u0020 through + // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage + // return (\u000D) characters. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plain text meets the other requirements. The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. + // for this limit even if your plaintext meets the other requirements. The PackedPolicySize + // response element indicates by percentage how close the policies and tags + // for your request are to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want @@ -1754,16 +1852,16 @@ type AssumeRoleWithSAMLInput struct { // as the role. // // This parameter is optional. You can provide up to 10 managed policy ARNs. - // However, the plain text that you use for both inline and managed session - // policies can't exceed 2,048 characters. For more information about ARNs, - // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // However, the plaintext that you use for both inline and managed session policies + // can't exceed 2,048 characters. For more information about ARNs, see Amazon + // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // in the AWS General Reference. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plain text meets the other requirements. The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. + // for this limit even if your plaintext meets the other requirements. The PackedPolicySize + // response element indicates by percentage how close the policies and tags + // for your request are to the upper size limit. // // Passing policies to this operation returns new temporary credentials. The // resulting session's permissions are the intersection of the role's identity-based @@ -1786,7 +1884,7 @@ type AssumeRoleWithSAMLInput struct { // RoleArn is a required field RoleArn *string `min:"20" type:"string" required:"true"` - // The base-64 encoded SAML authentication response provided by the IdP. + // The base64 encoded SAML authentication response provided by the IdP. // // For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) // in the IAM User Guide. @@ -1908,10 +2006,17 @@ type AssumeRoleWithSAMLOutput struct { // The value of the Issuer element of the SAML assertion. Issuer *string `type:"string"` - // A hash value based on the concatenation of the Issuer response value, the - // AWS account ID, and the friendly name (the last part of the ARN) of the SAML - // provider in IAM. The combination of NameQualifier and Subject can be used - // to uniquely identify a federated user. + // A hash value based on the concatenation of the following: + // + // * The Issuer response value. + // + // * The AWS account ID. + // + // * The friendly name (the last part of the ARN) of the SAML provider in + // IAM. + // + // The combination of NameQualifier and Subject can be used to uniquely identify + // a federated user. // // The following pseudocode shows how the hash value is calculated: // @@ -1925,6 +2030,26 @@ type AssumeRoleWithSAMLOutput struct { // exceeded the allowed space. PackedPolicySize *int64 `type:"integer"` + // The value in the SourceIdentity attribute in the SAML assertion. + // + // You can require users to set a source identity value when they assume a role. + // You do this by using the sts:SourceIdentity condition key in a role trust + // policy. That way, actions that are taken with the role are associated with + // that user. After the source identity is set, the value cannot be changed. + // It is present in the request for all actions that are taken by the role and + // persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) + // sessions. You can configure your SAML identity provider to use an attribute + // associated with your users, like user name or email, as the source identity + // when calling AssumeRoleWithSAML. You do this by adding an attribute to the + // SAML assertion. For more information about using source identity, see Monitor + // and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) + // in the IAM User Guide. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can + // also include underscores or any of the following characters: =,.@- + SourceIdentity *string `min:"2" type:"string"` + // The value of the NameID element in the Subject element of the SAML assertion. Subject *string `type:"string"` @@ -1985,6 +2110,12 @@ func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithS return s } +// SetSourceIdentity sets the SourceIdentity field's value. +func (s *AssumeRoleWithSAMLOutput) SetSourceIdentity(v string) *AssumeRoleWithSAMLOutput { + s.SourceIdentity = &v + return s +} + // SetSubject sets the Subject field's value. func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput { s.Subject = &v @@ -2032,17 +2163,17 @@ type AssumeRoleWithWebIdentityInput struct { // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // - // The plain text that you use for both inline and managed session policies - // can't exceed 2,048 characters. The JSON policy characters can be any ASCII - // character from the space character to the end of the valid character list - // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), - // and carriage return (\u000D) characters. + // The plaintext that you use for both inline and managed session policies can't + // exceed 2,048 characters. The JSON policy characters can be any ASCII character + // from the space character to the end of the valid character list (\u0020 through + // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage + // return (\u000D) characters. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plain text meets the other requirements. The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. + // for this limit even if your plaintext meets the other requirements. The PackedPolicySize + // response element indicates by percentage how close the policies and tags + // for your request are to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want @@ -2050,16 +2181,16 @@ type AssumeRoleWithWebIdentityInput struct { // as the role. // // This parameter is optional. You can provide up to 10 managed policy ARNs. - // However, the plain text that you use for both inline and managed session - // policies can't exceed 2,048 characters. For more information about ARNs, - // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // However, the plaintext that you use for both inline and managed session policies + // can't exceed 2,048 characters. For more information about ARNs, see Amazon + // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // in the AWS General Reference. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plain text meets the other requirements. The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. + // for this limit even if your plaintext meets the other requirements. The PackedPolicySize + // response element indicates by percentage how close the policies and tags + // for your request are to the upper size limit. // // Passing policies to this operation returns new temporary credentials. The // resulting session's permissions are the intersection of the role's identity-based @@ -2242,6 +2373,29 @@ type AssumeRoleWithWebIdentityOutput struct { // in the AssumeRoleWithWebIdentity request. Provider *string `type:"string"` + // The value of the source identity that is returned in the JSON web token (JWT) + // from the identity provider. + // + // You can require users to set a source identity value when they assume a role. + // You do this by using the sts:SourceIdentity condition key in a role trust + // policy. That way, actions that are taken with the role are associated with + // that user. After the source identity is set, the value cannot be changed. + // It is present in the request for all actions that are taken by the role and + // persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) + // sessions. You can configure your identity provider to use an attribute associated + // with your users, like user name or email, as the source identity when calling + // AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web + // token. To learn more about OIDC tokens and claims, see Using Tokens with + // User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html) + // in the Amazon Cognito Developer Guide. For more information about using source + // identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) + // in the IAM User Guide. + // + // The regex used to validate this parameter is a string of characters consisting + // of upper- and lower-case alphanumeric characters with no spaces. You can + // also include underscores or any of the following characters: =,.@- + SourceIdentity *string `min:"2" type:"string"` + // The unique user identifier that is returned by the identity provider. This // identifier is associated with the WebIdentityToken that was submitted with // the AssumeRoleWithWebIdentity call. The identifier is typically unique to @@ -2291,6 +2445,12 @@ func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithW return s } +// SetSourceIdentity sets the SourceIdentity field's value. +func (s *AssumeRoleWithWebIdentityOutput) SetSourceIdentity(v string) *AssumeRoleWithWebIdentityOutput { + s.SourceIdentity = &v + return s +} + // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value. func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput { s.SubjectFromWebIdentityToken = &v @@ -2682,17 +2842,17 @@ type GetFederationTokenInput struct { // by the policy. These permissions are granted in addition to the permissions // that are granted by the session policies. // - // The plain text that you use for both inline and managed session policies - // can't exceed 2,048 characters. The JSON policy characters can be any ASCII - // character from the space character to the end of the valid character list - // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), - // and carriage return (\u000D) characters. + // The plaintext that you use for both inline and managed session policies can't + // exceed 2,048 characters. The JSON policy characters can be any ASCII character + // from the space character to the end of the valid character list (\u0020 through + // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage + // return (\u000D) characters. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plain text meets the other requirements. The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. + // for this limit even if your plaintext meets the other requirements. The PackedPolicySize + // response element indicates by percentage how close the policies and tags + // for your request are to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want @@ -2702,7 +2862,7 @@ type GetFederationTokenInput struct { // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to - // use as managed session policies. The plain text that you use for both inline + // use as managed session policies. The plaintext that you use for both inline // and managed session policies can't exceed 2,048 characters. You can provide // up to 10 managed policy ARNs. For more information about ARNs, see Amazon // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) @@ -2727,9 +2887,9 @@ type GetFederationTokenInput struct { // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plain text meets the other requirements. The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. + // for this limit even if your plaintext meets the other requirements. The PackedPolicySize + // response element indicates by percentage how close the policies and tags + // for your request are to the upper size limit. PolicyArns []*PolicyDescriptorType `type:"list"` // A list of session tags. Each session tag consists of a key name and an associated @@ -2737,17 +2897,17 @@ type GetFederationTokenInput struct { // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // - // This parameter is optional. You can pass up to 50 session tags. The plain - // text session tag keys can’t exceed 128 characters and the values can’t - // exceed 256 characters. For these and additional limits, see IAM and STS Character + // This parameter is optional. You can pass up to 50 session tags. The plaintext + // session tag keys can’t exceed 128 characters and the values can’t exceed + // 256 characters. For these and additional limits, see IAM and STS Character // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // in the IAM User Guide. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plain text meets the other requirements. The - // PackedPolicySize response element indicates by percentage how close the policies - // and tags for your request are to the upper size limit. + // for this limit even if your plaintext meets the other requirements. The PackedPolicySize + // response element indicates by percentage how close the policies and tags + // for your request are to the upper size limit. // // You can pass a session tag with the same key as a tag that is already attached // to the user you are federating. When you do, session tags override a user