Security Token Service (STS) enables you to request temporary, limited-privilege * credentials for users. This guide provides descriptions of the STS API. For * more information about using this service, see Temporary Security Credentials.
+ * @public */ export class STS extends STSClient implements STS {} createAggregatedClient(commands, STS); diff --git a/clients/client-sts/src/STSClient.ts b/clients/client-sts/src/STSClient.ts index 57ea410803c6..d90b40bf6d07 100644 --- a/clients/client-sts/src/STSClient.ts +++ b/clients/client-sts/src/STSClient.ts @@ -276,11 +276,11 @@ export type STSClientResolvedConfigType = __SmithyResolvedConfiguration<__HttpHa export interface STSClientResolvedConfig extends STSClientResolvedConfigType {} /** - * @public *Security Token Service (STS) enables you to request temporary, limited-privilege * credentials for users. This guide provides descriptions of the STS API. For * more information about using this service, see Temporary Security Credentials.
+ * @public */ export class STSClient extends __Client< __HttpHandlerOptions, diff --git a/clients/client-sts/src/commands/AssumeRoleCommand.ts b/clients/client-sts/src/commands/AssumeRoleCommand.ts index b1260b7d5bc1..fb5c16539452 100644 --- a/clients/client-sts/src/commands/AssumeRoleCommand.ts +++ b/clients/client-sts/src/commands/AssumeRoleCommand.ts @@ -27,7 +27,6 @@ export interface AssumeRoleCommandInput extends AssumeRoleRequest {} export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataBearer {} /** - * @public *Returns a set of temporary security credentials that you can use to access Amazon Web Services
* resources. These temporary credentials consist of an access key ID, a secret access key,
* and a security token. Typically, you use AssumeRole within your account or for
@@ -206,6 +205,7 @@ export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataB
* @throws {@link STSServiceException}
*
Base exception class for all service exceptions from STS service.
* + * @public * @example To assume a role * ```javascript * // diff --git a/clients/client-sts/src/commands/AssumeRoleWithSAMLCommand.ts b/clients/client-sts/src/commands/AssumeRoleWithSAMLCommand.ts index c654ba6a3b81..6befa8821baf 100644 --- a/clients/client-sts/src/commands/AssumeRoleWithSAMLCommand.ts +++ b/clients/client-sts/src/commands/AssumeRoleWithSAMLCommand.ts @@ -32,7 +32,6 @@ export interface AssumeRoleWithSAMLCommandInput extends AssumeRoleWithSAMLReques export interface AssumeRoleWithSAMLCommandOutput extends AssumeRoleWithSAMLResponse, __MetadataBearer {} /** - * @public *Returns a set of temporary security credentials for users who have been authenticated * via a SAML authentication response. This operation provides a mechanism for tying an * enterprise identity store or directory to role-based Amazon Web Services access without user-specific @@ -249,6 +248,7 @@ export interface AssumeRoleWithSAMLCommandOutput extends AssumeRoleWithSAMLRespo * @throws {@link STSServiceException} *
Base exception class for all service exceptions from STS service.
* + * @public * @example To assume a role using a SAML assertion * ```javascript * // diff --git a/clients/client-sts/src/commands/AssumeRoleWithWebIdentityCommand.ts b/clients/client-sts/src/commands/AssumeRoleWithWebIdentityCommand.ts index 7585de309bd2..603f9bfdaff5 100644 --- a/clients/client-sts/src/commands/AssumeRoleWithWebIdentityCommand.ts +++ b/clients/client-sts/src/commands/AssumeRoleWithWebIdentityCommand.ts @@ -32,7 +32,6 @@ export interface AssumeRoleWithWebIdentityCommandInput extends AssumeRoleWithWeb export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWebIdentityResponse, __MetadataBearer {} /** - * @public *Returns a set of temporary security credentials for users who have been authenticated in * a mobile or web application with a web identity provider. Example providers include the * OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible @@ -258,6 +257,7 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe * @throws {@link STSServiceException} *
Base exception class for all service exceptions from STS service.
* + * @public * @example To assume a role as an OpenID Connect-federated user * ```javascript * // diff --git a/clients/client-sts/src/commands/DecodeAuthorizationMessageCommand.ts b/clients/client-sts/src/commands/DecodeAuthorizationMessageCommand.ts index 6aabf69050f4..dbf8a8a4b921 100644 --- a/clients/client-sts/src/commands/DecodeAuthorizationMessageCommand.ts +++ b/clients/client-sts/src/commands/DecodeAuthorizationMessageCommand.ts @@ -27,7 +27,6 @@ export interface DecodeAuthorizationMessageCommandInput extends DecodeAuthorizat export interface DecodeAuthorizationMessageCommandOutput extends DecodeAuthorizationMessageResponse, __MetadataBearer {} /** - * @public *Decodes additional information about the authorization status of a request from an * encoded message returned in response to an Amazon Web Services request.
*For example, if a user is not authorized to perform an operation that he or she has @@ -95,6 +94,7 @@ export interface DecodeAuthorizationMessageCommandOutput extends DecodeAuthoriza * @throws {@link STSServiceException} *
Base exception class for all service exceptions from STS service.
* + * @public * @example To decode information about an authorization status of a request * ```javascript * // diff --git a/clients/client-sts/src/commands/GetAccessKeyInfoCommand.ts b/clients/client-sts/src/commands/GetAccessKeyInfoCommand.ts index ee93dcee4f9c..dbff36a93e19 100644 --- a/clients/client-sts/src/commands/GetAccessKeyInfoCommand.ts +++ b/clients/client-sts/src/commands/GetAccessKeyInfoCommand.ts @@ -27,7 +27,6 @@ export interface GetAccessKeyInfoCommandInput extends GetAccessKeyInfoRequest {} export interface GetAccessKeyInfoCommandOutput extends GetAccessKeyInfoResponse, __MetadataBearer {} /** - * @public *Returns the account identifier for the specified access key ID.
*Access keys consist of two parts: an access key ID (for example,
* AKIAIOSFODNN7EXAMPLE) and a secret access key (for example,
@@ -71,6 +70,7 @@ export interface GetAccessKeyInfoCommandOutput extends GetAccessKeyInfoResponse,
* @throws {@link STSServiceException}
*
Base exception class for all service exceptions from STS service.
* + * @public */ export class GetAccessKeyInfoCommand extends $Command .classBuilder< diff --git a/clients/client-sts/src/commands/GetCallerIdentityCommand.ts b/clients/client-sts/src/commands/GetCallerIdentityCommand.ts index 0dd00a057973..b44c1238e7f6 100644 --- a/clients/client-sts/src/commands/GetCallerIdentityCommand.ts +++ b/clients/client-sts/src/commands/GetCallerIdentityCommand.ts @@ -27,7 +27,6 @@ export interface GetCallerIdentityCommandInput extends GetCallerIdentityRequest export interface GetCallerIdentityCommandOutput extends GetCallerIdentityResponse, __MetadataBearer {} /** - * @public *Returns details about the IAM user or role whose credentials are used to * call the operation.
*Base exception class for all service exceptions from STS service.
* + * @public * @example To get details about a calling IAM user * ```javascript * // This example shows a request and response made with the credentials for a user named Alice in the AWS account 123456789012. diff --git a/clients/client-sts/src/commands/GetFederationTokenCommand.ts b/clients/client-sts/src/commands/GetFederationTokenCommand.ts index d46b1fd28c7e..3657470924e1 100644 --- a/clients/client-sts/src/commands/GetFederationTokenCommand.ts +++ b/clients/client-sts/src/commands/GetFederationTokenCommand.ts @@ -31,7 +31,6 @@ export interface GetFederationTokenCommandInput extends GetFederationTokenReques export interface GetFederationTokenCommandOutput extends GetFederationTokenResponse, __MetadataBearer {} /** - * @public *Returns a set of temporary security credentials (consisting of an access key ID, a * secret access key, and a security token) for a user. A typical use is in a proxy * application that gets temporary security credentials on behalf of distributed applications @@ -192,6 +191,7 @@ export interface GetFederationTokenCommandOutput extends GetFederationTokenRespo * @throws {@link STSServiceException} *
Base exception class for all service exceptions from STS service.
* + * @public * @example To get temporary credentials for a role by using GetFederationToken * ```javascript * // diff --git a/clients/client-sts/src/commands/GetSessionTokenCommand.ts b/clients/client-sts/src/commands/GetSessionTokenCommand.ts index 087105ce7934..91a7d6148482 100644 --- a/clients/client-sts/src/commands/GetSessionTokenCommand.ts +++ b/clients/client-sts/src/commands/GetSessionTokenCommand.ts @@ -31,7 +31,6 @@ export interface GetSessionTokenCommandInput extends GetSessionTokenRequest {} export interface GetSessionTokenCommandOutput extends GetSessionTokenResponse, __MetadataBearer {} /** - * @public *Returns a set of temporary credentials for an Amazon Web Services account or IAM user.
* The credentials consist of an access key ID, a secret access key, and a security token.
* Typically, you use GetSessionToken if you want to use MFA to protect
@@ -131,6 +130,7 @@ export interface GetSessionTokenCommandOutput extends GetSessionTokenResponse, _
* @throws {@link STSServiceException}
*
Base exception class for all service exceptions from STS service.
* + * @public * @example To get temporary credentials for an IAM user or an AWS account * ```javascript * // diff --git a/clients/client-sts/src/models/models_0.ts b/clients/client-sts/src/models/models_0.ts index eb2f74749d46..be6eccec34d7 100644 --- a/clients/client-sts/src/models/models_0.ts +++ b/clients/client-sts/src/models/models_0.ts @@ -4,86 +4,86 @@ import { ExceptionOptionType as __ExceptionOptionType, SENSITIVE_STRING } from " import { STSServiceException as __BaseException } from "./STSServiceException"; /** - * @public *The identifiers for the temporary security credentials that the operation * returns.
+ * @public */ export interface AssumedRoleUser { /** - * @public *A unique identifier that contains the role ID and the role session name of the role that * is being assumed. The role ID is generated by Amazon Web Services when the role is created.
+ * @public */ AssumedRoleId: string | undefined; /** - * @public *The ARN of the temporary security credentials that are returned from the AssumeRole action. For more information about ARNs and how to use them in * policies, see IAM Identifiers in the * IAM User Guide.
+ * @public */ Arn: string | undefined; } /** - * @public *A reference to the IAM managed policy that is passed as a session policy for a role * session or a federated user session.
+ * @public */ export interface PolicyDescriptorType { /** - * @public *The Amazon Resource Name (ARN) of the IAM managed policy to use as a session policy * for the role. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces in the Amazon Web Services General Reference.
+ * @public */ arn?: string; } /** - * @public *Contains information about the provided context. This includes the signed and encrypted * trusted context assertion and the context provider ARN from which the trusted context * assertion was generated.
+ * @public */ export interface ProvidedContext { /** - * @public *The context provider ARN from which the trusted context assertion was generated.
+ * @public */ ProviderArn?: string; /** - * @public *The signed and encrypted trusted context assertion generated by the context provider. * The trusted context assertion is signed and encrypted by Amazon Web Services STS.
+ * @public */ ContextAssertion?: string; } /** - * @public *You can pass custom key-value pair attributes when you assume a role or federate a user. * These are called session tags. You can then use the session tags to control access to * resources. For more information, see Tagging Amazon Web Services STS Sessions in the * IAM User Guide.
+ * @public */ export interface Tag { /** - * @public *The key for a session tag.
*You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 * characters. For these and additional limits, see IAM * and STS Character Limits in the IAM User Guide.
+ * @public */ Key: string | undefined; /** - * @public *The value for a session tag.
*You can pass up to 50 session tags. The plain text session tag values can’t exceed 256 * characters. For these and additional limits, see IAM * and STS Character Limits in the IAM User Guide.
+ * @public */ Value: string | undefined; } @@ -93,13 +93,12 @@ export interface Tag { */ export interface AssumeRoleRequest { /** - * @public *The Amazon Resource Name (ARN) of the role to assume.
+ * @public */ RoleArn: string | undefined; /** - * @public *An identifier for the assumed role session.
*Use the role session name to uniquely identify a session when the same role is assumed * by different principals or for different reasons. In cross-account scenarios, the role @@ -110,11 +109,11 @@ export interface AssumeRoleRequest { *
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
+ * @public */ RoleSessionName: string | undefined; /** - * @public *The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role.
*This parameter is optional. You can provide up to 10 managed policy ARNs. However, the @@ -136,11 +135,11 @@ export interface AssumeRoleRequest { * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
+ * @public */ PolicyArns?: PolicyDescriptorType[]; /** - * @public *An IAM policy in JSON format that you want to use as an inline session policy.
*This parameter is optional. Passing policies to this operation returns new
* temporary credentials. The resulting session's permissions are the intersection of the
@@ -162,11 +161,11 @@ export interface AssumeRoleRequest {
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
The duration, in seconds, of the role session. The value specified can range from 900 * seconds (15 minutes) up to the maximum session duration set for the role. The maximum * session duration setting can have a value from 1 hour to 12 hours. If you specify a value @@ -192,11 +191,11 @@ export interface AssumeRoleRequest { * that Enables Federated Users to Access the Amazon Web Services Management Console in the * IAM User Guide.
* + * @public */ DurationSeconds?: number; /** - * @public *A list of session tags that you want to pass. Each session tag consists of a key name * and an associated value. For more information about session tags, see Tagging Amazon Web Services STS * Sessions in the IAM User Guide.
@@ -224,11 +223,11 @@ export interface AssumeRoleRequest { * session tag with the same key as an inherited tag, the operation fails. To view the * inherited tags for a session, see the CloudTrail logs. For more information, see Viewing Session Tags in CloudTrail in the * IAM User Guide. + * @public */ Tags?: Tag[]; /** - * @public *A list of keys for session tags that you want to set as transitive. If you set a tag key * as transitive, the corresponding key and value passes to subsequent sessions in a role * chain. For more information, see Chaining Roles @@ -237,11 +236,11 @@ export interface AssumeRoleRequest { * and session tags packed binary limit is not affected.
*If you choose not to specify a transitive tag key, then no tags are passed from this * session to any subsequent sessions.
+ * @public */ TransitiveTagKeys?: string[]; /** - * @public *A unique identifier that might be required when you assume a role in another account. If
* the administrator of the account to which the role belongs provided you with an external
* ID, then provide that value in the ExternalId parameter. This value can be any
@@ -255,11 +254,11 @@ export interface AssumeRoleRequest {
*
The regex used to validate this parameter is a string of * characters consisting of upper- and lower-case alphanumeric characters with no spaces. * You can also include underscores or any of the following characters: =,.@:/-
+ * @public */ ExternalId?: string; /** - * @public *The identification number of the MFA device that is associated with the user who is
* making the AssumeRole call. Specify this value if the trust policy of the role
* being assumed includes a condition that requires MFA authentication. The value is either
@@ -269,22 +268,22 @@ export interface AssumeRoleRequest {
*
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
+ * @public */ SerialNumber?: string; /** - * @public *The value provided by the MFA device, if the trust policy of the role being assumed
* requires MFA. (In other words, if the policy includes a condition that tests for MFA). If
* the role being assumed requires MFA and if the TokenCode value is missing or
* expired, the AssumeRole call returns an "access denied" error.
The format for this parameter, as described by its regex pattern, is a sequence of six * numeric digits.
+ * @public */ TokenCode?: string; /** - * @public *The source identity specified by the principal that is calling the
* AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this
@@ -299,11 +298,11 @@ export interface AssumeRoleRequest {
* and lower-case alphanumeric characters with no spaces. You can also include underscores or
* any of the following characters: =,.@-. You cannot use a value that begins with the text
* aws:. This prefix is reserved for Amazon Web Services internal use.
A list of previously acquired trusted context assertions in the format of a JSON array. * The trusted context assertion is signed and encrypted by Amazon Web Services STS.
*The following is an example of a ProvidedContext value that includes a
@@ -312,78 +311,78 @@ export interface AssumeRoleRequest {
*
* [\{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"\}]
*
Amazon Web Services credentials for API authentication.
+ * @public */ export interface Credentials { /** - * @public *The access key ID that identifies the temporary security credentials.
+ * @public */ AccessKeyId: string | undefined; /** - * @public *The secret access key that can be used to sign requests.
+ * @public */ SecretAccessKey: string | undefined; /** - * @public *The token that users must pass to the service API to use the temporary * credentials.
+ * @public */ SessionToken: string | undefined; /** - * @public *The date on which the current credentials expire.
+ * @public */ Expiration: Date | undefined; } /** - * @public *Contains the response to a successful AssumeRole request, including * temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
+ * @public */ export interface AssumeRoleResponse { /** - * @public *The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you
* can use to refer to the resulting temporary security credentials. For example, you can
* reference these credentials as a principal in a resource-based policy by using the ARN or
* assumed role ID. The ARN and ID include the RoleSessionName that you specified
* when you called AssumeRole.
A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space.
+ * @public */ PackedPolicySize?: number; /** - * @public *The source identity specified by the principal that is calling the
* AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this @@ -397,14 +396,15 @@ export interface AssumeRoleResponse { *
The regex used to validate this parameter is a string of characters consisting of upper- * and lower-case alphanumeric characters with no spaces. You can also include underscores or * any of the following characters: =,.@-
+ * @public */ SourceIdentity?: string; } /** - * @public *The web identity token that was passed is expired or is not valid. Get a new identity * token from the identity provider and then retry the request.
+ * @public */ export class ExpiredTokenException extends __BaseException { readonly name: "ExpiredTokenException" = "ExpiredTokenException"; @@ -423,9 +423,9 @@ export class ExpiredTokenException extends __BaseException { } /** - * @public *The request was rejected because the policy document was malformed. The error message * describes the specific error.
+ * @public */ export class MalformedPolicyDocumentException extends __BaseException { readonly name: "MalformedPolicyDocumentException" = "MalformedPolicyDocumentException"; @@ -444,7 +444,6 @@ export class MalformedPolicyDocumentException extends __BaseException { } /** - * @public *The request was rejected because the total packed size of the session policies and * session tags combined was too large. An Amazon Web Services conversion compresses the session policy * document, session policy ARNs, and session tags into a packed binary format that has a @@ -454,6 +453,7 @@ export class MalformedPolicyDocumentException extends __BaseException { *
You could receive this error even though you meet other defined session policy and * session tag limits. For more information, see IAM and STS Entity * Character Limits in the IAM User Guide.
+ * @public */ export class PackedPolicyTooLargeException extends __BaseException { readonly name: "PackedPolicyTooLargeException" = "PackedPolicyTooLargeException"; @@ -472,12 +472,12 @@ export class PackedPolicyTooLargeException extends __BaseException { } /** - * @public *STS is not activated in the requested region for the account that is being asked to * generate credentials. The account administrator must use the IAM console to activate STS * in that region. For more information, see Activating and * Deactivating Amazon Web Services STS in an Amazon Web Services Region in the IAM User * Guide.
+ * @public */ export class RegionDisabledException extends __BaseException { readonly name: "RegionDisabledException" = "RegionDisabledException"; @@ -500,28 +500,27 @@ export class RegionDisabledException extends __BaseException { */ export interface AssumeRoleWithSAMLRequest { /** - * @public *The Amazon Resource Name (ARN) of the role that the caller is assuming.
+ * @public */ RoleArn: string | undefined; /** - * @public *The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the * IdP.
+ * @public */ PrincipalArn: string | undefined; /** - * @public *The base64 encoded SAML authentication response provided by the IdP.
*For more information, see Configuring a Relying Party and * Adding Claims in the IAM User Guide.
+ * @public */ SAMLAssertion: string | undefined; /** - * @public *The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role.
*This parameter is optional. You can provide up to 10 managed policy ARNs. However, the @@ -543,11 +542,11 @@ export interface AssumeRoleWithSAMLRequest { * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
+ * @public */ PolicyArns?: PolicyDescriptorType[]; /** - * @public *An IAM policy in JSON format that you want to use as an inline session policy.
*This parameter is optional. Passing policies to this operation returns new
* temporary credentials. The resulting session's permissions are the intersection of the
@@ -569,11 +568,11 @@ export interface AssumeRoleWithSAMLRequest {
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
The duration, in seconds, of the role session. Your role session lasts for the duration
* that you specify for the DurationSeconds parameter, or until the time
* specified in the SAML authentication response's SessionNotOnOrAfter value,
@@ -595,51 +594,51 @@ export interface AssumeRoleWithSAMLRequest {
* that Enables Federated Users to Access the Amazon Web Services Management Console in the
* IAM User Guide.
Contains the response to a successful AssumeRoleWithSAML request, * including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
+ * @public */ export interface AssumeRoleWithSAMLResponse { /** - * @public *The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*The identifiers for the temporary security credentials that the operation * returns.
+ * @public */ AssumedRoleUser?: AssumedRoleUser; /** - * @public *A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space.
+ * @public */ PackedPolicySize?: number; /** - * @public *The value of the NameID element in the Subject element of the
* SAML assertion.
The format of the name ID, as defined by the Format attribute in the
* NameID element of the SAML assertion. Typical examples of the format are
* transient or persistent.
urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as
* transient. If the format includes any other prefix, the format is returned
* with no modifications.
+ * @public
*/
SubjectType?: string;
/**
- * @public
* The value of the Issuer element of the SAML assertion.
The value of the Recipient attribute of the
* SubjectConfirmationData element of the SAML assertion.
A hash value based on the concatenation of the following:
*
* BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
*
The value in the SourceIdentity attribute in the SAML assertion.
You can require users to set a source identity value when they assume a role. You do
* this by using the sts:SourceIdentity condition key in a role trust policy.
@@ -704,16 +703,17 @@ export interface AssumeRoleWithSAMLResponse {
*
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
+ * @public */ SourceIdentity?: string; } /** - * @public *The identity provider (IdP) reported that authentication failed. This might be because * the claim is invalid.
*If this error is returned for the AssumeRoleWithWebIdentity operation, it
* can also mean that the claim has expired or has been explicitly revoked.
The web identity token that was passed could not be validated by Amazon Web Services. Get a new * identity token from the identity provider and then retry the request.
+ * @public */ export class InvalidIdentityTokenException extends __BaseException { readonly name: "InvalidIdentityTokenException" = "InvalidIdentityTokenException"; @@ -757,13 +757,12 @@ export class InvalidIdentityTokenException extends __BaseException { */ export interface AssumeRoleWithWebIdentityRequest { /** - * @public *The Amazon Resource Name (ARN) of the role that the caller is assuming.
+ * @public */ RoleArn: string | undefined; /** - * @public *An identifier for the assumed role session. Typically, you pass the name or identifier * that is associated with the user who is using your application. That way, the temporary * security credentials that your application will use are associated with that user. This @@ -772,32 +771,32 @@ export interface AssumeRoleWithWebIdentityRequest { *
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
+ * @public */ RoleSessionName: string | undefined; /** - * @public *The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity
* provider. Your application must get this token by authenticating the user who is using your
* application with a web identity provider before the application makes an
* AssumeRoleWithWebIdentity call. Only tokens with RSA algorithms (RS256) are
* supported.
The fully qualified host component of the domain name of the OAuth 2.0 identity * provider. Do not specify this value for an OpenID Connect identity provider.
*Currently www.amazon.com and graph.facebook.com are the only
* supported identity providers for OAuth 2.0 access tokens. Do not include URL schemes and
* port numbers.
Do not specify this value for OpenID Connect ID tokens.
+ * @public */ ProviderId?: string; /** - * @public *The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role.
*This parameter is optional. You can provide up to 10 managed policy ARNs. However, the @@ -819,11 +818,11 @@ export interface AssumeRoleWithWebIdentityRequest { * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
+ * @public */ PolicyArns?: PolicyDescriptorType[]; /** - * @public *An IAM policy in JSON format that you want to use as an inline session policy.
*This parameter is optional. Passing policies to this operation returns new
* temporary credentials. The resulting session's permissions are the intersection of the
@@ -845,11 +844,11 @@ export interface AssumeRoleWithWebIdentityRequest {
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
The duration, in seconds, of the role session. The value can range from 900 seconds (15 * minutes) up to the maximum session duration setting for the role. This setting can have a * value from 1 hour to 12 hours. If you specify a value higher than this setting, the @@ -868,75 +867,75 @@ export interface AssumeRoleWithWebIdentityRequest { * that Enables Federated Users to Access the Amazon Web Services Management Console in the * IAM User Guide.
* + * @public */ DurationSeconds?: number; } /** - * @public *Contains the response to a successful AssumeRoleWithWebIdentity * request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
+ * @public */ export interface AssumeRoleWithWebIdentityResponse { /** - * @public *The temporary security credentials, which include an access key ID, a secret access key, * and a security token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*The unique user identifier that is returned by the identity provider. This identifier is
* associated with the WebIdentityToken that was submitted with the
* AssumeRoleWithWebIdentity call. The identifier is typically unique to the
* user and the application that acquired the WebIdentityToken (pairwise
* identifier). For OpenID Connect ID tokens, this field contains the value returned by the
* identity provider as the token's sub (Subject) claim.
The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you
* can use to refer to the resulting temporary security credentials. For example, you can
* reference these credentials as a principal in a resource-based policy by using the ARN or
* assumed role ID. The ARN and ID include the RoleSessionName that you specified
* when you called AssumeRole.
A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space.
+ * @public */ PackedPolicySize?: number; /** - * @public * The issuing authority of the web identity token presented. For OpenID Connect ID
* tokens, this contains the value of the iss field. For OAuth 2.0 access tokens,
* this contains the value of the ProviderId parameter that was passed in the
* AssumeRoleWithWebIdentity request.
The intended audience (also known as client ID) of the web identity token. This is * traditionally the client identifier issued to the application that requested the web * identity token.
+ * @public */ Audience?: string; /** - * @public *The value of the source identity that is returned in the JSON web token (JWT) from the * identity provider.
*You can require users to set a source identity value when they assume a role. You do @@ -954,17 +953,18 @@ export interface AssumeRoleWithWebIdentityResponse { *
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
+ * @public */ SourceIdentity?: string; } /** - * @public *The request could not be fulfilled because the identity provider (IDP) that * was asked to verify the incoming identity token could not be reached. This is often a * transient error caused by network conditions. Retry the request a limited number of * times so that you don't exceed the request rate. If the error persists, the * identity provider might be down or not responding.
+ * @public */ export class IDPCommunicationErrorException extends __BaseException { readonly name: "IDPCommunicationErrorException" = "IDPCommunicationErrorException"; @@ -987,30 +987,30 @@ export class IDPCommunicationErrorException extends __BaseException { */ export interface DecodeAuthorizationMessageRequest { /** - * @public *The encoded message that was returned with the response.
+ * @public */ EncodedMessage: string | undefined; } /** - * @public *A document that contains additional information about the authorization status of a * request from an encoded message that is returned in response to an Amazon Web Services request.
+ * @public */ export interface DecodeAuthorizationMessageResponse { /** - * @public *The API returns a response with the decoded message.
+ * @public */ DecodedMessage?: string; } /** - * @public *The error returned if the message passed to DecodeAuthorizationMessage
* was invalid. This can happen if the token contains invalid characters, such as
* linebreaks.
The identifier of an access key.
*This parameter allows (through its regex pattern) a string of characters that can * consist of any upper- or lowercase letter or digit.
+ * @public */ AccessKeyId: string | undefined; } @@ -1046,8 +1046,8 @@ export interface GetAccessKeyInfoRequest { */ export interface GetAccessKeyInfoResponse { /** - * @public *The number used to identify the Amazon Web Services account.
+ * @public */ Account?: string; } @@ -1058,30 +1058,30 @@ export interface GetAccessKeyInfoResponse { export interface GetCallerIdentityRequest {} /** - * @public *Contains the response to a successful GetCallerIdentity request, * including information about the entity making the request.
+ * @public */ export interface GetCallerIdentityResponse { /** - * @public *The unique identifier of the calling entity. The exact value depends on the type of * entity that is making the call. The values returned are those listed in the aws:userid column in the Principal * table found on the Policy Variables reference * page in the IAM User Guide.
+ * @public */ UserId?: string; /** - * @public *The Amazon Web Services account ID number of the account that owns or contains the calling * entity.
+ * @public */ Account?: string; /** - * @public *The Amazon Web Services ARN associated with the calling entity.
+ * @public */ Arn?: string; } @@ -1091,18 +1091,17 @@ export interface GetCallerIdentityResponse { */ export interface GetFederationTokenRequest { /** - * @public *The name of the federated user. The name is used as an identifier for the temporary
* security credentials (such as Bob). For example, you can reference the
* federated user name in a resource-based policy, such as in an Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
+ * @public */ Name: string | undefined; /** - * @public *An IAM policy in JSON format that you want to use as an inline session policy.
*You must pass an inline or managed session policy to
* this operation. You can pass a single JSON policy document to use as an inline session
@@ -1133,11 +1132,11 @@ export interface GetFederationTokenRequest {
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a * managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
*You must pass an inline or managed session policy to
@@ -1167,22 +1166,22 @@ export interface GetFederationTokenRequest {
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
The duration, in seconds, that the session should last. Acceptable durations for * federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with * 43,200 seconds (12 hours) as the default. Sessions obtained using root user * credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified * duration is longer than one hour, the session obtained by using root user * credentials defaults to one hour.
+ * @public */ DurationSeconds?: number; /** - * @public *A list of session tags. Each session tag consists of a key name and an associated value. * For more information about session tags, see Passing Session Tags in STS in the * IAM User Guide.
@@ -1205,62 +1204,63 @@ export interface GetFederationTokenRequest { *department=engineering session tag. Department
* and department are not saved as separate tags, and the session tag passed in
* the request takes precedence over the role tag.
+ * @public
*/
Tags?: Tag[];
}
/**
- * @public
* Identifiers for the federated user that is associated with the credentials.
+ * @public */ export interface FederatedUser { /** - * @public *The string that identifies the federated user associated with the credentials, similar * to the unique ID of an IAM user.
+ * @public */ FederatedUserId: string | undefined; /** - * @public *The ARN that specifies the federated user that is associated with the credentials. For * more information about ARNs and how to use them in policies, see IAM * Identifiers in the IAM User Guide.
+ * @public */ Arn: string | undefined; } /** - * @public *Contains the response to a successful GetFederationToken request, * including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
+ * @public */ export interface GetFederationTokenResponse { /** - * @public *The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*Identifiers for the federated user associated with the credentials (such as
* arn:aws:sts::123456789012:federated-user/Bob or
* 123456789012:Bob). You can use the federated user's ARN in your
* resource-based policies, such as an Amazon S3 bucket policy.
A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space.
+ * @public */ PackedPolicySize?: number; } @@ -1270,17 +1270,16 @@ export interface GetFederationTokenResponse { */ export interface GetSessionTokenRequest { /** - * @public *The duration, in seconds, that the credentials should remain valid. Acceptable durations * for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds * (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for Amazon Web Services account * owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer * than one hour, the session for Amazon Web Services account owners defaults to one hour.
+ * @public */ DurationSeconds?: number; /** - * @public *The identification number of the MFA device that is associated with the IAM user who is making the GetSessionToken call. Specify this value
* if the IAM user has a policy that requires MFA authentication. The value is
* either the serial number for a hardware device (such as GAHT12345678) or an
@@ -1289,11 +1288,11 @@ export interface GetSessionTokenRequest {
*
The regex used to validate this parameter is a string of * characters consisting of upper- and lower-case alphanumeric characters with no spaces. * You can also include underscores or any of the following characters: =,.@:/-
+ * @public */ SerialNumber?: string; /** - * @public *The value provided by the MFA device, if MFA is required. If any policy requires the * IAM user to submit an MFA code, specify this value. If MFA authentication * is required, the user must provide a code when requesting a set of temporary security @@ -1301,24 +1300,25 @@ export interface GetSessionTokenRequest { * requesting resources that require MFA authentication.
*The format for this parameter, as described by its regex pattern, is a sequence of six * numeric digits.
+ * @public */ TokenCode?: string; } /** - * @public *Contains the response to a successful GetSessionToken request, * including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
+ * @public */ export interface GetSessionTokenResponse { /** - * @public *The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*