Adds the specified user to the specified group.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Adds a user to a group. A user who is in a group can present a preferred-role claim to an identity pool, and populates a cognito:groups claim to their access and identity tokens.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Confirms user registration as an admin without using a confirmation code. Works on any user.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
This IAM-authenticated API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool. After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.
Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who federate through an external identity provider (IdP) have already been confirmed by their IdP. Administrator-created users confirm their accounts when they respond to their invitation email message and choose a password.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Lists the groups that the user belongs to.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Lists the groups that a user belongs to.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Responds to an authentication challenge, as an administrator.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge. An AdminRespondToAuthChallenge API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.
For more information about custom authentication challenges, see Custom authentication challenge Lambda triggers.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Signs out a user from all devices. AdminUserGlobalSignOut invalidates all identity, access and refresh tokens that Amazon Cognito has issued to a user. A user can still use a hosted UI cookie to retrieve new tokens for the duration of the 1-hour cookie validity period.
Your app isn't aware that a user's access token is revoked unless it attempts to authorize a user pools API request with an access token that contains the scope aws.cognito.signin.user.admin. Your app might otherwise accept access tokens until they expire.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation with your administrative credentials when your user signs out of your app. This results in the following behavior.
Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.
Amazon Cognito returns an Access Token has been revoked error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin.
Amazon Cognito no longer accepts a signed-out user's ID token in a GetId request to an identity pool with ServerSideTokenCheck enabled for its user pool IdP configuration in CognitoIdentityProvider.
Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.
Other requests might be valid until your user's token expires.
Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
Learn more
Confirms registration of a new user.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.
This public API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp API operation. After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.
Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who federate through an external identity provider (IdP) have already been confirmed by their IdP. Administrator-created users, users created with the AdminCreateUser API operation, confirm their accounts when they respond to their invitation email message and choose a password. They do not receive a confirmation code. Instead, they receive a temporary password.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.
Signs out a user from all devices. GlobalSignOut invalidates all identity, access and refresh tokens that Amazon Cognito has issued to a user. A user can still use a hosted UI cookie to retrieve new tokens for the duration of the 1-hour cookie validity period.
Your app isn't aware that a user's access token is revoked unless it attempts to authorize a user pools API request with an access token that contains the scope aws.cognito.signin.user.admin. Your app might otherwise accept access tokens until they expire.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation when your user signs out of your app. This results in the following behavior.
Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.
Amazon Cognito returns an Access Token has been revoked error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin.
Amazon Cognito no longer accepts a signed-out user's ID token in a GetId request to an identity pool with ServerSideTokenCheck enabled for its user pool IdP configuration in CognitoIdentityProvider.
Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.
Other requests might be valid until your user's token expires.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.
Responds to the authentication challenge.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge. A RespondToAuthChallenge API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.
For more information about custom authentication challenges, see Custom authentication challenge Lambda triggers.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Allows a user to update a specific attribute (one at a time).
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
With this operation, your users can update one or more of their attributes with their own credentials. You authorize this API request with the user's access token. To delete an attribute from your user, submit the attribute in your API request with a blank value. Custom attribute values in this request must include the custom: prefix.
Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito native and OIDC APIs.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
The username for the user.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The group name.
" + "documentation":"The name of the group that you want to add your user to.
" } } }, @@ -2221,7 +2221,7 @@ }, "Username":{ "shape":"UsernameType", - "documentation":"The user name for which you want to confirm user registration.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user account expiration limit, in days, after which a new account that hasn't signed in is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying \"RESEND\" for the MessageAction parameter. The default value for this parameter is 7.
If you set a value for TemporaryPasswordValidityDays in PasswordPolicy, that value will be used, and UnusedAccountValidityDays will be no longer be an available parameter for that user pool.
The user account expiration limit, in days, after which a new account that hasn't signed in is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying \"RESEND\" for the MessageAction parameter. The default value for this parameter is 7.
If you set a value for TemporaryPasswordValidityDays in PasswordPolicy, that value will be used, and UnusedAccountValidityDays will be no longer be an available parameter for that user pool.
The user's validation data. This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. For example, you might choose to allow or disallow user sign-up based on the user's domain.
To configure custom validation, you must create a Pre Sign-up Lambda trigger for the user pool as described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data and uses it in the validation process.
The user's validation data isn't persisted.
" + "documentation":"Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.
Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network.
For more information about the pre sign-up Lambda trigger, see Pre sign-up Lambda trigger.
" }, "TemporaryPassword":{ "shape":"PasswordType", @@ -2329,7 +2329,7 @@ }, "Username":{ "shape":"UsernameType", - "documentation":"The user name of the user from which you would like to delete attributes.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user name of the user you want to delete.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
Represents the request to delete a user as an administrator.
" @@ -2397,7 +2397,7 @@ }, "Username":{ "shape":"UsernameType", - "documentation":"The user name of the user you want to disable.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
Represents the request to disable the user as an administrator.
" @@ -2421,7 +2421,7 @@ }, "Username":{ "shape":"UsernameType", - "documentation":"The user name of the user you want to enable.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
Represents the request that enables the user as an administrator.
" @@ -2446,7 +2446,7 @@ }, "Username":{ "shape":"UsernameType", - "documentation":"The user name.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user name.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
Represents the request to get the device, as an administrator.
" @@ -2502,7 +2502,7 @@ }, "Username":{ "shape":"UsernameType", - "documentation":"The user name of the user you want to retrieve.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
Represents the request to get the specified user as an administrator.
" @@ -2576,7 +2576,7 @@ }, "ClientMetadata":{ "shape":"ClientMetadataType", - "documentation":"A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminInitiateAuth API action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers:
Pre signup
Pre authentication
User migration
When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminInitiateAuth request. In your function code in Lambda, you can process the validationData value to enhance your workflow for your specific needs.
When you use the AdminInitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it doesn't provide the ClientMetadata value as input:
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
Verify auth challenge
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminInitiateAuth API action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers:
Pre signup
Pre authentication
User migration
When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminInitiateAuth request. In your function code in Lambda, you can process the validationData value to enhance your workflow for your specific needs.
When you use the AdminInitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it doesn't provide the ClientMetadata value as input:
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
The name of the challenge that you're responding to with this call. This is returned in the AdminInitiateAuth response if you must pass another challenge.
MFA_SETUP: If MFA is required, users who don't have at least one of the MFA methods set up are presented with an MFA_SETUP challenge. The user must set up at least one MFA type to continue to authenticate.
SELECT_MFA_TYPE: Selects the MFA type. Valid MFA options are SMS_MFA for text SMS MFA, and SOFTWARE_TOKEN_MFA for time-based one-time password (TOTP) software token MFA.
SMS_MFA: Next challenge is to supply an SMS_MFA_CODE, delivered via SMS.
PASSWORD_VERIFIER: Next challenge is to supply PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after the client-side SRP calculations.
CUSTOM_CHALLENGE: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued.
DEVICE_SRP_AUTH: If device tracking was activated in your user pool and the previous challenges were passed, this challenge is returned so that Amazon Cognito can start tracking this device.
DEVICE_PASSWORD_VERIFIER: Similar to PASSWORD_VERIFIER, but for devices only.
ADMIN_NO_SRP_AUTH: This is returned if you must authenticate with USERNAME and PASSWORD directly. An app client must be enabled to use this flow.
NEW_PASSWORD_REQUIRED: For users who are required to change their passwords after successful first login. Respond to this challenge with NEW_PASSWORD and any required attributes that Amazon Cognito returned in the requiredAttributes parameter. You can also set values for attributes that aren't required by your user pool and that your app client can write. For more information, see AdminRespondToAuthChallenge.
In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. In AdminRespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the AdminUpdateUserAttributes API operation to modify the value of any additional attributes.
MFA_SETUP: For users who are required to set up an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters MFA_CAN_SETUP value.
To set up software token MFA, use the session returned here from InitiateAuth as an input to AssociateSoftwareToken, and use the session returned by VerifySoftwareToken as an input to RespondToAuthChallenge with challenge name MFA_SETUP to complete sign-in. To set up SMS MFA, users will need help from an administrator to add a phone number to their account and then call InitiateAuth again to restart sign-in.
The name of the challenge that you're responding to with this call. This is returned in the AdminInitiateAuth response if you must pass another challenge.
MFA_SETUP: If MFA is required, users who don't have at least one of the MFA methods set up are presented with an MFA_SETUP challenge. The user must set up at least one MFA type to continue to authenticate.
SELECT_MFA_TYPE: Selects the MFA type. Valid MFA options are SMS_MFA for text SMS MFA, and SOFTWARE_TOKEN_MFA for time-based one-time password (TOTP) software token MFA.
SMS_MFA: Next challenge is to supply an SMS_MFA_CODE, delivered via SMS.
PASSWORD_VERIFIER: Next challenge is to supply PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after the client-side SRP calculations.
CUSTOM_CHALLENGE: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued.
DEVICE_SRP_AUTH: If device tracking was activated in your user pool and the previous challenges were passed, this challenge is returned so that Amazon Cognito can start tracking this device.
DEVICE_PASSWORD_VERIFIER: Similar to PASSWORD_VERIFIER, but for devices only.
ADMIN_NO_SRP_AUTH: This is returned if you must authenticate with USERNAME and PASSWORD directly. An app client must be enabled to use this flow.
NEW_PASSWORD_REQUIRED: For users who are required to change their passwords after successful first login. Respond to this challenge with NEW_PASSWORD and any required attributes that Amazon Cognito returned in the requiredAttributes parameter. You can also set values for attributes that aren't required by your user pool and that your app client can write. For more information, see AdminRespondToAuthChallenge.
In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. In AdminRespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the AdminUpdateUserAttributes API operation to modify the value of any additional attributes.
MFA_SETUP: For users who are required to set up an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters MFAS_CAN_SETUP value.
To set up software token MFA, use the session returned here from InitiateAuth as an input to AssociateSoftwareToken, and use the session returned by VerifySoftwareToken as an input to RespondToAuthChallenge with challenge name MFA_SETUP to complete sign-in. To set up SMS MFA, users will need help from an administrator to add a phone number to their account and then call InitiateAuth again to restart sign-in.
The user name.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The pagination token.
" + "documentation":"This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.
" } }, "documentation":"Represents the request to list devices, as an administrator.
" @@ -2673,7 +2673,7 @@ }, "PaginationToken":{ "shape":"SearchPaginationTokenType", - "documentation":"The pagination token.
" + "documentation":"The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.
" } }, "documentation":"Lists the device's response, as an administrator.
" @@ -2687,7 +2687,7 @@ "members":{ "Username":{ "shape":"UsernameType", - "documentation":"The username for the user.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user pool username or an alias.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The username for the user.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user name of the user whose password you want to reset.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The challenge responses. These are inputs corresponding to the value of ChallengeName, for example:
SMS_MFA: SMS_MFA_CODE, USERNAME, SECRET_HASH (if app client is configured with client secret).
PASSWORD_VERIFIER: PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, TIMESTAMP, USERNAME, SECRET_HASH (if app client is configured with client secret).
PASSWORD_VERIFIER requires DEVICE_KEY when signing in with a remembered device.
ADMIN_NO_SRP_AUTH: PASSWORD, USERNAME, SECRET_HASH (if app client is configured with client secret).
NEW_PASSWORD_REQUIRED: NEW_PASSWORD, USERNAME, SECRET_HASH (if app client is configured with client secret). To set any required attributes that Amazon Cognito returned as requiredAttributes in the AdminInitiateAuth response, add a userAttributes.attributename parameter. This parameter can also set values for writable attributes that aren't required by your user pool.
In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. In AdminRespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the AdminUpdateUserAttributes API operation to modify the value of any additional attributes.
MFA_SETUP requires USERNAME, plus you must use the session value returned by VerifySoftwareToken in the Session parameter.
The value of the USERNAME attribute must be the user's actual username, not an alias (such as an email address or phone number). To make this simpler, the AdminInitiateAuth response includes the actual username value in the USERNAMEUSER_ID_FOR_SRP attribute. This happens even if you specified an alias in your call to AdminInitiateAuth.
For more information about SECRET_HASH, see Computing secret hash values. For information about DEVICE_KEY, see Working with user devices in your user pool.
The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.
You must provide a SECRET_HASH parameter in all challenge responses to an app client that has a client secret.
\"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\": \"[SMS_code]\", \"USERNAME\": \"[username]\"}
\"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\": {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}
Add \"DEVICE_KEY\" when you sign in with a remembered device.
\"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\": {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}
Add \"DEVICE_KEY\" when you sign in with a remembered device.
\"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\": {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\": \"[username]\"}
To set any required attributes that InitiateAuth returned in an requiredAttributes parameter, add \"userAttributes.[attribute_name]\": \"[attribute_value]\". This parameter can also set values for writable attributes that aren't required by your user pool.
In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. In RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the UpdateUserAttributes API operation to modify the value of any additional attributes.
\"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\": {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\": [authenticator_code]}
\"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\": \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\": \"[srp_a]\"}
\"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\": {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}
\"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\": \"[username]\"}, \"SESSION\": \"[Session ID from VerifySoftwareToken]\"
\"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\": \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}
For more information about SECRET_HASH, see Computing secret hash values. For information about DEVICE_KEY, see Working with user devices in your user pool.
The user pool username or alias.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user name of the user whose password you want to set.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user name of the user whose options you're setting.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user pool username.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user name.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user name of the user for whom you want to update user attributes.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user name.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The request to sign out of all devices, as an administrator.
" @@ -3630,7 +3630,7 @@ }, "Username":{ "shape":"UsernameType", - "documentation":"The user name of the user for whom you want to enter a code to retrieve a forgotten password.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The user name of the user whose registration you want to confirm.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The read attributes.
" + "documentation":"The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a GetUser API request to retrieve and display your user's profile data.
When you don't specify the ReadAttributes for your app client, your app can read the values of email_verified, phone_number_verified, and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ReadAttributes doesn't return any information. Amazon Cognito only populates ReadAttributes in the API response if you have specified your own custom set of read attributes.
The user pool attributes that the app client can write to.
If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see Specifying IdP Attribute Mappings for Your user pool.
" + "documentation":"The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an UpdateUserAttributes API request and sets family_name to the new value.
When you don't specify the WriteAttributes for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, WriteAttributes doesn't return any information. Amazon Cognito only populates WriteAttributes in the API response if you have specified your own custom set of write attributes.
If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see Specifying IdP Attribute Mappings for Your user pool.
" }, "ExplicitAuthFlows":{ "shape":"ExplicitAuthFlowsListType", @@ -4179,14 +4179,14 @@ "members":{ "LambdaVersion":{ "shape":"CustomEmailSenderLambdaVersionType", - "documentation":"Signature of the \"request\" attribute in the \"event\" information Amazon Cognito passes to your custom email Lambda function. The only supported value is V1_0.
The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. Higher-numbered versions add fields that support new features.
You must use a LambdaVersion of V1_0 with a custom sender function.
The Amazon Resource Name (ARN) of the Lambda function that Amazon Cognito activates to send email notifications to users.
" + "documentation":"The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
" } }, - "documentation":"A custom email sender Lambda configuration type.
" + "documentation":"The properties of a custom email sender Lambda trigger.
" }, "CustomEmailSenderLambdaVersionType":{ "type":"string", @@ -4201,14 +4201,14 @@ "members":{ "LambdaVersion":{ "shape":"CustomSMSSenderLambdaVersionType", - "documentation":"Signature of the \"request\" attribute in the \"event\" information that Amazon Cognito passes to your custom SMS Lambda function. The only supported value is V1_0.
The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. Higher-numbered versions add fields that support new features.
You must use a LambdaVersion of V1_0 with a custom sender function.
The Amazon Resource Name (ARN) of the Lambda function that Amazon Cognito activates to send SMS notifications to users.
" + "documentation":"The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
" } }, - "documentation":"A custom SMS sender Lambda configuration type.
" + "documentation":"The properties of a custom SMS sender Lambda trigger.
" }, "CustomSMSSenderLambdaVersionType":{ "type":"string", @@ -4968,7 +4968,7 @@ }, "Username":{ "shape":"UsernameType", - "documentation":"The user name of the user for whom you want to enter a code to reset a forgotten password.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the InitiateAuth API action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers:
Pre signup
Pre authentication
User migration
When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData attribute, which provides the data that you assigned to the ClientMetadata parameter in your InitiateAuth request. In your function code in Lambda, you can process the validationData value to enhance your workflow for your specific needs.
When you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it doesn't provide the ClientMetadata value as input:
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
Verify auth challenge
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers.
You create custom workflows by assigning Lambda functions to user pool triggers. When you use the InitiateAuth API action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers:
Pre signup
Pre authentication
User migration
When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData attribute, which provides the data that you assigned to the ClientMetadata parameter in your InitiateAuth request. In your function code in Lambda, you can process the validationData value to enhance your workflow for your specific needs.
When you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it doesn't provide the ClientMetadata value as input:
Post authentication
Custom message
Pre token generation
Create auth challenge
Define auth challenge
For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.
When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
Validate the ClientMetadata value.
Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
The name of the challenge that you're responding to with this call. This name is returned in the AdminInitiateAuth response if you must pass another challenge.
Valid values include the following:
All of the following challenges require USERNAME and SECRET_HASH (if applicable) in the parameters.
SMS_MFA: Next challenge is to supply an SMS_MFA_CODE, delivered via SMS.
PASSWORD_VERIFIER: Next challenge is to supply PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after the client-side SRP calculations.
CUSTOM_CHALLENGE: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued.
DEVICE_SRP_AUTH: If device tracking was activated on your user pool and the previous challenges were passed, this challenge is returned so that Amazon Cognito can start tracking this device.
DEVICE_PASSWORD_VERIFIER: Similar to PASSWORD_VERIFIER, but for devices only.
NEW_PASSWORD_REQUIRED: For users who are required to change their passwords after successful first login.
Respond to this challenge with NEW_PASSWORD and any required attributes that Amazon Cognito returned in the requiredAttributes parameter. You can also set values for attributes that aren't required by your user pool and that your app client can write. For more information, see RespondToAuthChallenge.
In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. In RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the UpdateUserAttributes API operation to modify the value of any additional attributes.
MFA_SETUP: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters MFA_CAN_SETUP value.
To set up software token MFA, use the session returned here from InitiateAuth as an input to AssociateSoftwareToken. Use the session returned by VerifySoftwareToken as an input to RespondToAuthChallenge with challenge name MFA_SETUP to complete sign-in. To set up SMS MFA, an administrator should help the user to add a phone number to their account, and then the user should call InitiateAuth again to restart sign-in.
The name of the challenge that you're responding to with this call. This name is returned in the InitiateAuth response if you must pass another challenge.
Valid values include the following:
All of the following challenges require USERNAME and SECRET_HASH (if applicable) in the parameters.
SMS_MFA: Next challenge is to supply an SMS_MFA_CODE, delivered via SMS.
PASSWORD_VERIFIER: Next challenge is to supply PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after the client-side SRP calculations.
CUSTOM_CHALLENGE: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued.
DEVICE_SRP_AUTH: If device tracking was activated on your user pool and the previous challenges were passed, this challenge is returned so that Amazon Cognito can start tracking this device.
DEVICE_PASSWORD_VERIFIER: Similar to PASSWORD_VERIFIER, but for devices only.
NEW_PASSWORD_REQUIRED: For users who are required to change their passwords after successful first login.
Respond to this challenge with NEW_PASSWORD and any required attributes that Amazon Cognito returned in the requiredAttributes parameter. You can also set values for attributes that aren't required by your user pool and that your app client can write. For more information, see RespondToAuthChallenge.
In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. In RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the UpdateUserAttributes API operation to modify the value of any additional attributes.
MFA_SETUP: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters MFAS_CAN_SETUP value.
To set up software token MFA, use the session returned here from InitiateAuth as an input to AssociateSoftwareToken. Use the session returned by VerifySoftwareToken as an input to RespondToAuthChallenge with challenge name MFA_SETUP to complete sign-in. To set up SMS MFA, an administrator should help the user to add a phone number to their account, and then the user should call InitiateAuth again to restart sign-in.
A Lambda trigger that is invoked before token generation.
" + "documentation":"The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
Set this parameter for legacy purposes. If you also set an ARN in PreTokenGenerationConfig, its value must be identical to PreTokenGeneration. For new instances of pre token generation triggers, set the LambdaArn of PreTokenGenerationConfig.
You can set
The detailed configuration of a pre token generation trigger. If you also set an ARN in PreTokenGeneration, its value must be identical to PreTokenGenerationConfig.
The pagination token for the list request.
" + "documentation":"This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.
" } }, "documentation":"Represents the request to list the devices.
" @@ -5674,7 +5678,7 @@ }, "PaginationToken":{ "shape":"SearchPaginationTokenType", - "documentation":"The pagination token for the list device response.
" + "documentation":"The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.
" } }, "documentation":"Represents the response to list devices.
" @@ -5824,7 +5828,7 @@ }, "PaginationToken":{ "shape":"PaginationKeyType", - "documentation":"An identifier that was returned from the previous call to ListUserImportJobs, which can be used to return the next set of import jobs in the list.
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.
" } }, "documentation":"Represents the request to list the user import jobs.
" @@ -5838,7 +5842,7 @@ }, "PaginationToken":{ "shape":"PaginationKeyType", - "documentation":"An identifier that can be used to return the next set of user import jobs in the list.
" + "documentation":"The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.
" } }, "documentation":"Represents the response from the server to the request to list the user import jobs.
" @@ -5922,7 +5926,7 @@ }, "Limit":{ "shape":"QueryLimitType", - "documentation":"The limit of the request to list users.
" + "documentation":"The maximum number of users that you want to retrieve before pagination.
" }, "NextToken":{ "shape":"PaginationKey", @@ -5935,7 +5939,7 @@ "members":{ "Users":{ "shape":"UsersListType", - "documentation":"The users returned in the request to list users.
" + "documentation":"A list of users in the group, and their attributes.
" }, "NextToken":{ "shape":"PaginationKey", @@ -5953,7 +5957,7 @@ }, "AttributesToGet":{ "shape":"SearchedAttributeNamesListType", - "documentation":"A JSON array of user attribute names, for example given_name, that you want Amazon Cognito to include in the response for each user. When you don't provide an AttributesToGet parameter, Amazon Cognito returns all attributes for each user.
A JSON array of user attribute names, for example given_name, that you want Amazon Cognito to include in the response for each user. When you don't provide an AttributesToGet parameter, Amazon Cognito returns all attributes for each user.
Use AttributesToGet with required attributes in your user pool, or in conjunction with Filter. Amazon Cognito returns an error if not all users in the results have set a value for the attribute you request. Attributes that you can't filter on, including custom attributes, must have a value set in every user profile before an AttributesToGet parameter returns results.
An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.
" + "documentation":"This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.
" }, "Filter":{ "shape":"UserFilterType", @@ -5979,7 +5983,7 @@ }, "PaginationToken":{ "shape":"SearchPaginationTokenType", - "documentation":"An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.
" + "documentation":"The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.
" } }, "documentation":"The response from the request to list users.
" @@ -6240,7 +6244,7 @@ }, "TemporaryPasswordValidityDays":{ "shape":"TemporaryPasswordValidityDaysType", - "documentation":"The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password.
When you set TemporaryPasswordValidityDays for a user pool, you can no longer set a value for the legacy UnusedAccountValidityDays parameter in that user pool.
The number of days a temporary password is valid in the password policy. If the user doesn't sign in during this time, an administrator must reset their password. Defaults to 7. If you submit a value of 0, Amazon Cognito treats it as a null value and sets TemporaryPasswordValidityDays to its default value.
When you set TemporaryPasswordValidityDays for a user pool, you can no longer set a value for the legacy UnusedAccountValidityDays parameter in that user pool.
The password policy type.
" @@ -6272,6 +6276,31 @@ "max":2048, "min":0 }, + "PreTokenGenerationLambdaVersionType":{ + "type":"string", + "enum":[ + "V1_0", + "V2_0" + ] + }, + "PreTokenGenerationVersionConfigType":{ + "type":"structure", + "required":[ + "LambdaVersion", + "LambdaArn" + ], + "members":{ + "LambdaVersion":{ + "shape":"PreTokenGenerationLambdaVersionType", + "documentation":"The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. Higher-numbered versions add fields that support new features.
" + }, + "LambdaArn":{ + "shape":"ArnType", + "documentation":"The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
This parameter and the PreTokenGeneration property of LambdaConfig have the same value. For new instances of pre token generation triggers, set LambdaArn.
The properties of a pre token generation Lambda trigger.
" + }, "PrecedenceType":{ "type":"integer", "min":0 @@ -6441,7 +6470,7 @@ }, "Username":{ "shape":"UsernameType", - "documentation":"The username attribute of the user to whom you want to resend a confirmation code.
The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The challenge responses. These are inputs corresponding to the value of ChallengeName, for example:
SECRET_HASH (if app client is configured with client secret) applies to all of the inputs that follow (including SOFTWARE_TOKEN_MFA).
SMS_MFA: SMS_MFA_CODE, USERNAME.
PASSWORD_VERIFIER: PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, TIMESTAMP, USERNAME.
PASSWORD_VERIFIER requires DEVICE_KEY when you sign in with a remembered device.
NEW_PASSWORD_REQUIRED: NEW_PASSWORD, USERNAME, SECRET_HASH (if app client is configured with client secret). To set any required attributes that Amazon Cognito returned as requiredAttributes in the InitiateAuth response, add a userAttributes.attributename parameter. This parameter can also set values for writable attributes that aren't required by your user pool.
In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. In RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the UpdateUserAttributes API operation to modify the value of any additional attributes.
SOFTWARE_TOKEN_MFA: USERNAME and SOFTWARE_TOKEN_MFA_CODE are required attributes.
DEVICE_SRP_AUTH requires USERNAME, DEVICE_KEY, SRP_A (and SECRET_HASH).
DEVICE_PASSWORD_VERIFIER requires everything that PASSWORD_VERIFIER requires, plus DEVICE_KEY.
MFA_SETUP requires USERNAME, plus you must use the session value returned by VerifySoftwareToken in the Session parameter.
For more information about SECRET_HASH, see Computing secret hash values. For information about DEVICE_KEY, see Working with user devices in your user pool.
The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.
You must provide a SECRET_HASH parameter in all challenge responses to an app client that has a client secret.
\"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\": \"[SMS_code]\", \"USERNAME\": \"[username]\"}
\"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\": {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}
Add \"DEVICE_KEY\" when you sign in with a remembered device.
\"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\": {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}
Add \"DEVICE_KEY\" when you sign in with a remembered device.
\"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\": {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\": \"[username]\"}
To set any required attributes that InitiateAuth returned in an requiredAttributes parameter, add \"userAttributes.[attribute_name]\": \"[attribute_value]\". This parameter can also set values for writable attributes that aren't required by your user pool.
In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. In RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the UpdateUserAttributes API operation to modify the value of any additional attributes.
\"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\": {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\": [authenticator_code]}
\"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\": \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\": \"[srp_a]\"}
\"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\": {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}
\"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\": \"[username]\"}, \"SESSION\": \"[Session ID from VerifySoftwareToken]\"
\"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\": \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}
For more information about SECRET_HASH, see Computing secret hash values. For information about DEVICE_KEY, see Working with user devices in your user pool.
The name of your user pool attribute, for example username or custom:costcenter.
The name of your user pool attribute. When you create or update a user pool, adding a schema attribute creates a custom or developer-only attribute. When you add an attribute with a Name value of MyAttribute, Amazon Cognito creates the custom attribute custom:MyAttribute. When DeveloperOnlyAttribute is true, Amazon Cognito creates your attribute as dev:MyAttribute. In an operation that describes a user pool, Amazon Cognito returns this value as value for standard attributes, custom:value for custom attributes, and dev:value for developer-only attributes..
The data format of the values for your attribute.
" + "documentation":"The data format of the values for your attribute. When you choose an AttributeDataType, Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example \"custom:isMember\" : \"true\" or \"custom:YearsAsMember\" : \"12\".
The user name of the user you want to register.
" + "documentation":"The username of the user that you want to sign up. The value of this parameter is typically a username, but can be any alias attribute in your user pool.
" }, "Password":{ "shape":"PasswordType", @@ -7019,7 +7048,7 @@ }, "ValidationData":{ "shape":"AttributeListType", - "documentation":"The validation data in the request to register a user.
" + "documentation":"Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.
Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network.
For more information about the pre sign-up Lambda trigger, see Pre sign-up Lambda trigger.
" }, "AnalyticsMetadata":{ "shape":"AnalyticsMetadataType", @@ -7444,7 +7473,7 @@ }, "Username":{ "shape":"UsernameType", - "documentation":"The user pool username.
" + "documentation":"The username of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If username isn't an alias attribute in your user pool, you can also use their sub in this request.
The read-only attributes of the user pool.
" + "documentation":"The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a GetUser API request to retrieve and display your user's profile data.
When you don't specify the ReadAttributes for your app client, your app can read the values of email_verified, phone_number_verified, and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ReadAttributes doesn't return any information. Amazon Cognito only populates ReadAttributes in the API response if you have specified your own custom set of read attributes.
The writeable attributes of the user pool.
" + "documentation":"The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an UpdateUserAttributes API request and sets family_name to the new value.
When you don't specify the WriteAttributes for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, WriteAttributes doesn't return any information. Amazon Cognito only populates WriteAttributes in the API response if you have specified your own custom set of write attributes.
If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see Specifying IdP Attribute Mappings for Your user pool.
" }, "ExplicitAuthFlows":{ "shape":"ExplicitAuthFlowsListType", @@ -8120,11 +8149,11 @@ }, "ReadAttributes":{ "shape":"ClientPermissionListType", - "documentation":"The Read-only attributes.
" + "documentation":"The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a GetUser API request to retrieve and display your user's profile data.
When you don't specify the ReadAttributes for your app client, your app can read the values of email_verified, phone_number_verified, and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ReadAttributes doesn't return any information. Amazon Cognito only populates ReadAttributes in the API response if you have specified your own custom set of read attributes.
The writeable attributes.
" + "documentation":"The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an UpdateUserAttributes API request and sets family_name to the new value.
When you don't specify the WriteAttributes for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, WriteAttributes doesn't return any information. Amazon Cognito only populates WriteAttributes in the API response if you have specified your own custom set of write attributes.
If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see Specifying IdP Attribute Mappings for Your user pool.
" }, "ExplicitAuthFlows":{ "shape":"ExplicitAuthFlowsListType", @@ -8290,7 +8319,7 @@ }, "Status":{ "shape":"StatusType", - "documentation":"The status of a user pool.
", + "documentation":"This parameter is no longer used.
", "deprecated":true, "deprecatedMessage":"This property is no longer available." }, @@ -8609,5 +8638,5 @@ }, "WrappedBooleanType":{"type":"boolean"} }, - "documentation":"With the Amazon Cognito user pools API, you can set up user pools and app clients, and authenticate users. To authenticate users from third-party identity providers (IdPs) in this API, you can link IdP users to native user profiles. Learn more about the authentication and authorization of federated users in the Using the Amazon Cognito user pools API and user pool endpoints.
This API reference provides detailed information about API operations and object types in Amazon Cognito. At the bottom of the page for each API operation and object, under See Also, you can learn how to use it in an Amazon Web Services SDK in the language of your choice.
Along with resource management operations, the Amazon Cognito user pools API includes classes of operations and authorization models for client-side and server-side user operations. For more information, see Using the Amazon Cognito native and OIDC APIs in the Amazon Cognito Developer Guide.
You can also start reading about the CognitoIdentityProvider client in the following SDK guides.
To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services SDKs.
" + "documentation":"With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To authenticate users from third-party identity providers (IdPs) in this API, you can link IdP users to native user profiles. Learn more about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
This API reference provides detailed information about API operations and object types in Amazon Cognito.
Along with resource management operations, the Amazon Cognito user pools API includes classes of operations and authorization models for client-side and server-side authentication of users. You can interact with operations in the Amazon Cognito user pools API as any of the following subjects.
An administrator who wants to configure user pools, app clients, users, groups, or other user pool functions.
A server-side app, like a web application, that wants to use its Amazon Web Services privileges to manage, authenticate, or authorize a user.
A client-side app, like a mobile app, that wants to make unauthenticated requests to manage, authenticate, or authorize a user.
For more information, see Using the Amazon Cognito user pools API and user pool endpoints in the Amazon Cognito Developer Guide.
With your Amazon Web Services SDK, you can build the logic to support operational flows in every use case for this API. You can also make direct REST API requests to Amazon Cognito user pools service endpoints. The following links can get you started with the CognitoIdentityProvider client in other supported Amazon Web Services SDKs.
To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services SDKs.
" } diff --git a/botocore/data/eks/2017-11-01/paginators-1.json b/botocore/data/eks/2017-11-01/paginators-1.json index 2c7b3019dd..d13e0904f0 100644 --- a/botocore/data/eks/2017-11-01/paginators-1.json +++ b/botocore/data/eks/2017-11-01/paginators-1.json @@ -53,6 +53,28 @@ "limit_key": "maxResults", "output_token": "nextToken", "result_key": "associations" + }, + "ListAccessEntries": { + "input_token": "nextToken", + "limit_key": "maxResults", + "output_token": "nextToken", + "result_key": "accessEntries" + }, + "ListAccessPolicies": { + "input_token": "nextToken", + "limit_key": "maxResults", + "output_token": "nextToken", + "result_key": "accessPolicies" + }, + "ListAssociatedAccessPolicies": { + "input_token": "nextToken", + "limit_key": "maxResults", + "non_aggregate_keys": [ + "clusterName", + "principalArn" + ], + "output_token": "nextToken", + "result_key": "associatedAccessPolicies" } } } diff --git a/botocore/data/eks/2017-11-01/service-2.json b/botocore/data/eks/2017-11-01/service-2.json index db196354cf..4ab389f5aa 100644 --- a/botocore/data/eks/2017-11-01/service-2.json +++ b/botocore/data/eks/2017-11-01/service-2.json @@ -13,6 +13,22 @@ "uid":"eks-2017-11-01" }, "operations":{ + "AssociateAccessPolicy":{ + "name":"AssociateAccessPolicy", + "http":{ + "method":"POST", + "requestUri":"/clusters/{name}/access-entries/{principalArn}/access-policies" + }, + "input":{"shape":"AssociateAccessPolicyRequest"}, + "output":{"shape":"AssociateAccessPolicyResponse"}, + "errors":[ + {"shape":"ServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidRequestException"}, + {"shape":"InvalidParameterException"} + ], + "documentation":"Associates an access policy and its scope to an access entry. For more information about associating access policies, see Associating and disassociating access policies to and from access entries in the Amazon EKS User Guide.
" + }, "AssociateEncryptionConfig":{ "name":"AssociateEncryptionConfig", "http":{ @@ -29,7 +45,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"InvalidRequestException"} ], - "documentation":"Associate encryption configuration to an existing cluster.
You can use this API to enable encryption on existing clusters which do not have encryption already enabled. This allows you to implement a defense-in-depth security strategy without migrating applications to new Amazon EKS clusters.
" + "documentation":"Associates an encryption configuration to an existing cluster.
Use this API to enable encryption on existing clusters that don't already have encryption enabled. This allows you to implement a defense-in-depth security strategy without migrating applications to new Amazon EKS clusters.
" }, "AssociateIdentityProviderConfig":{ "name":"AssociateIdentityProviderConfig", @@ -47,7 +63,25 @@ {"shape":"ResourceNotFoundException"}, {"shape":"InvalidRequestException"} ], - "documentation":"Associate an identity provider configuration to a cluster.
If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it to your cluster. After configuring authentication to your cluster you can create Kubernetes roles and clusterroles to assign permissions to the roles, and then bind the roles to the identities using Kubernetes rolebindings and clusterrolebindings. For more information see Using RBAC Authorization in the Kubernetes documentation.
Associates an identity provider configuration to a cluster.
If you want to authenticate identities using an identity provider, you can create an identity provider configuration and associate it to your cluster. After configuring authentication to your cluster you can create Kubernetes Role and ClusterRole objects, assign permissions to them, and then bind them to the identities using Kubernetes RoleBinding and ClusterRoleBinding objects. For more information see Using RBAC Authorization in the Kubernetes documentation.
Creates an access entry.
An access entry allows an IAM principal to access your cluster. Access entries can replace the need to maintain entries in the aws-auth ConfigMap for authentication. You have the following options for authorizing an IAM principal to access Kubernetes objects on your cluster: Kubernetes role-based access control (RBAC), Amazon EKS, or both. Kubernetes RBAC authorization requires you to create and manage Kubernetes Role, ClusterRole, RoleBinding, and ClusterRoleBinding objects, in addition to managing access entries. If you use Amazon EKS authorization exclusively, you don't need to create and manage Kubernetes Role, ClusterRole, RoleBinding, and ClusterRoleBinding objects.
For more information about access entries, see Access entries in the Amazon EKS User Guide.
" }, "CreateAddon":{ "name":"CreateAddon", @@ -84,7 +118,7 @@ {"shape":"ServiceUnavailableException"}, {"shape":"UnsupportedAvailabilityZoneException"} ], - "documentation":"Creates an Amazon EKS control plane.
The Amazon EKS control plane consists of control plane instances that run the Kubernetes software, such as etcd and the API server. The control plane runs in an account managed by Amazon Web Services, and the Kubernetes API is exposed by the Amazon EKS API server endpoint. Each Amazon EKS cluster control plane is single tenant and unique. It runs on its own set of Amazon EC2 instances.
The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the nodes (for example, to support kubectl exec, logs, and proxy data flows).
Amazon EKS nodes run in your Amazon Web Services account and connect to your cluster's control plane over the Kubernetes API server endpoint and a certificate file that is created for your cluster.
You can use the endpointPublicAccess and endpointPrivateAccess parameters to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
You can use the logging parameter to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster Control Plane Logs in the Amazon EKS User Guide .
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.
In most cases, it takes several minutes to create a cluster. After you create an Amazon EKS cluster, you must configure your Kubernetes tooling to communicate with the API server and launch nodes into your cluster. For more information, see Managing Cluster Authentication and Launching Amazon EKS nodes in the Amazon EKS User Guide.
" + "documentation":"Creates an Amazon EKS control plane.
The Amazon EKS control plane consists of control plane instances that run the Kubernetes software, such as etcd and the API server. The control plane runs in an account managed by Amazon Web Services, and the Kubernetes API is exposed by the Amazon EKS API server endpoint. Each Amazon EKS cluster control plane is single tenant and unique. It runs on its own set of Amazon EC2 instances.
The cluster control plane is provisioned across multiple Availability Zones and fronted by an Elastic Load Balancing Network Load Balancer. Amazon EKS also provisions elastic network interfaces in your VPC subnets to provide connectivity from the control plane instances to the nodes (for example, to support kubectl exec, logs, and proxy data flows).
Amazon EKS nodes run in your Amazon Web Services account and connect to your cluster's control plane over the Kubernetes API server endpoint and a certificate file that is created for your cluster.
You can use the endpointPublicAccess and endpointPrivateAccess parameters to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS Cluster Endpoint Access Control in the Amazon EKS User Guide .
You can use the logging parameter to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster Control Plane Logs in the Amazon EKS User Guide .
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.
In most cases, it takes several minutes to create a cluster. After you create an Amazon EKS cluster, you must configure your Kubernetes tooling to communicate with the API server and launch nodes into your cluster. For more information, see Managing Cluster Authentication and Launching Amazon EKS nodes in the Amazon EKS User Guide.
" }, "CreateEksAnywhereSubscription":{ "name":"CreateEksAnywhereSubscription", @@ -119,7 +153,7 @@ {"shape":"ResourceLimitExceededException"}, {"shape":"UnsupportedAvailabilityZoneException"} ], - "documentation":"Creates an Fargate profile for your Amazon EKS cluster. You must have at least one Fargate profile in a cluster to be able to run pods on Fargate.
The Fargate profile allows an administrator to declare which pods run on Fargate and specify which pods run on which Fargate profile. This declaration is done through the profile’s selectors. Each profile can have up to five selectors that contain a namespace and labels. A namespace is required for every selector. The label field consists of multiple optional key-value pairs. Pods that match the selectors are scheduled on Fargate. If a to-be-scheduled pod matches any of the selectors in the Fargate profile, then that pod is run on Fargate.
When you create a Fargate profile, you must specify a pod execution role to use with the pods that are scheduled with the profile. This role is added to the cluster's Kubernetes Role Based Access Control (RBAC) for authorization so that the kubelet that is running on the Fargate infrastructure can register with your Amazon EKS cluster so that it can appear in your cluster as a node. The pod execution role also provides IAM permissions to the Fargate infrastructure to allow read access to Amazon ECR image repositories. For more information, see Pod Execution Role in the Amazon EKS User Guide.
Fargate profiles are immutable. However, you can create a new updated profile to replace an existing profile and then delete the original after the updated profile has finished creating.
If any Fargate profiles in a cluster are in the DELETING status, you must wait for that Fargate profile to finish deleting before you can create any other profiles in that cluster.
For more information, see Fargate Profile in the Amazon EKS User Guide.
" + "documentation":"Creates an Fargate profile for your Amazon EKS cluster. You must have at least one Fargate profile in a cluster to be able to run pods on Fargate.
The Fargate profile allows an administrator to declare which pods run on Fargate and specify which pods run on which Fargate profile. This declaration is done through the profile’s selectors. Each profile can have up to five selectors that contain a namespace and labels. A namespace is required for every selector. The label field consists of multiple optional key-value pairs. Pods that match the selectors are scheduled on Fargate. If a to-be-scheduled pod matches any of the selectors in the Fargate profile, then that pod is run on Fargate.
When you create a Fargate profile, you must specify a pod execution role to use with the pods that are scheduled with the profile. This role is added to the cluster's Kubernetes Role Based Access Control (RBAC) for authorization so that the kubelet that is running on the Fargate infrastructure can register with your Amazon EKS cluster so that it can appear in your cluster as a node. The pod execution role also provides IAM permissions to the Fargate infrastructure to allow read access to Amazon ECR image repositories. For more information, see Pod Execution Role in the Amazon EKS User Guide.
Fargate profiles are immutable. However, you can create a new updated profile to replace an existing profile and then delete the original after the updated profile has finished creating.
If any Fargate profiles in a cluster are in the DELETING status, you must wait for that Fargate profile to finish deleting before you can create any other profiles in that cluster.
For more information, see Fargate profile in the Amazon EKS User Guide.
" }, "CreateNodegroup":{ "name":"CreateNodegroup", @@ -138,7 +172,7 @@ {"shape":"ServerException"}, {"shape":"ServiceUnavailableException"} ], - "documentation":"Creates a managed node group for an Amazon EKS cluster. You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster.
An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by Amazon Web Services for an Amazon EKS cluster. For more information, see Managed node groups in the Amazon EKS User Guide.
Windows AMI types are only supported for commercial Regions that support Windows Amazon EKS.
Creates a managed node group for an Amazon EKS cluster.
You can only create a node group for your cluster that is equal to the current Kubernetes version for the cluster. All node groups are created with the latest AMI release version for the respective minor Kubernetes version of the cluster, unless you deploy a custom AMI using a launch template. For more information about using launch templates, see Launch template support.
An Amazon EKS managed node group is an Amazon EC2 Auto Scaling group and associated Amazon EC2 instances that are managed by Amazon Web Services for an Amazon EKS cluster. For more information, see Managed node groups in the Amazon EKS User Guide.
Windows AMI types are only supported for commercial Amazon Web Services Regions that support Windows on Amazon EKS.
Creates an EKS Pod Identity association between a service account in an Amazon EKS cluster and an IAM role with EKS Pod Identity. Use EKS Pod Identity to give temporary IAM credentials to pods and the credentials are rotated automatically.
Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that 7EC2l instance profiles provide credentials to Amazon EC2 instances.
If a pod uses a service account that has an association, Amazon EKS sets environment variables in the containers of the pod. The environment variables configure the Amazon Web Services SDKs, including the Command Line Interface, to use the EKS Pod Identity credentials.
Pod Identity is a simpler method than IAM roles for service accounts, as this method doesn't use OIDC identity providers. Additionally, you can configure a role for Pod Identity once, and reuse it across clusters.
" + "documentation":"Creates an EKS Pod Identity association between a service account in an Amazon EKS cluster and an IAM role with EKS Pod Identity. Use EKS Pod Identity to give temporary IAM credentials to pods and the credentials are rotated automatically.
Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
If a pod uses a service account that has an association, Amazon EKS sets environment variables in the containers of the pod. The environment variables configure the Amazon Web Services SDKs, including the Command Line Interface, to use the EKS Pod Identity credentials.
Pod Identity is a simpler method than IAM roles for service accounts, as this method doesn't use OIDC identity providers. Additionally, you can configure a role for Pod Identity once, and reuse it across clusters.
" + }, + "DeleteAccessEntry":{ + "name":"DeleteAccessEntry", + "http":{ + "method":"DELETE", + "requestUri":"/clusters/{name}/access-entries/{principalArn}" + }, + "input":{"shape":"DeleteAccessEntryRequest"}, + "output":{"shape":"DeleteAccessEntryResponse"}, + "errors":[ + {"shape":"ServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidRequestException"} + ], + "documentation":"Deletes an access entry.
Deleting an access entry of a type other than Standard can cause your cluster to function improperly. If you delete an access entry in error, you can recreate it.
Delete an Amazon EKS add-on.
When you remove the add-on, it will also be deleted from the cluster. You can always manually start an add-on on the cluster using the Kubernetes API.
" + "documentation":"Deletes an Amazon EKS add-on.
When you remove an add-on, it's deleted from the cluster. You can always manually start an add-on on the cluster using the Kubernetes API.
" }, "DeleteCluster":{ "name":"DeleteCluster", @@ -190,7 +239,7 @@ {"shape":"ServerException"}, {"shape":"ServiceUnavailableException"} ], - "documentation":"Deletes the Amazon EKS cluster control plane.
If you have active services in your cluster that are associated with a load balancer, you must delete those services before deleting the cluster so that the load balancers are deleted properly. Otherwise, you can have orphaned resources in your VPC that prevent you from being able to delete the VPC. For more information, see Deleting a Cluster in the Amazon EKS User Guide.
If you have managed node groups or Fargate profiles attached to the cluster, you must delete them first. For more information, see DeleteNodegroup and DeleteFargateProfile.
" + "documentation":"Deletes an Amazon EKS cluster control plane.
If you have active services in your cluster that are associated with a load balancer, you must delete those services before deleting the cluster so that the load balancers are deleted properly. Otherwise, you can have orphaned resources in your VPC that prevent you from being able to delete the VPC. For more information, see Deleting a cluster in the Amazon EKS User Guide.
If you have managed node groups or Fargate profiles attached to the cluster, you must delete them first. For more information, see DeleteNodgroup and DeleteFargateProfile.
Deletes an Fargate profile.
When you delete a Fargate profile, any pods running on Fargate that were created with the profile are deleted. If those pods match another Fargate profile, then they are scheduled on Fargate with that profile. If they no longer match any Fargate profiles, then they are not scheduled on Fargate and they may remain in a pending state.
Only one Fargate profile in a cluster can be in the DELETING status at a time. You must wait for a Fargate profile to finish deleting before you can delete any other profiles in that cluster.
Deletes an Fargate profile.
When you delete a Fargate profile, any Pod running on Fargate that was created with the profile is deleted. If the Pod matches another Fargate profile, then it is scheduled on Fargate with that profile. If it no longer matches any Fargate profiles, then it's not scheduled on Fargate and may remain in a pending state.
Only one Fargate profile in a cluster can be in the DELETING status at a time. You must wait for a Fargate profile to finish deleting before you can delete any other profiles in that cluster.
Deletes an Amazon EKS node group for a cluster.
" + "documentation":"Deletes a managed node group.
" }, "DeletePodIdentityAssociation":{ "name":"DeletePodIdentityAssociation", @@ -274,7 +323,22 @@ {"shape":"ServiceUnavailableException"}, {"shape":"AccessDeniedException"} ], - "documentation":"Deregisters a connected cluster to remove it from the Amazon EKS control plane.
" + "documentation":"Deregisters a connected cluster to remove it from the Amazon EKS control plane.
A connected cluster is a Kubernetes cluster that you've connected to your control plane using the Amazon EKS Connector.
" + }, + "DescribeAccessEntry":{ + "name":"DescribeAccessEntry", + "http":{ + "method":"GET", + "requestUri":"/clusters/{name}/access-entries/{principalArn}" + }, + "input":{"shape":"DescribeAccessEntryRequest"}, + "output":{"shape":"DescribeAccessEntryResponse"}, + "errors":[ + {"shape":"ServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidRequestException"} + ], + "documentation":"Describes an access entry.
" }, "DescribeAddon":{ "name":"DescribeAddon", @@ -321,7 +385,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"InvalidParameterException"} ], - "documentation":"Describes the versions for an add-on. Information such as the Kubernetes versions that you can use the add-on with, the owner, publisher, and the type of the add-on are returned.
Describes the versions for an add-on.
Information such as the Kubernetes versions that you can use the add-on with, the owner, publisher, and the type of the add-on are returned.
Returns descriptive information about an Amazon EKS cluster.
The API server endpoint and certificate authority data returned by this operation are required for kubelet and kubectl to communicate with your Kubernetes API server. For more information, see Create a kubeconfig for Amazon EKS.
The API server endpoint and certificate authority data aren't available until the cluster reaches the ACTIVE state.
Describes an Amazon EKS cluster.
The API server endpoint and certificate authority data returned by this operation are required for kubelet and kubectl to communicate with your Kubernetes API server. For more information, see Creating or updating a kubeconfig file for an Amazon EKS cluster.
The API server endpoint and certificate authority data aren't available until the cluster reaches the ACTIVE state.
Returns descriptive information about an Fargate profile.
" + "documentation":"Describes an Fargate profile.
" }, "DescribeIdentityProviderConfig":{ "name":"DescribeIdentityProviderConfig", @@ -386,7 +450,7 @@ {"shape":"ServerException"}, {"shape":"ServiceUnavailableException"} ], - "documentation":"Returns descriptive information about an identity provider configuration.
" + "documentation":"Describes an identity provider configuration.
" }, "DescribeNodegroup":{ "name":"DescribeNodegroup", @@ -403,7 +467,7 @@ {"shape":"ServerException"}, {"shape":"ServiceUnavailableException"} ], - "documentation":"Returns descriptive information about an Amazon EKS node group.
" + "documentation":"Describes a managed node group.
" }, "DescribePodIdentityAssociation":{ "name":"DescribePodIdentityAssociation", @@ -435,7 +499,22 @@ {"shape":"ServerException"}, {"shape":"ResourceNotFoundException"} ], - "documentation":"Returns descriptive information about an update against your Amazon EKS cluster or associated managed node group or Amazon EKS add-on.
When the status of the update is Succeeded, the update is complete. If an update fails, the status is Failed, and an error detail explains the reason for the failure.
Describes an update to an Amazon EKS resource.
When the status of the update is Succeeded, the update is complete. If an update fails, the status is Failed, and an error detail explains the reason for the failure.
Disassociates an access policy from an access entry.
" }, "DisassociateIdentityProviderConfig":{ "name":"DisassociateIdentityProviderConfig", @@ -453,7 +532,36 @@ {"shape":"ResourceNotFoundException"}, {"shape":"InvalidRequestException"} ], - "documentation":"Disassociates an identity provider configuration from a cluster. If you disassociate an identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with IAM principals.
" + "documentation":"Disassociates an identity provider configuration from a cluster.
If you disassociate an identity provider from your cluster, users included in the provider can no longer access the cluster. However, you can still access the cluster with IAM principals.
" + }, + "ListAccessEntries":{ + "name":"ListAccessEntries", + "http":{ + "method":"GET", + "requestUri":"/clusters/{name}/access-entries" + }, + "input":{"shape":"ListAccessEntriesRequest"}, + "output":{"shape":"ListAccessEntriesResponse"}, + "errors":[ + {"shape":"ServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidRequestException"}, + {"shape":"InvalidParameterException"} + ], + "documentation":"Lists the access entries for your cluster.
" + }, + "ListAccessPolicies":{ + "name":"ListAccessPolicies", + "http":{ + "method":"GET", + "requestUri":"/access-policies" + }, + "input":{"shape":"ListAccessPoliciesRequest"}, + "output":{"shape":"ListAccessPoliciesResponse"}, + "errors":[ + {"shape":"ServerException"} + ], + "documentation":"Lists the available access policies.
" }, "ListAddons":{ "name":"ListAddons", @@ -472,6 +580,21 @@ ], "documentation":"Lists the installed add-ons.
" }, + "ListAssociatedAccessPolicies":{ + "name":"ListAssociatedAccessPolicies", + "http":{ + "method":"GET", + "requestUri":"/clusters/{name}/access-entries/{principalArn}/access-policies" + }, + "input":{"shape":"ListAssociatedAccessPoliciesRequest"}, + "output":{"shape":"ListAssociatedAccessPoliciesResponse"}, + "errors":[ + {"shape":"ServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidRequestException"} + ], + "documentation":"Lists the access policies associated with an access entry.
" + }, "ListClusters":{ "name":"ListClusters", "http":{ @@ -486,7 +609,7 @@ {"shape":"ServerException"}, {"shape":"ServiceUnavailableException"} ], - "documentation":"Lists the Amazon EKS clusters in your Amazon Web Services account in the specified Region.
" + "documentation":"Lists the Amazon EKS clusters in your Amazon Web Services account in the specified Amazon Web Services Region.
" }, "ListEksAnywhereSubscriptions":{ "name":"ListEksAnywhereSubscriptions", @@ -518,7 +641,7 @@ {"shape":"ClientException"}, {"shape":"ServerException"} ], - "documentation":"Lists the Fargate profiles associated with the specified cluster in your Amazon Web Services account in the specified Region.
" + "documentation":"Lists the Fargate profiles associated with the specified cluster in your Amazon Web Services account in the specified Amazon Web Services Region.
" }, "ListIdentityProviderConfigs":{ "name":"ListIdentityProviderConfigs", @@ -535,7 +658,7 @@ {"shape":"ServiceUnavailableException"}, {"shape":"ResourceNotFoundException"} ], - "documentation":"A list of identity provider configurations.
" + "documentation":"Lists the identity provider configurations for your cluster.
" }, "ListNodegroups":{ "name":"ListNodegroups", @@ -552,7 +675,7 @@ {"shape":"ServiceUnavailableException"}, {"shape":"ResourceNotFoundException"} ], - "documentation":"Lists the Amazon EKS managed node groups associated with the specified cluster in your Amazon Web Services account in the specified Region. Self-managed node groups are not listed.
" + "documentation":"Lists the managed node groups associated with the specified cluster in your Amazon Web Services account in the specified Amazon Web Services Region. Self-managed node groups aren't listed.
" }, "ListPodIdentityAssociations":{ "name":"ListPodIdentityAssociations", @@ -598,7 +721,7 @@ {"shape":"ServerException"}, {"shape":"ResourceNotFoundException"} ], - "documentation":"Lists the updates associated with an Amazon EKS cluster or managed node group in your Amazon Web Services account, in the specified Region.
" + "documentation":"Lists the updates associated with an Amazon EKS resource in your Amazon Web Services account, in the specified Amazon Web Services Region.
" }, "RegisterCluster":{ "name":"RegisterCluster", @@ -618,7 +741,7 @@ {"shape":"ResourceInUseException"}, {"shape":"ResourcePropagationDelayException"} ], - "documentation":"Connects a Kubernetes cluster to the Amazon EKS control plane.
Any Kubernetes cluster can be connected to the Amazon EKS control plane to view current information about the cluster and its nodes.
Cluster connection requires two steps. First, send a RegisterClusterRequest to add it to the Amazon EKS control plane.
Second, a Manifest containing the activationID and activationCode must be applied to the Kubernetes cluster through it's native provider to provide visibility.
After the Manifest is updated and applied, then the connected cluster is visible to the Amazon EKS control plane. If the Manifest is not applied within three days, then the connected cluster will no longer be visible and must be deregistered. See DeregisterCluster.
" + "documentation":"Connects a Kubernetes cluster to the Amazon EKS control plane.
Any Kubernetes cluster can be connected to the Amazon EKS control plane to view current information about the cluster and its nodes.
Cluster connection requires two steps. First, send a RegisterClusterRequest to add it to the Amazon EKS control plane.
Second, a Manifest containing the activationID and activationCode must be applied to the Kubernetes cluster through it's native provider to provide visibility.
After the manifest is updated and applied, the connected cluster is visible to the Amazon EKS control plane. If the manifest isn't applied within three days, the connected cluster will no longer be visible and must be deregistered using DeregisterCluster.
Associates the specified tags to a resource with the specified resourceArn. If existing tags on a resource are not specified in the request parameters, they are not changed. When a resource is deleted, the tags associated with that resource are deleted as well. Tags that you create for Amazon EKS resources do not propagate to any other resources associated with the cluster. For example, if you tag a cluster with this operation, that tag does not automatically propagate to the subnets and nodes associated with the cluster.
Associates the specified tags to an Amazon EKS resource with the specified resourceArn. If existing tags on a resource are not specified in the request parameters, they aren't changed. When a resource is deleted, the tags associated with that resource are also deleted. Tags that you create for Amazon EKS resources don't propagate to any other resources associated with the cluster. For example, if you tag a cluster with this operation, that tag doesn't automatically propagate to the subnets and nodes associated with the cluster.
Deletes specified tags from a resource.
" + "documentation":"Deletes specified tags from an Amazon EKS resource.
" + }, + "UpdateAccessEntry":{ + "name":"UpdateAccessEntry", + "http":{ + "method":"POST", + "requestUri":"/clusters/{name}/access-entries/{principalArn}" + }, + "input":{"shape":"UpdateAccessEntryRequest"}, + "output":{"shape":"UpdateAccessEntryResponse"}, + "errors":[ + {"shape":"ServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidRequestException"}, + {"shape":"InvalidParameterException"} + ], + "documentation":"Updates an access entry.
" }, "UpdateAddon":{ "name":"UpdateAddon", @@ -682,7 +821,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"InvalidRequestException"} ], - "documentation":"Updates an Amazon EKS cluster configuration. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with the DescribeUpdate API operation.
You can use this API operation to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster Control Plane Logs in the Amazon EKS User Guide .
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.
You can also use this API operation to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .
You can also use this API operation to choose different subnets and security groups for the cluster. You must specify at least two subnets that are in different Availability Zones. You can't change which VPC the subnets are from, the subnets must be in the same VPC as the subnets that the cluster was created with. For more information about the VPC requirements, see https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html in the Amazon EKS User Guide .
Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful), the cluster status moves to Active.
Updates an Amazon EKS cluster configuration. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with DescribeUpdate\"/>.
You can use this API operation to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster control plane logs in the Amazon EKS User Guide .
CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.
You can also use this API operation to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .
You can also use this API operation to choose different subnets and security groups for the cluster. You must specify at least two subnets that are in different Availability Zones. You can't change which VPC the subnets are from, the subnets must be in the same VPC as the subnets that the cluster was created with. For more information about the VPC requirements, see https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html in the Amazon EKS User Guide .
Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful), the cluster status moves to Active.
Updates the Kubernetes version or AMI version of an Amazon EKS managed node group.
You can update a node group using a launch template only if the node group was originally deployed with a launch template. If you need to update a custom AMI in a node group that was deployed with a launch template, then update your custom AMI, specify the new ID in a new version of the launch template, and then update the node group to the new version of the launch template.
If you update without a launch template, then you can update to the latest available AMI version of a node group's current Kubernetes version by not specifying a Kubernetes version in the request. You can update to the latest AMI version of your cluster's current Kubernetes version by specifying your cluster's Kubernetes version in the request. For information about Linux versions, see Amazon EKS optimized Amazon Linux AMI versions in the Amazon EKS User Guide. For information about Windows versions, see Amazon EKS optimized Windows AMI versions in the Amazon EKS User Guide.
You cannot roll back a node group to an earlier Kubernetes version or AMI version.
When a node in a managed node group is terminated due to a scaling action or update, the pods in that node are drained first. Amazon EKS attempts to drain the nodes gracefully and will fail if it is unable to do so. You can force the update if Amazon EKS is unable to drain the nodes as a result of a pod disruption budget issue.
Updates the Kubernetes version or AMI version of an Amazon EKS managed node group.
You can update a node group using a launch template only if the node group was originally deployed with a launch template. If you need to update a custom AMI in a node group that was deployed with a launch template, then update your custom AMI, specify the new ID in a new version of the launch template, and then update the node group to the new version of the launch template.
If you update without a launch template, then you can update to the latest available AMI version of a node group's current Kubernetes version by not specifying a Kubernetes version in the request. You can update to the latest AMI version of your cluster's current Kubernetes version by specifying your cluster's Kubernetes version in the request. For information about Linux versions, see Amazon EKS optimized Amazon Linux AMI versions in the Amazon EKS User Guide. For information about Windows versions, see Amazon EKS optimized Windows AMI versions in the Amazon EKS User Guide.
You cannot roll back a node group to an earlier Kubernetes version or AMI version.
When a node in a managed node group is terminated due to a scaling action or update, every Pod on that node is drained first. Amazon EKS attempts to drain the nodes gracefully and will fail if it is unable to do so. You can force the update if Amazon EKS is unable to drain the nodes as a result of a Pod disruption budget issue.
Updates a EKS Pod Identity association. Only the IAM role can be changed; an association can't be moved between clusters, namespaces, or service accounts. If you need to edit the namespace or service account, you need to remove the association and then create a new association with your desired settings.
" + "documentation":"Updates a EKS Pod Identity association. Only the IAM role can be changed; an association can't be moved between clusters, namespaces, or service accounts. If you need to edit the namespace or service account, you need to delete the association and then create a new association with your desired settings.
" } }, "shapes":{ @@ -790,6 +929,20 @@ "WINDOWS_FULL_2022_x86_64" ] }, + "AccessConfigResponse":{ + "type":"structure", + "members":{ + "bootstrapClusterCreatorAdminPermissions":{ + "shape":"BoxedBoolean", + "documentation":"Specifies whether or not the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time.
" + }, + "authenticationMode":{ + "shape":"AuthenticationMode", + "documentation":"The current authentication mode of the cluster.
" + } + }, + "documentation":"The access configuration for the cluster.
" + }, "AccessDeniedException":{ "type":"structure", "members":{ @@ -802,6 +955,87 @@ "error":{"httpStatusCode":403}, "exception":true }, + "AccessEntry":{ + "type":"structure", + "members":{ + "clusterName":{ + "shape":"String", + "documentation":"The name of your cluster.
" + }, + "principalArn":{ + "shape":"String", + "documentation":"The ARN of the IAM principal for the access entry. If you ever delete the IAM principal with this ARN, the access entry isn't automatically deleted. We recommend that you delete the access entry with an ARN for an IAM principal that you delete. If you don't delete the access entry and ever recreate the IAM principal, even if it has the same ARN, the access entry won't work. This is because even though the ARN is the same for the recreated IAM principal, the roleID or userID (you can see this with the Security Token Service GetCallerIdentity API) is different for the recreated IAM principal than it was for the original IAM principal. Even though you don't see the IAM principal's roleID or userID for an access entry, Amazon EKS stores it with the access entry.
A name that you've specified in a Kubernetes RoleBinding or ClusterRoleBinding object so that Kubernetes authorizes the principalARN access to cluster objects.
The ARN of the access entry.
" + }, + "createdAt":{ + "shape":"Timestamp", + "documentation":"The Unix epoch timestamp at object creation.
" + }, + "modifiedAt":{ + "shape":"Timestamp", + "documentation":"The Unix epoch timestamp for the last modification to the object.
" + }, + "tags":{ + "shape":"TagMap", + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" + }, + "username":{ + "shape":"String", + "documentation":"The name of a user that can authenticate to your cluster.
The type of the access entry.
" + } + }, + "documentation":"An access entry allows an IAM principal (user or role) to access your cluster. Access entries can replace the need to maintain the aws-auth ConfigMap for authentication. For more information about access entries, see Access entries in the Amazon EKS User Guide.
The name of the access policy.
" + }, + "arn":{ + "shape":"String", + "documentation":"The ARN of the access policy.
" + } + }, + "documentation":"An access policy includes permissions that allow Amazon EKS to authorize an IAM principal to work with Kubernetes objects on your cluster. The policies are managed by Amazon EKS, but they're not IAM policies. You can't view the permissions in the policies using the API. The permissions for many of the policies are similar to the Kubernetes cluster-admin, admin, edit, and view cluster roles. For more information about these cluster roles, see User-facing roles in the Kubernetes documentation. To view the contents of the policies, see Access policy permissions in the Amazon EKS User Guide.
The scope type of an access policy.
" + }, + "namespaces":{ + "shape":"StringList", + "documentation":"A Kubernetes namespace that an access policy is scoped to. A value is required if you specified namespace for Type.
The scope of an AccessPolicy that's associated to an AccessEntry.
The name of the cluster.
" + "documentation":"The name of your cluster.
" }, "status":{ "shape":"AddonStatus", @@ -831,19 +1065,19 @@ }, "createdAt":{ "shape":"Timestamp", - "documentation":"The date and time that the add-on was created.
" + "documentation":"The Unix epoch timestamp at object creation.
" }, "modifiedAt":{ "shape":"Timestamp", - "documentation":"The date and time that the add-on was last modified.
" + "documentation":"The Unix epoch timestamp for the last modification to the object.
" }, "serviceAccountRoleArn":{ "shape":"String", - "documentation":"The Amazon Resource Name (ARN) of the IAM role that's bound to the Kubernetes service account that the add-on uses.
" + "documentation":"The Amazon Resource Name (ARN) of the IAM role that's bound to the Kubernetes ServiceAccount object that the add-on uses.
The metadata that you apply to the add-on to assist with categorization and organization. Each tag consists of a key and an optional value. You define both. Add-on tags do not propagate to any other resources associated with the cluster.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" }, "publisher":{ "shape":"String", @@ -982,6 +1216,54 @@ "type":"list", "member":{"shape":"AddonInfo"} }, + "AssociateAccessPolicyRequest":{ + "type":"structure", + "required":[ + "clusterName", + "principalArn", + "policyArn", + "accessScope" + ], + "members":{ + "clusterName":{ + "shape":"String", + "documentation":"The name of your cluster.
", + "location":"uri", + "locationName":"name" + }, + "principalArn":{ + "shape":"String", + "documentation":"The Amazon Resource Name (ARN) of the IAM user or role for the AccessEntry that you're associating the access policy to.
The ARN of the AccessPolicy that you're associating. For a list of ARNs, use ListAccessPolicies.
The scope for the AccessPolicy. You can scope access policies to an entire cluster or to specific Kubernetes namespaces.
The name of your cluster.
" + }, + "principalArn":{ + "shape":"String", + "documentation":"The ARN of the IAM principal for the AccessEntry.
The AccessPolicy and scope associated to the AccessEntry.
The name of the cluster that you are associating with encryption configuration.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -1001,7 +1283,7 @@ }, "clientRequestToken":{ "shape":"String", - "documentation":"The client request token you are using with the encryption configuration.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true } } @@ -1021,7 +1303,7 @@ "members":{ "clusterName":{ "shape":"String", - "documentation":"The name of the cluster to associate the configuration to.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -1031,11 +1313,11 @@ }, "tags":{ "shape":"TagMap", - "documentation":"The metadata to apply to the configuration to assist with categorization and organization. Each tag consists of a key and an optional value. You define both.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" }, "clientRequestToken":{ "shape":"String", - "documentation":"Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true } } @@ -1050,6 +1332,40 @@ } } }, + "AssociatedAccessPoliciesList":{ + "type":"list", + "member":{"shape":"AssociatedAccessPolicy"} + }, + "AssociatedAccessPolicy":{ + "type":"structure", + "members":{ + "policyArn":{ + "shape":"String", + "documentation":"The ARN of the AccessPolicy.
The scope of the access policy.
" + }, + "associatedAt":{ + "shape":"Timestamp", + "documentation":"The date and time the AccessPolicy was associated with an AccessEntry.
The Unix epoch timestamp for the last modification to the object.
" + } + }, + "documentation":"An access policy association.
" + }, + "AuthenticationMode":{ + "type":"string", + "enum":[ + "API", + "API_AND_CONFIG_MAP", + "CONFIG_MAP" + ] + }, "AutoScalingGroup":{ "type":"structure", "members":{ @@ -1140,7 +1456,7 @@ "members":{ "name":{ "shape":"String", - "documentation":"The name of the cluster.
" + "documentation":"The name of your cluster.
" }, "arn":{ "shape":"String", @@ -1148,7 +1464,7 @@ }, "createdAt":{ "shape":"Timestamp", - "documentation":"The Unix epoch timestamp in seconds for when the cluster was created.
" + "documentation":"The Unix epoch timestamp at object creation.
" }, "version":{ "shape":"String", @@ -1164,7 +1480,7 @@ }, "resourcesVpcConfig":{ "shape":"VpcConfigResponse", - "documentation":"The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide.
" + "documentation":"The VPC configuration used by the cluster control plane. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC considerations and Cluster security group considerations in the Amazon EKS User Guide.
" }, "kubernetesNetworkConfig":{ "shape":"KubernetesNetworkConfigResponse", @@ -1188,15 +1504,15 @@ }, "clientRequestToken":{ "shape":"String", - "documentation":"Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
" + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
" }, "platformVersion":{ "shape":"String", - "documentation":"The platform version of your Amazon EKS cluster. For more information, see Platform Versions in the Amazon EKS User Guide .
" + "documentation":"The platform version of your Amazon EKS cluster. For more information about clusters deployed on the Amazon Web Services Cloud, see Platform versions in the Amazon EKS User Guide . For more information about local clusters deployed on an Outpost, see Amazon EKS local cluster platform versions in the Amazon EKS User Guide .
" }, "tags":{ "shape":"TagMap", - "documentation":"The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value. You define both. Cluster tags do not propagate to any other resources associated with the cluster.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" }, "encryptionConfig":{ "shape":"EncryptionConfigList", @@ -1217,6 +1533,10 @@ "outpostConfig":{ "shape":"OutpostConfigResponse", "documentation":"An object representing the configuration of your local Amazon EKS cluster on an Amazon Web Services Outpost. This object isn't available for clusters on the Amazon Web Services cloud.
" + }, + "accessConfig":{ + "shape":"AccessConfigResponse", + "documentation":"The access configuration for the cluster.
" } }, "documentation":"An object representing an Amazon EKS cluster.
" @@ -1394,6 +1714,66 @@ }, "documentation":"The placement configuration for all the control plane instances of your local Amazon EKS cluster on an Amazon Web Services Outpost. For more information, see Capacity considerations in the Amazon EKS User Guide.
" }, + "CreateAccessConfigRequest":{ + "type":"structure", + "members":{ + "bootstrapClusterCreatorAdminPermissions":{ + "shape":"BoxedBoolean", + "documentation":"Specifies whether or not the cluster creator IAM principal was set as a cluster admin access entry during cluster creation time. The default value is true.
The desired authentication mode for the cluster. If you create a cluster by using the EKS API, Amazon Web Services SDKs, or CloudFormation, the default is CONFIG_MAP. If you create the cluster by using the Amazon Web Services Management Console, the default value is API_AND_CONFIG_MAP.
The access configuration information for the cluster.
" + }, + "CreateAccessEntryRequest":{ + "type":"structure", + "required":[ + "clusterName", + "principalArn" + ], + "members":{ + "clusterName":{ + "shape":"String", + "documentation":"The name of your cluster.
", + "location":"uri", + "locationName":"name" + }, + "principalArn":{ + "shape":"String", + "documentation":"The ARN of the IAM principal for the AccessEntry. You can specify one ARN for each access entry. You can't specify the same ARN in more than one access entry. This value can't be changed after access entry creation.
IAM best practices recommend using IAM roles with temporary credentials, rather than IAM users with long-term credentials.
" + }, + "kubernetesGroups":{ + "shape":"StringList", + "documentation":"The value for name that you've specified for kind: Group as a subject in a Kubernetes RoleBinding or ClusterRoleBinding object. Amazon EKS doesn't confirm that the value for name exists in any bindings on your cluster. You can specify one or more names.
Kubernetes authorizes the principalArn of the access entry to access any cluster objects that you've specified in a Kubernetes Role or ClusterRole object that is also specified in a binding's roleRef. For more information about creating Kubernetes RoleBinding, ClusterRoleBinding, Role, or ClusterRole objects, see Using RBAC Authorization in the Kubernetes documentation.
If you want Amazon EKS to authorize the principalArn (instead of, or in addition to Kubernetes authorizing the principalArn), you can associate one or more access policies to the access entry using AssociateAccessPolicy. If you associate any access policies, the principalARN has all permissions assigned in the associated access policies and all permissions in any Kubernetes Role or ClusterRole objects that the group names are bound to.
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" + }, + "clientRequestToken":{ + "shape":"String", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "idempotencyToken":true + }, + "username":{ + "shape":"String", + "documentation":"The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. For more information about the value Amazon EKS specifies for you, or constraints before specifying your own username, see Creating access entries in the Amazon EKS User Guide.
" + }, + "type":{ + "shape":"String", + "documentation":"If the principalArn is for an IAM role that's used for self-managed Amazon EC2 nodes, specify EC2_LINUX or EC2_WINDOWS. Amazon EKS grants the necessary permissions to the node for you. If the principalArn is for any other purpose, specify STANDARD. If you don't specify a value, Amazon EKS sets the value to STANDARD. It's unnecessary to create access entries for IAM roles used with Fargate profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries in the aws-auth ConfigMap for the roles. You can't change this value once you've created the access entry.
If you set the value to EC2_LINUX or EC2_WINDOWS, you can't specify values for kubernetesGroups, or associate an AccessPolicy to the access entry.
The name of the cluster to create the add-on for.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, "addonName":{ "shape":"String", - "documentation":"The name of the add-on. The name must match one of the names that DescribeAddonVersions returns.
The name of the add-on. The name must match one of the names returned by DescribeAddonVersions.
The metadata to apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value. You define both.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" }, "configurationValues":{ "shape":"String", - "documentation":"The set of configuration values for the add-on that's created. The values that you provide are validated against the schema in DescribeAddonConfiguration .
The set of configuration values for the add-on that's created. The values that you provide are validated against the schema returned by DescribeAddonConfiguration.
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true }, "tags":{ "shape":"TagMap", - "documentation":"The metadata to apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value. You define both.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" }, "encryptionConfig":{ "shape":"EncryptionConfigList", @@ -1492,6 +1872,10 @@ "outpostConfig":{ "shape":"OutpostConfigRequest", "documentation":"An object representing the configuration of your local Amazon EKS cluster on an Amazon Web Services Outpost. Before creating a local cluster on an Outpost, review Local clusters for Amazon EKS on Amazon Web Services Outposts in the Amazon EKS User Guide. This object isn't available for creating Amazon EKS clusters on the Amazon Web Services cloud.
" + }, + "accessConfig":{ + "shape":"CreateAccessConfigRequest", + "documentation":"The access configuration for the cluster.
" } } }, @@ -1533,7 +1917,7 @@ }, "clientRequestToken":{ "shape":"String", - "documentation":"Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true }, "tags":{ @@ -1565,30 +1949,30 @@ }, "clusterName":{ "shape":"String", - "documentation":"The name of the Amazon EKS cluster to apply the Fargate profile to.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, "podExecutionRoleArn":{ "shape":"String", - "documentation":"The Amazon Resource Name (ARN) of the pod execution role to use for pods that match the selectors in the Fargate profile. The pod execution role allows Fargate infrastructure to register with your cluster as a node, and it provides read access to Amazon ECR image repositories. For more information, see Pod Execution Role in the Amazon EKS User Guide.
" + "documentation":"The Amazon Resource Name (ARN) of the Pod execution role to use for a Pod that matches the selectors in the Fargate profile. The Pod execution role allows Fargate infrastructure to register with your cluster as a node, and it provides read access to Amazon ECR image repositories. For more information, see Pod execution role in the Amazon EKS User Guide.
The IDs of subnets to launch your pods into. At this time, pods running on Fargate are not assigned public IP addresses, so only private subnets (with no direct route to an Internet Gateway) are accepted for this parameter.
" + "documentation":"The IDs of subnets to launch a Pod into. A Pod running on Fargate isn't assigned a public IP address, so only private subnets (with no direct route to an Internet Gateway) are accepted for this parameter.
The selectors to match for pods to use this Fargate profile. Each selector must have an associated namespace. Optionally, you can also specify labels for a namespace. You may specify up to five selectors in a Fargate profile.
" + "documentation":"The selectors to match for a Pod to use this Fargate profile. Each selector must have an associated Kubernetes namespace. Optionally, you can also specify labels for a namespace. You may specify up to five selectors in a Fargate profile.
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true }, "tags":{ "shape":"TagMap", - "documentation":"The metadata to apply to the Fargate profile to assist with categorization and organization. Each tag consists of a key and an optional value. You define both. Fargate profile tags do not propagate to any other resources associated with the Fargate profile, such as the pods that are scheduled with it.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" } } }, @@ -1612,7 +1996,7 @@ "members":{ "clusterName":{ "shape":"String", - "documentation":"The name of the cluster to create the node group in.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -1630,7 +2014,7 @@ }, "subnets":{ "shape":"StringList", - "documentation":"The subnets to use for the Auto Scaling group that is created for your node group. If you specify launchTemplate, then don't specify SubnetId in your launch template, or the node group deployment will fail. For more information about using launch templates with Amazon EKS, see Launch template support in the Amazon EKS User Guide.
The subnets to use for the Auto Scaling group that is created for your node group. If you specify launchTemplate, then don't specify SubnetId in your launch template, or the node group deployment will fail. For more information about using launch templates with Amazon EKS, see Launch template support in the Amazon EKS User Guide.
The Amazon Resource Name (ARN) of the IAM role to associate with your node group. The Amazon EKS worker node kubelet daemon makes calls to Amazon Web Services APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies. Before you can launch nodes and register them into a cluster, you must create an IAM role for those nodes to use when they are launched. For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide . If you specify launchTemplate, then don't specify IamInstanceProfile in your launch template, or the node group deployment will fail. For more information about using launch templates with Amazon EKS, see Launch template support in the Amazon EKS User Guide.
The Amazon Resource Name (ARN) of the IAM role to associate with your node group. The Amazon EKS worker node kubelet daemon makes calls to Amazon Web Services APIs on your behalf. Nodes receive permissions for these API calls through an IAM instance profile and associated policies. Before you can launch nodes and register them into a cluster, you must create an IAM role for those nodes to use when they are launched. For more information, see Amazon EKS node IAM role in the Amazon EKS User Guide . If you specify launchTemplate, then don't specify IamInstanceProfile in your launch template, or the node group deployment will fail. For more information about using launch templates with Amazon EKS, see Launch template support in the Amazon EKS User Guide.
The Kubernetes labels to be applied to the nodes in the node group when they are created.
" + "documentation":"The Kubernetes labels to apply to the nodes in the node group when they are created.
The metadata to apply to the node group to assist with categorization and organization. Each tag consists of a key and an optional value. You define both. Node group tags do not propagate to any other resources associated with the node group, such as the Amazon EC2 instances or subnets.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" }, "clientRequestToken":{ "shape":"String", - "documentation":"Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true }, "launchTemplate":{ @@ -1725,12 +2109,12 @@ }, "clientRequestToken":{ "shape":"String", - "documentation":"Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true }, "tags":{ "shape":"TagMap", - "documentation":"The metadata that you apply to a resource to assist with categorization and organization. Each tag consists of a key and an optional value. You define both.
The following basic restrictions apply to tags:
Maximum number of tags per resource – 50
For each resource, each tag key must be unique, and each tag key can have only one value.
Maximum key length – 128 Unicode characters in UTF-8
Maximum value length – 256 Unicode characters in UTF-8
If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.
Tag keys and values are case-sensitive.
Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
The following basic restrictions apply to tags:
Maximum number of tags per resource – 50
For each resource, each tag key must be unique, and each tag key can have only one value.
Maximum key length – 128 Unicode characters in UTF-8
Maximum value length – 256 Unicode characters in UTF-8
If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.
Tag keys and values are case-sensitive.
Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
The name of your cluster.
", + "location":"uri", + "locationName":"name" + }, + "principalArn":{ + "shape":"String", + "documentation":"The ARN of the IAM principal for the AccessEntry.
The name of the cluster to delete the add-on from.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -1827,7 +2237,7 @@ "members":{ "clusterName":{ "shape":"String", - "documentation":"The name of the Amazon EKS cluster associated with the Fargate profile to delete.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -1857,7 +2267,7 @@ "members":{ "clusterName":{ "shape":"String", - "documentation":"The name of the Amazon EKS cluster that is associated with your node group.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -1926,6 +2336,36 @@ "cluster":{"shape":"Cluster"} } }, + "DescribeAccessEntryRequest":{ + "type":"structure", + "required":[ + "clusterName", + "principalArn" + ], + "members":{ + "clusterName":{ + "shape":"String", + "documentation":"The name of your cluster.
", + "location":"uri", + "locationName":"name" + }, + "principalArn":{ + "shape":"String", + "documentation":"The ARN of the IAM principal for the AccessEntry.
Information about the access entry.
" + } + } + }, "DescribeAddonConfigurationRequest":{ "type":"structure", "required":[ @@ -1935,7 +2375,7 @@ "members":{ "addonName":{ "shape":"String", - "documentation":"The name of the add-on. The name must match one of the names that DescribeAddonVersions returns.
The name of the add-on. The name must match one of the names returned by DescribeAddonVersions.
A JSON schema that's used to validate the configuration values that you provide when an addon is created or updated.
" + "documentation":"A JSON schema that's used to validate the configuration values you provide when an add-on is created or updated.
" } } }, @@ -1973,7 +2413,7 @@ "members":{ "clusterName":{ "shape":"ClusterName", - "documentation":"The name of the cluster.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -2002,13 +2442,13 @@ }, "maxResults":{ "shape":"DescribeAddonVersionsRequestMaxResults", - "documentation":"The maximum number of results to return.
", + "documentation":"The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
The nextToken value returned from a previous paginated DescribeAddonVersionsRequest where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The name of the cluster to describe.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" } @@ -2108,7 +2548,7 @@ "members":{ "clusterName":{ "shape":"String", - "documentation":"The name of the Amazon EKS cluster associated with the Fargate profile.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -2138,7 +2578,7 @@ "members":{ "clusterName":{ "shape":"String", - "documentation":"The cluster name that the identity provider configuration is associated to.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -2166,7 +2606,7 @@ "members":{ "clusterName":{ "shape":"String", - "documentation":"The name of the Amazon EKS cluster associated with the node group.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -2248,7 +2688,8 @@ "location":"querystring", "locationName":"addonName" } - } + }, + "documentation":"Describes an update request.
" }, "DescribeUpdateResponse":{ "type":"structure", @@ -2259,6 +2700,39 @@ } } }, + "DisassociateAccessPolicyRequest":{ + "type":"structure", + "required":[ + "clusterName", + "principalArn", + "policyArn" + ], + "members":{ + "clusterName":{ + "shape":"String", + "documentation":"The name of your cluster.
", + "location":"uri", + "locationName":"name" + }, + "principalArn":{ + "shape":"String", + "documentation":"The ARN of the IAM principal for the AccessEntry.
The ARN of the policy to disassociate from the access entry. For a list of associated policies ARNs, use ListAssociatedAccessPolicies.
The name of the cluster to disassociate an identity provider from.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -2395,7 +2869,7 @@ "members":{ "resources":{ "shape":"StringList", - "documentation":"Specifies the resources to be encrypted. The only supported value is \"secrets\".
" + "documentation":"Specifies the resources to be encrypted. The only supported value is secrets.
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any free IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
A brief description of the error.
SubnetNotFound: We couldn't find one of the subnets associated with the cluster.
SecurityGroupNotFound: We couldn't find one of the security groups associated with the cluster.
EniLimitReached: You have reached the elastic network interface limit for your account.
IpNotAvailable: A subnet associated with the cluster doesn't have any available IP addresses.
AccessDenied: You don't have permissions to perform the specified operation.
OperationNotPermitted: The service role associated with the cluster doesn't have the required access permissions for Amazon EKS.
VpcIdNotFound: We couldn't find the VPC associated with the cluster.
The name of the Amazon EKS cluster that the Fargate profile belongs to.
" + "documentation":"The name of your cluster.
" }, "createdAt":{ "shape":"Timestamp", - "documentation":"The Unix epoch timestamp in seconds for when the Fargate profile was created.
" + "documentation":"The Unix epoch timestamp at object creation.
" }, "podExecutionRoleArn":{ "shape":"String", - "documentation":"The Amazon Resource Name (ARN) of the pod execution role to use for pods that match the selectors in the Fargate profile. For more information, see Pod Execution Role in the Amazon EKS User Guide.
" + "documentation":"The Amazon Resource Name (ARN) of the Pod execution role to use for any Pod that matches the selectors in the Fargate profile. For more information, see Pod execution role in the Amazon EKS User Guide.
The IDs of subnets to launch pods into.
" + "documentation":"The IDs of subnets to launch a Pod into.
The selectors to match for pods to use this Fargate profile.
" + "documentation":"The selectors to match for a Pod to use this Fargate profile.
The metadata applied to the Fargate profile to assist with categorization and organization. Each tag consists of a key and an optional value. You define both. Fargate profile tags do not propagate to any other resources associated with the Fargate profile, such as the pods that are scheduled with it.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" } }, "documentation":"An object representing an Fargate profile.
" @@ -2505,7 +2979,7 @@ "members":{ "namespace":{ "shape":"String", - "documentation":"The Kubernetes namespace that the selector should match.
" + "documentation":"The Kubernetes namespace that the selector should match.
A brief description of the error.
AccessDenied: Amazon EKS or one or more of your managed nodes is failing to authenticate or authorize with your Kubernetes cluster API server.
AsgInstanceLaunchFailures: Your Auto Scaling group is experiencing failures while attempting to launch instances.
AutoScalingGroupNotFound: We couldn't find the Auto Scaling group associated with the managed node group. You may be able to recreate an Auto Scaling group with the same settings to recover.
ClusterUnreachable: Amazon EKS or one or more of your managed nodes is unable to to communicate with your Kubernetes cluster API server. This can happen if there are network disruptions or if API servers are timing out processing requests.
Ec2LaunchTemplateNotFound: We couldn't find the Amazon EC2 launch template for your managed node group. You may be able to recreate a launch template with the same settings to recover.
Ec2LaunchTemplateVersionMismatch: The Amazon EC2 launch template version for your managed node group does not match the version that Amazon EKS created. You may be able to revert to the version that Amazon EKS created to recover.
Ec2SecurityGroupDeletionFailure: We could not delete the remote access security group for your managed node group. Remove any dependencies from the security group.
Ec2SecurityGroupNotFound: We couldn't find the cluster security group for the cluster. You must recreate your cluster.
Ec2SubnetInvalidConfiguration: One or more Amazon EC2 subnets specified for a node group do not automatically assign public IP addresses to instances launched into it. If you want your instances to be assigned a public IP address, then you need to enable the auto-assign public IP address setting for the subnet. See Modifying the public IPv4 addressing attribute for your subnet in the Amazon VPC User Guide.
IamInstanceProfileNotFound: We couldn't find the IAM instance profile for your managed node group. You may be able to recreate an instance profile with the same settings to recover.
IamNodeRoleNotFound: We couldn't find the IAM role for your managed node group. You may be able to recreate an IAM role with the same settings to recover.
InstanceLimitExceeded: Your Amazon Web Services account is unable to launch any more instances of the specified instance type. You may be able to request an Amazon EC2 instance limit increase to recover.
InsufficientFreeAddresses: One or more of the subnets associated with your managed node group does not have enough available IP addresses for new nodes.
InternalFailure: These errors are usually caused by an Amazon EKS server-side issue.
NodeCreationFailure: Your launched instances are unable to register with your Amazon EKS cluster. Common causes of this failure are insufficient node IAM role permissions or lack of outbound internet access for the nodes.
A brief description of the error.
AccessDenied: Amazon EKS or one or more of your managed nodes is failing to authenticate or authorize with your Kubernetes cluster API server.
AsgInstanceLaunchFailures: Your Auto Scaling group is experiencing failures while attempting to launch instances.
AutoScalingGroupNotFound: We couldn't find the Auto Scaling group associated with the managed node group. You may be able to recreate an Auto Scaling group with the same settings to recover.
ClusterUnreachable: Amazon EKS or one or more of your managed nodes is unable to to communicate with your Kubernetes cluster API server. This can happen if there are network disruptions or if API servers are timing out processing requests.
Ec2LaunchTemplateNotFound: We couldn't find the Amazon EC2 launch template for your managed node group. You may be able to recreate a launch template with the same settings to recover.
Ec2LaunchTemplateVersionMismatch: The Amazon EC2 launch template version for your managed node group does not match the version that Amazon EKS created. You may be able to revert to the version that Amazon EKS created to recover.
Ec2SecurityGroupDeletionFailure: We could not delete the remote access security group for your managed node group. Remove any dependencies from the security group.
Ec2SecurityGroupNotFound: We couldn't find the cluster security group for the cluster. You must recreate your cluster.
Ec2SubnetInvalidConfiguration: One or more Amazon EC2 subnets specified for a node group do not automatically assign public IP addresses to instances launched into it. If you want your instances to be assigned a public IP address, then you need to enable the auto-assign public IP address setting for the subnet. See Modifying the public IPv4 addressing attribute for your subnet in the Amazon VPC User Guide.
IamInstanceProfileNotFound: We couldn't find the IAM instance profile for your managed node group. You may be able to recreate an instance profile with the same settings to recover.
IamNodeRoleNotFound: We couldn't find the IAM role for your managed node group. You may be able to recreate an IAM role with the same settings to recover.
InstanceLimitExceeded: Your Amazon Web Services account is unable to launch any more instances of the specified instance type. You may be able to request an Amazon EC2 instance limit increase to recover.
InsufficientFreeAddresses: One or more of the subnets associated with your managed node group does not have enough available IP addresses for new nodes.
InternalFailure: These errors are usually caused by an Amazon EKS server-side issue.
NodeCreationFailure: Your launched instances are unable to register with your Amazon EKS cluster. Common causes of this failure are insufficient node IAM role permissions or lack of outbound internet access for the nodes.
Don't specify a value if you select ipv6 for ipFamily. The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. The block must meet the following requirements:
Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
Between /24 and /12.
You can only specify a custom CIDR block when you create a cluster and can't change this value once the cluster is created.
Don't specify a value if you select ipv6 for ipFamily. The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. The block must meet the following requirements:
Within one of the following private IP address blocks: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
Doesn't overlap with any CIDR block assigned to the VPC that you selected for VPC.
Between /24 and /12.
You can only specify a custom CIDR block when you create a cluster. You can't change this value after the cluster is created.
The CIDR block that Kubernetes pod and service IP addresses are assigned from. Kubernetes assigns addresses from an IPv4 CIDR block assigned to a subnet that the node is in. If you didn't specify a CIDR block when you created the cluster, then Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. If this was specified, then it was specified when the cluster was created and it can't be changed.
The CIDR block that Kubernetes Pod and Service object IP addresses are assigned from. Kubernetes assigns addresses from an IPv4 CIDR block assigned to a subnet that the node is in. If you didn't specify a CIDR block when you created the cluster, then Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. If this was specified, then it was specified when the cluster was created and it can't be changed.
The IP family used to assign Kubernetes pod and service IP addresses. The IP family is always ipv4, unless you have a 1.21 or later cluster running version 1.10.1 or later of the Amazon VPC CNI add-on and specified ipv6 when you created the cluster.
The IP family used to assign Kubernetes Pod and Service objects IP addresses. The IP family is always ipv4, unless you have a 1.21 or later cluster running version 1.10.1 or later of the Amazon VPC CNI plugin for Kubernetes and specified ipv6 when you created the cluster.
The Kubernetes network configuration for the cluster. The response contains a value for serviceIpv6Cidr or serviceIpv4Cidr, but not both.
" @@ -2720,25 +3194,110 @@ }, "documentation":"An object representing a node group launch template specification. The launch template can't include SubnetId , IamInstanceProfile , RequestSpotInstances , HibernationOptions , or TerminateInstances , or the node group deployment or update will fail. For more information about launch templates, see CreateLaunchTemplate in the Amazon EC2 API Reference. For more information about using launch templates with Amazon EKS, see Launch template support in the Amazon EKS User Guide.
You must specify either the launch template ID or the launch template name in the request, but not both.
" }, + "ListAccessEntriesRequest":{ + "type":"structure", + "required":["clusterName"], + "members":{ + "clusterName":{ + "shape":"String", + "documentation":"The name of your cluster.
", + "location":"uri", + "locationName":"name" + }, + "associatedPolicyArn":{ + "shape":"String", + "documentation":"The ARN of an AccessPolicy. When you specify an access policy ARN, only the access entries associated to that access policy are returned. For a list of available policy ARNs, use ListAccessPolicies.
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The list of access entries that exist for the cluster.
" + }, + "nextToken":{ + "shape":"String", + "documentation":"The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The list of available access policies. You can't view the contents of an access policy using the API. To view the contents, see Access policy permissions in the Amazon EKS User Guide.
" + }, + "nextToken":{ + "shape":"String", + "documentation":"The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The name of the cluster.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, "maxResults":{ "shape":"ListAddonsRequestMaxResults", - "documentation":"The maximum number of add-on results returned by ListAddonsRequest in paginated output. When you use this parameter, ListAddonsRequest returns only maxResults results in a single page along with a nextToken response element. You can see the remaining results of the initial request by sending another ListAddonsRequest request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, ListAddonsRequest returns up to 100 results and a nextToken value, if applicable.
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
The nextToken value returned from a previous paginated ListAddonsRequest where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The name of your cluster.
", + "location":"uri", + "locationName":"name" + }, + "principalArn":{ + "shape":"String", + "documentation":"The ARN of the IAM principal for the AccessEntry.
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The name of your cluster.
" + }, + "principalArn":{ + "shape":"String", + "documentation":"The ARN of the IAM principal for the AccessEntry.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The list of access policies associated with the access entry.
" + } + } + }, "ListClustersRequest":{ "type":"structure", "members":{ "maxResults":{ "shape":"ListClustersRequestMaxResults", - "documentation":"The maximum number of cluster results returned by ListClusters in paginated output. When you use this parameter, ListClusters returns only maxResults results in a single page along with a nextToken response element. You can see the remaining results of the initial request by sending another ListClusters request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, ListClusters returns up to 100 results and a nextToken value if applicable.
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
The nextToken value returned from a previous paginated ListClusters request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
Indicates whether external clusters are included in the returned list. Use 'all' to return connected clusters, or blank to return only Amazon EKS clusters. 'all' must be in lowercase otherwise an error occurs.
Indicates whether external clusters are included in the returned list. Use 'all' to return https://docs.aws.amazon.com/eks/latest/userguide/eks-connector.htmlconnected clusters, or blank to return only Amazon EKS clusters. 'all' must be in lowercase otherwise an error occurs.
A list of all of the clusters for your account in the specified Region.
" + "documentation":"A list of all of the clusters for your account in the specified Amazon Web Services Region.
" }, "nextToken":{ "shape":"String", - "documentation":"The nextToken value to include in a future ListClusters request. When the results of a ListClusters request exceed maxResults, you can use this value to retrieve the next page of results. This value is null when there are no more results to return.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The name of the Amazon EKS cluster that you would like to list Fargate profiles in.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, "maxResults":{ "shape":"FargateProfilesRequestMaxResults", - "documentation":"The maximum number of Fargate profile results returned by ListFargateProfiles in paginated output. When you use this parameter, ListFargateProfiles returns only maxResults results in a single page along with a nextToken response element. You can see the remaining results of the initial request by sending another ListFargateProfiles request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, ListFargateProfiles returns up to 100 results and a nextToken value if applicable.
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
The nextToken value returned from a previous paginated ListFargateProfiles request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The nextToken value to include in a future ListFargateProfiles request. When the results of a ListFargateProfiles request exceed maxResults, you can use this value to retrieve the next page of results. This value is null when there are no more results to return.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The cluster name that you want to list identity provider configurations for.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, "maxResults":{ "shape":"ListIdentityProviderConfigsRequestMaxResults", - "documentation":"The maximum number of identity provider configurations returned by ListIdentityProviderConfigs in paginated output. When you use this parameter, ListIdentityProviderConfigs returns only maxResults results in a single page along with a nextToken response element. You can see the remaining results of the initial request by sending another ListIdentityProviderConfigs request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, ListIdentityProviderConfigs returns up to 100 results and a nextToken value, if applicable.
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
The nextToken value returned from a previous paginated IdentityProviderConfigsRequest where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The name of the Amazon EKS cluster that you would like to list node groups in.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, "maxResults":{ "shape":"ListNodegroupsRequestMaxResults", - "documentation":"The maximum number of node group results returned by ListNodegroups in paginated output. When you use this parameter, ListNodegroups returns only maxResults results in a single page along with a nextToken response element. You can see the remaining results of the initial request by sending another ListNodegroups request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, ListNodegroups returns up to 100 results and a nextToken value if applicable.
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
The nextToken value returned from a previous paginated ListNodegroups request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The nextToken value to include in a future ListNodegroups request. When the results of a ListNodegroups request exceed maxResults, you can use this value to retrieve the next page of results. This value is null when there are no more results to return.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The Amazon Resource Name (ARN) that identifies the resource for which to list the tags. Currently, the supported resources are Amazon EKS clusters and managed node groups.
", + "documentation":"The Amazon Resource Name (ARN) that identifies the resource to list tags for.
", "location":"uri", "locationName":"resourceArn" } @@ -3070,13 +3689,13 @@ }, "nextToken":{ "shape":"String", - "documentation":"The nextToken value returned from a previous paginated ListUpdates request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The maximum number of update results returned by ListUpdates in paginated output. When you use this parameter, ListUpdates returns only maxResults results in a single page along with a nextToken response element. You can see the remaining results of the initial request by sending another ListUpdates request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, ListUpdates returns up to 100 results and a nextToken value if applicable.
The maximum number of results, returned in paginated output. You receive maxResults in a single page, along with a nextToken response element. You can see the remaining results of the initial request by sending another request with the returned nextToken value. This value can be between 1 and 100. If you don't use this parameter, 100 results and a nextToken value, if applicable, are returned.
The nextToken value to include in a future ListUpdates request. When the results of a ListUpdates request exceed maxResults, you can use this value to retrieve the next page of results. This value is null when there are no more results to return.
The nextToken value returned from a previous paginated request, where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.
This token should be treated as an opaque identifier that is used only to retrieve the next items in a list and not for other programmatic purposes.
The name of the cluster that the managed node group resides in.
" + "documentation":"The name of your cluster.
" }, "version":{ "shape":"String", @@ -3182,11 +3801,11 @@ }, "createdAt":{ "shape":"Timestamp", - "documentation":"The Unix epoch timestamp in seconds for when the managed node group was created.
" + "documentation":"The Unix epoch timestamp at object creation.
" }, "modifiedAt":{ "shape":"Timestamp", - "documentation":"The Unix epoch timestamp in seconds for when the managed node group was last modified.
" + "documentation":"The Unix epoch timestamp for the last modification to the object.
" }, "status":{ "shape":"NodegroupStatus", @@ -3222,7 +3841,7 @@ }, "labels":{ "shape":"labelsMap", - "documentation":"The Kubernetes labels applied to the nodes in the node group.
Only labels that are applied with the Amazon EKS API are shown here. There may be other Kubernetes labels applied to the nodes in this group.
The Kubernetes labels applied to the nodes in the node group.
Only labels that are applied with the Amazon EKS API are shown here. There may be other Kubernetes labels applied to the nodes in this group.
The metadata applied to the node group to assist with categorization and organization. Each tag consists of a key and an optional value. You define both. Node group tags do not propagate to any other resources associated with the node group, such as the Amazon EC2 instances or subnets.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" } }, "documentation":"An object representing an Amazon EKS managed node group.
" @@ -3330,7 +3949,7 @@ }, "desiredSize":{ "shape":"ZeroCapacity", - "documentation":"The current number of nodes that the managed node group should maintain.
If you use Cluster Autoscaler, you shouldn't change the desiredSize value directly, as this can cause the Cluster Autoscaler to suddenly scale up or scale down.
Whenever this parameter changes, the number of worker nodes in the node group is updated to the specified size. If this parameter is given a value that is smaller than the current number of running worker nodes, the necessary number of worker nodes are terminated to match the given value. When using CloudFormation, no action occurs if you remove this parameter from your CFN template.
This parameter can be different from minSize in some cases, such as when starting with extra hosts for testing. This parameter can also be different when you want to start with an estimated number of needed hosts, but let Cluster Autoscaler reduce the number if there are too many. When Cluster Autoscaler is used, the desiredSize parameter is altered by Cluster Autoscaler (but can be out-of-date for short periods of time). Cluster Autoscaler doesn't scale a managed node group lower than minSize or higher than maxSize.
" + "documentation":"The current number of nodes that the managed node group should maintain.
If you use the Kubernetes Cluster Autoscaler, you shouldn't change the desiredSize value directly, as this can cause the Cluster Autoscaler to suddenly scale up or scale down.
Whenever this parameter changes, the number of worker nodes in the node group is updated to the specified size. If this parameter is given a value that is smaller than the current number of running worker nodes, the necessary number of worker nodes are terminated to match the given value. When using CloudFormation, no action occurs if you remove this parameter from your CFN template.
This parameter can be different from minSize in some cases, such as when starting with extra hosts for testing. This parameter can also be different when you want to start with an estimated number of needed hosts, but let the Cluster Autoscaler reduce the number if there are too many. When the Cluster Autoscaler is used, the desiredSize parameter is altered by the Cluster Autoscaler (but can be out-of-date for short periods of time). the Cluster Autoscaler doesn't scale a managed node group lower than minSize or higher than maxSize.
An object representing the scaling configuration details for the Auto Scaling group that is associated with your node group. When creating a node group, you must specify all or none of the properties. When updating a node group, you can specify any or none of the properties.
" @@ -3352,11 +3971,11 @@ "members":{ "maxUnavailable":{ "shape":"NonZeroInteger", - "documentation":"The maximum number of nodes unavailable at once during a version update. Nodes will be updated in parallel. This value or maxUnavailablePercentage is required to have a value.The maximum number is 100.
The maximum number of nodes unavailable at once during a version update. Nodes are updated in parallel. This value or maxUnavailablePercentage is required to have a value.The maximum number is 100.
The maximum percentage of nodes unavailable during a version update. This percentage of nodes will be updated in parallel, up to 100 nodes at once. This value or maxUnavailable is required to have a value.
The maximum percentage of nodes unavailable during a version update. This percentage of nodes are updated in parallel, up to 100 nodes at once. This value or maxUnavailable is required to have a value.
The node group update configuration.
" @@ -3401,7 +4020,7 @@ }, "clusterName":{ "shape":"String", - "documentation":"The cluster that the configuration is associated to.
" + "documentation":"The name of your cluster.
" }, "issuerUrl":{ "shape":"String", @@ -3433,7 +4052,7 @@ }, "tags":{ "shape":"TagMap", - "documentation":"The metadata to apply to the provider configuration to assist with categorization and organization. Each tag consists of a key and an optional value. You define both.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" }, "status":{ "shape":"configStatus", @@ -3456,15 +4075,15 @@ }, "issuerUrl":{ "shape":"String", - "documentation":"The URL of the OpenID identity provider that allows the API server to discover public signing keys for verifying tokens. The URL must begin with https:// and should correspond to the iss claim in the provider's OIDC ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com. This URL should point to the level below .well-known/openid-configuration and must be publicly accessible over the internet.
The URL of the OIDC identity provider that allows the API server to discover public signing keys for verifying tokens. The URL must begin with https:// and should correspond to the iss claim in the provider's OIDC ID tokens. Based on the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com. This URL should point to the level below .well-known/openid-configuration and must be publicly accessible over the internet.
This is also known as audience. The ID for the client application that makes authentication requests to the OpenID identity provider.
" + "documentation":"This is also known as audience. The ID for the client application that makes authentication requests to the OIDC identity provider.
" }, "usernameClaim":{ "shape":"String", - "documentation":"The JSON Web Token (JWT) claim to use as the username. The default is sub, which is expected to be a unique identifier of the end user. You can choose other claims, such as email or name, depending on the OpenID identity provider. Claims other than email are prefixed with the issuer URL to prevent naming clashes with other plug-ins.
The JSON Web Token (JWT) claim to use as the username. The default is sub, which is expected to be a unique identifier of the end user. You can choose other claims, such as email or name, depending on the OIDC identity provider. Claims other than email are prefixed with the issuer URL to prevent naming clashes with other plug-ins.
The key value pairs that describe required claims in the identity token. If set, each claim is verified to be present in the token with a matching value. For the maximum number of claims that you can require, see Amazon EKS service quotas in the Amazon EKS User Guide.
" } }, - "documentation":"An object representing an OpenID Connect (OIDC) configuration. Before associating an OIDC identity provider to your cluster, review the considerations in Authenticating users for your cluster from an OpenID Connect identity provider in the Amazon EKS User Guide.
" + "documentation":"An object representing an OpenID Connect (OIDC) configuration. Before associating an OIDC identity provider to your cluster, review the considerations in Authenticating users for your cluster from an OIDC identity provider in the Amazon EKS User Guide.
" }, "OutpostConfigRequest":{ "type":"structure", @@ -3564,7 +4183,7 @@ }, "tags":{ "shape":"TagMap", - "documentation":"The metadata that you apply to a resource to assist with categorization and organization. Each tag consists of a key and an optional value. You define both.
The following basic restrictions apply to tags:
Maximum number of tags per resource – 50
For each resource, each tag key must be unique, and each tag key can have only one value.
Maximum key length – 128 Unicode characters in UTF-8
Maximum value length – 256 Unicode characters in UTF-8
If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.
Tag keys and values are case-sensitive.
Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
The following basic restrictions apply to tags:
Maximum number of tags per resource – 50
For each resource, each tag key must be unique, and each tag key can have only one value.
Maximum key length – 128 Unicode characters in UTF-8
Maximum value length – 256 Unicode characters in UTF-8
If your tagging schema is used across multiple services and resources, remember that other services may have restrictions on allowed characters. Generally allowed characters are: letters, numbers, and spaces representable in UTF-8, and the following characters: + - = . _ : / @.
Tag keys and values are case-sensitive.
Do not use aws:, AWS:, or any upper or lowercase combination of such as a prefix for either keys or values as it is reserved for Amazon Web Services use. You cannot edit or delete tag keys or values with this prefix. Tags with this prefix do not count against your tags per resource limit.
The most recent timestamp that the association was modified at
" } }, - "documentation":"Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that 7EC2l instance profiles provide credentials to Amazon EC2 instances.
" + "documentation":"Amazon EKS Pod Identity associations provide the ability to manage credentials for your applications, similar to the way that Amazon EC2 instance profiles provide credentials to Amazon EC2 instances.
" }, "PodIdentityAssociationSummaries":{ "type":"list", @@ -3626,7 +4245,7 @@ "members":{ "name":{ "shape":"ClusterName", - "documentation":"Define a unique name for this cluster for your Region.
" + "documentation":"A unique name for this cluster in your Amazon Web Services Region.
" }, "connectorConfig":{ "shape":"ConnectorConfigRequest", @@ -3634,12 +4253,12 @@ }, "clientRequestToken":{ "shape":"String", - "documentation":"Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true }, "tags":{ "shape":"TagMap", - "documentation":"The metadata that you apply to the cluster to assist with categorization and organization. Each tag consists of a key and an optional value, both of which you define. Cluster tags do not propagate to any other resources associated with the cluster.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" } } }, @@ -3747,7 +4366,7 @@ "documentation":"The Amazon EKS message associated with the exception.
" } }, - "documentation":"The specified resource could not be found. You can view your available clusters with ListClusters. You can view your available managed node groups with ListNodegroups. Amazon EKS clusters and node groups are Region-specific.
", + "documentation":"The specified resource could not be found. You can view your available clusters with ListClusters. You can view your available managed node groups with ListNodegroups. Amazon EKS clusters and node groups are Amazon Web Services Region specific.
The Amazon Resource Name (ARN) of the resource to which to add tags. Currently, the supported resources are Amazon EKS clusters and managed node groups.
", + "documentation":"The Amazon Resource Name (ARN) of the resource to add tags to.
", "location":"uri", "locationName":"resourceArn" }, "tags":{ "shape":"TagMap", - "documentation":"The tags to add to the resource. A tag is an array of key-value pairs.
" + "documentation":"Metadata that assists with categorization and organization. Each tag consists of a key and an optional value. You define both. Tags don't propagate to any other cluster or Amazon Web Services resources.
" } } }, @@ -3880,7 +4499,7 @@ "documentation":"The effect of the taint.
" } }, - "documentation":"A property that allows a node to repel a set of pods. For more information, see Node taints on managed node groups.
" + "documentation":"A property that allows a node to repel a Pod. For more information, see Node taints on managed node groups in the Amazon EKS User Guide.
The Amazon Resource Name (ARN) of the resource from which to delete tags. Currently, the supported resources are Amazon EKS clusters and managed node groups.
", + "documentation":"The Amazon Resource Name (ARN) of the resource to delete tags from.
", "location":"uri", "locationName":"resourceArn" }, "tagKeys":{ "shape":"TagKeyList", - "documentation":"The keys of the tags to be removed.
", + "documentation":"The keys of the tags to remove.
", "location":"querystring", "locationName":"tagKeys" } @@ -3962,7 +4581,7 @@ }, "createdAt":{ "shape":"Timestamp", - "documentation":"The Unix epoch timestamp in seconds for when the update was created.
" + "documentation":"The Unix epoch timestamp at object creation.
" }, "errors":{ "shape":"ErrorDetails", @@ -3971,6 +4590,59 @@ }, "documentation":"An object representing an asynchronous update.
" }, + "UpdateAccessConfigRequest":{ + "type":"structure", + "members":{ + "authenticationMode":{ + "shape":"AuthenticationMode", + "documentation":"The desired authentication mode for the cluster.
" + } + }, + "documentation":"The access configuration information for the cluster.
" + }, + "UpdateAccessEntryRequest":{ + "type":"structure", + "required":[ + "clusterName", + "principalArn" + ], + "members":{ + "clusterName":{ + "shape":"String", + "documentation":"The name of your cluster.
", + "location":"uri", + "locationName":"name" + }, + "principalArn":{ + "shape":"String", + "documentation":"The ARN of the IAM principal for the AccessEntry.
The value for name that you've specified for kind: Group as a subject in a Kubernetes RoleBinding or ClusterRoleBinding object. Amazon EKS doesn't confirm that the value for name exists in any bindings on your cluster. You can specify one or more names.
Kubernetes authorizes the principalArn of the access entry to access any cluster objects that you've specified in a Kubernetes Role or ClusterRole object that is also specified in a binding's roleRef. For more information about creating Kubernetes RoleBinding, ClusterRoleBinding, Role, or ClusterRole objects, see Using RBAC Authorization in the Kubernetes documentation.
If you want Amazon EKS to authorize the principalArn (instead of, or in addition to Kubernetes authorizing the principalArn), you can associate one or more access policies to the access entry using AssociateAccessPolicy. If you associate any access policies, the principalARN has all permissions assigned in the associated access policies and all permissions in any Kubernetes Role or ClusterRole objects that the group names are bound to.
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "idempotencyToken":true + }, + "username":{ + "shape":"String", + "documentation":"The username to authenticate to Kubernetes with. We recommend not specifying a username and letting Amazon EKS specify it for you. For more information about the value Amazon EKS specifies for you, or constraints before specifying your own username, see Creating access entries in the Amazon EKS User Guide.
" + } + } + }, + "UpdateAccessEntryResponse":{ + "type":"structure", + "members":{ + "accessEntry":{ + "shape":"AccessEntry", + "documentation":"The ARN of the IAM principal for the AccessEntry.
The name of the cluster.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -4004,12 +4676,12 @@ }, "clientRequestToken":{ "shape":"String", - "documentation":"Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true }, "configurationValues":{ "shape":"String", - "documentation":"The set of configuration values for the add-on that's created. The values that you provide are validated against the schema in DescribeAddonConfiguration.
" + "documentation":"The set of configuration values for the add-on that's created. The values that you provide are validated against the schema returned by DescribeAddonConfiguration.
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true + }, + "accessConfig":{ + "shape":"UpdateAccessConfigRequest", + "documentation":"The access configuration for the cluster.
" } } }, @@ -4066,7 +4742,7 @@ }, "clientRequestToken":{ "shape":"String", - "documentation":"Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true } } @@ -4118,14 +4794,14 @@ "members":{ "addOrUpdateLabels":{ "shape":"labelsMap", - "documentation":"Kubernetes labels to be added or updated.
" + "documentation":"The Kubernetes labels to add or update.
Kubernetes labels to be removed.
" + "documentation":"The Kubernetes labels to remove.
An object representing a Kubernetes label change for a managed node group.
" + "documentation":"An object representing a Kubernetes label change for a managed node group.
The name of the Amazon EKS cluster that the managed node group resides in.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -4148,7 +4824,7 @@ }, "labels":{ "shape":"UpdateLabelsPayload", - "documentation":"The Kubernetes labels to be applied to the nodes in the node group after the update.
" + "documentation":"The Kubernetes labels to apply to the nodes in the node group after the update.
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true } } @@ -4184,7 +4860,7 @@ "members":{ "clusterName":{ "shape":"String", - "documentation":"The name of the Amazon EKS cluster that is associated with the managed node group to update.
", + "documentation":"The name of your cluster.
", "location":"uri", "locationName":"name" }, @@ -4208,11 +4884,11 @@ }, "force":{ "shape":"Boolean", - "documentation":"Force the update if the existing node group's pods are unable to be drained due to a pod disruption budget issue. If an update fails because pods could not be drained, you can force the update after it fails to terminate the old node whether or not any pods are running on the node.
" + "documentation":"Force the update if any Pod on the existing node group can't be drained due to a Pod disruption budget issue. If an update fails because all Pods can't be drained, you can force the update after it fails to terminate the old node whether or not any Pod is running on the node.
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true } } @@ -4265,7 +4941,8 @@ "MaxUnavailablePercentage", "ConfigurationValues", "SecurityGroups", - "Subnets" + "Subnets", + "AuthenticationMode" ] }, "UpdateParams":{ @@ -4297,7 +4974,7 @@ }, "clientRequestToken":{ "shape":"String", - "documentation":"Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", + "documentation":"A unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
", "idempotencyToken":true } } @@ -4332,7 +5009,7 @@ "documentation":"Kubernetes taints to remove.
" } }, - "documentation":"An object representing the details of an update to a taints payload. For more information, see Node taints on managed node groups.
" + "documentation":"An object representing the details of an update to a taints payload. For more information, see Node taints on managed node groups in the Amazon EKS User Guide.
" }, "UpdateType":{ "type":"string", @@ -4345,7 +5022,8 @@ "DisassociateIdentityProviderConfig", "AssociateEncryptionConfig", "AddonUpdate", - "VpcConfigUpdate" + "VpcConfigUpdate", + "AccessConfigUpdate" ] }, "VpcConfigRequest":{ @@ -4369,7 +5047,7 @@ }, "publicAccessCidrs":{ "shape":"StringList", - "documentation":"The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is 0.0.0.0/0. If you've disabled private endpoint access and you have nodes or Fargate pods in the cluster, then ensure that you specify the necessary CIDR blocks. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the CIDR blocks that you specify is denied. The default value is 0.0.0.0/0. If you've disabled private endpoint access, make sure that you specify the necessary CIDR blocks for every node and Fargate Pod in the cluster. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .
An object representing the VPC configuration to use for an Amazon EKS cluster.
" @@ -4395,7 +5073,7 @@ }, "endpointPublicAccess":{ "shape":"Boolean", - "documentation":"This parameter indicates whether the Amazon EKS public API server endpoint is enabled. If the Amazon EKS public API server endpoint is disabled, your cluster's Kubernetes API server can only receive requests that originate from within the cluster VPC.
" + "documentation":"Whether the public API server endpoint is enabled.
" }, "endpointPrivateAccess":{ "shape":"Boolean", @@ -4403,7 +5081,7 @@ }, "publicAccessCidrs":{ "shape":"StringList", - "documentation":"The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint. Communication to the endpoint from addresses outside of the listed CIDR blocks is denied. The default value is 0.0.0.0/0. If you've disabled private endpoint access and you have nodes or Fargate pods in the cluster, then ensure that the necessary CIDR blocks are listed. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .
The CIDR blocks that are allowed access to your cluster's public Kubernetes API server endpoint.
" } }, "documentation":"An object representing an Amazon EKS cluster VPC configuration response.
" @@ -4470,5 +5148,5 @@ "member":{"shape":"Taint"} } }, - "documentation":"Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on Amazon Web Services without needing to stand up or maintain your own Kubernetes control plane. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications.
Amazon EKS runs up-to-date versions of the open-source Kubernetes software, so you can use all the existing plugins and tooling from the Kubernetes community. Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment, whether running in on-premises data centers or public clouds. This means that you can easily migrate any standard Kubernetes application to Amazon EKS without any code modification required.
" + "documentation":"Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on Amazon Web Services without needing to setup or maintain your own Kubernetes control plane. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications.
Amazon EKS runs up-to-date versions of the open-source Kubernetes software, so you can use all the existing plugins and tooling from the Kubernetes community. Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment, whether running in on-premises data centers or public clouds. This means that you can easily migrate any standard Kubernetes application to Amazon EKS without any code modification required.
" } diff --git a/botocore/data/quicksight/2018-04-01/service-2.json b/botocore/data/quicksight/2018-04-01/service-2.json index f1b1ff46fc..545aeae77c 100644 --- a/botocore/data/quicksight/2018-04-01/service-2.json +++ b/botocore/data/quicksight/2018-04-01/service-2.json @@ -211,7 +211,7 @@ {"shape":"InternalFailureException"}, {"shape":"ResourceUnavailableException"} ], - "documentation":"Use the CreateGroup operation to create a group in Amazon QuickSight. You can create up to 10,000 groups in a namespace. If you want to create more than 10,000 groups in a namespace, contact AWS Support.
The permissions resource is arn:aws:quicksight:<your-region>:<relevant-aws-account-id>:group/default/<group-name> .
The response is a group object.
" + "documentation":"Use the CreateGroup operation to create a group in Amazon QuickSight. You can create up to 10,000 groups in a namespace. If you want to create more than 10,000 groups in a namespace, contact Amazon Web Services Support.
The permissions resource is arn:aws:quicksight:<your-region>:<relevant-aws-account-id>:group/default/<group-name> .
The response is a group object.
" }, "CreateGroupMembership":{ "name":"CreateGroupMembership", diff --git a/botocore/data/route53resolver/2018-04-01/endpoint-rule-set-1.json b/botocore/data/route53resolver/2018-04-01/endpoint-rule-set-1.json index 574079562e..f86daee8a3 100644 --- a/botocore/data/route53resolver/2018-04-01/endpoint-rule-set-1.json +++ b/botocore/data/route53resolver/2018-04-01/endpoint-rule-set-1.json @@ -40,7 +40,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -83,7 +82,8 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" }, { "conditions": [ @@ -96,7 +96,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -110,7 +109,6 @@ "assign": "PartitionResult" } ], - "type": "tree", "rules": [ { "conditions": [ @@ -133,7 +131,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -168,7 +165,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [], @@ -179,14 +175,16 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" }, { "conditions": [], "error": "FIPS and DualStack are enabled, but this partition does not support one or both", "type": "error" } - ] + ], + "type": "tree" }, { "conditions": [ @@ -200,14 +198,12 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ - true, { "fn": "getAttr", "argv": [ @@ -216,11 +212,11 @@ }, "supportsFIPS" ] - } + }, + true ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -269,14 +265,16 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" }, { "conditions": [], "error": "FIPS is enabled but this partition does not support FIPS", "type": "error" } - ] + ], + "type": "tree" }, { "conditions": [ @@ -290,7 +288,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -310,7 +307,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [], @@ -321,14 +317,16 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" }, { "conditions": [], "error": "DualStack is enabled but this partition does not support DualStack", "type": "error" } - ] + ], + "type": "tree" }, { "conditions": [], @@ -339,9 +337,11 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" } - ] + ], + "type": "tree" }, { "conditions": [], diff --git a/botocore/data/route53resolver/2018-04-01/service-2.json b/botocore/data/route53resolver/2018-04-01/service-2.json index 968250b13a..91152f0915 100644 --- a/botocore/data/route53resolver/2018-04-01/service-2.json +++ b/botocore/data/route53resolver/2018-04-01/service-2.json @@ -159,7 +159,7 @@ {"shape":"ThrottlingException"}, {"shape":"ValidationException"} ], - "documentation":"Creates an Route 53 Resolver on an Outpost.
" + "documentation":"Creates a Route 53 Resolver on an Outpost.
" }, "CreateResolverEndpoint":{ "name":"CreateResolverEndpoint", @@ -174,6 +174,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"InvalidRequestException"}, {"shape":"ResourceExistsException"}, + {"shape":"AccessDeniedException"}, {"shape":"LimitExceededException"}, {"shape":"InternalServiceErrorException"}, {"shape":"ThrottlingException"} @@ -216,6 +217,7 @@ {"shape":"ResourceExistsException"}, {"shape":"ResourceUnavailableException"}, {"shape":"InternalServiceErrorException"}, + {"shape":"AccessDeniedException"}, {"shape":"ThrottlingException"} ], "documentation":"For DNS queries that originate in your VPCs, specifies which Resolver endpoint the queries pass through, one domain name that you want to forward to your network, and the IP addresses of the DNS resolvers in your network.
" @@ -1186,10 +1188,11 @@ {"shape":"ResourceNotFoundException"}, {"shape":"InvalidParameterException"}, {"shape":"InvalidRequestException"}, + {"shape":"AccessDeniedException"}, {"shape":"InternalServiceErrorException"}, {"shape":"ThrottlingException"} ], - "documentation":"Updates the name, or enpoint type for an inbound or an outbound Resolver endpoint. You can only update between IPV4 and DUALSTACK, IPV6 endpoint type can't be updated to other type.
" + "documentation":"Updates the name, or endpoint type for an inbound or an outbound Resolver endpoint. You can only update between IPV4 and DUALSTACK, IPV6 endpoint type can't be updated to other type.
" }, "UpdateResolverRule":{ "name":"UpdateResolverRule", @@ -1206,7 +1209,8 @@ {"shape":"ResourceUnavailableException"}, {"shape":"LimitExceededException"}, {"shape":"InternalServiceErrorException"}, - {"shape":"ThrottlingException"} + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"} ], "documentation":"Updates settings for a specified Resolver rule. ResolverRuleId is required, and all other parameters are optional. If you don't specify a parameter, it retains its current value.
The subnets and IP addresses in your VPC that DNS queries originate from (for outbound endpoints) or that you forward DNS queries to (for inbound endpoints). The subnet ID uniquely identifies a VPC.
" + "documentation":"The subnets and IP addresses in your VPC that DNS queries originate from (for outbound endpoints) or that you forward DNS queries to (for inbound endpoints). The subnet ID uniquely identifies a VPC.
Even though the minimum is 1, Route 53 requires that you create at least two.
The Amazon Resource Name (ARN) of the Outpost. If you specify this, you must also specify a value for the PreferredInstanceType.
The instance type. If you specify this, you must also specify a value for the OutpostArn.
For the endpoint type you can choose either IPv4, IPv6, or dual-stack. A dual-stack endpoint means that it will resolve via both IPv4 and IPv6. This endpoint type is applied to all IP addresses.
", "box":true }, - "OutpostArn":{ - "shape":"OutpostArn", - "documentation":"The Amazon Resource Name (ARN) of the Outpost. If you specify this, you must also specify a value for the PreferredInstanceType.
The instance type. If you specify this, you must also specify a value for the OutpostArn.
The protocols you want to use for the endpoint. DoH-FIPS is applicable for inbound endpoints only.
For an inbound endpoint you can apply the protocols as follows:
Do53 and DoH in combination.
Do53 and DoH-FIPS in combination.
Do53 alone.
DoH alone.
DoH-FIPS alone.
None, which is treated as Do53.
For an outbound endpoint you can apply the protocols as follows:
Do53 and DoH in combination.
Do53 alone.
DoH alone.
None, which is treated as Do53.
DNS queries for this domain name are forwarded to the IP addresses that you specify in TargetIps. If a query matches multiple Resolver rules (example.com and www.example.com), outbound DNS queries are routed using the Resolver rule that contains the most specific domain name (www.example.com).
DNS queries for this domain name are forwarded to the IP addresses that you specify in TargetIps. If a query matches multiple Resolver rules (example.com and www.example.com), outbound DNS queries are routed using the Resolver rule that contains the most specific domain name (www.example.com).
An array that contains one ResolverDnssecConfig element for each configuration for DNSSEC validation that is associated with the current Amazon Web Services account.
" + "documentation":"An array that contains one ResolverDnssecConfig element for each configuration for DNSSEC validation that is associated with the current Amazon Web Services account. It doesn't contain disabled DNSSEC configurations for the resource.
" } } }, @@ -3612,6 +3621,20 @@ "min":0 }, "Priority":{"type":"integer"}, + "Protocol":{ + "type":"string", + "enum":[ + "DoH", + "Do53", + "DoH-FIPS" + ] + }, + "ProtocolList":{ + "type":"list", + "member":{"shape":"Protocol"}, + "max":2, + "min":1 + }, "PutFirewallRuleGroupPolicyRequest":{ "type":"structure", "required":[ @@ -3817,10 +3840,6 @@ "shape":"Rfc3339TimeString", "documentation":"The date and time that the endpoint was last modified, in Unix time format and Coordinated Universal Time (UTC).
" }, - "ResolverEndpointType":{ - "shape":"ResolverEndpointType", - "documentation":"The Resolver endpoint IP address type.
" - }, "OutpostArn":{ "shape":"OutpostArn", "documentation":"The ARN (Amazon Resource Name) for the Outpost.
" @@ -3828,6 +3847,14 @@ "PreferredInstanceType":{ "shape":"OutpostInstanceType", "documentation":"The Amazon EC2 instance type.
" + }, + "ResolverEndpointType":{ + "shape":"ResolverEndpointType", + "documentation":"The Resolver endpoint IP address type.
" + }, + "Protocols":{ + "shape":"ProtocolList", + "documentation":"Protocols used for the endpoint. DoH-FIPS is applicable for inbound endpoints only.
For an inbound endpoint you can apply the protocols as follows:
Do53 and DoH in combination.
Do53 and DoH-FIPS in combination.
Do53 alone.
DoH alone.
DoH-FIPS alone.
None, which is treated as Do53.
For an outbound endpoint you can apply the protocols as follows:
Do53 and DoH in combination.
Do53 alone.
DoH alone.
None, which is treated as Do53.
In the response to a CreateResolverEndpoint, DeleteResolverEndpoint, GetResolverEndpoint, Updates the name, or ResolverEndpointType for an endpoint, or UpdateResolverEndpoint request, a complex type that contains settings for an existing inbound or outbound Resolver endpoint.
" @@ -4320,6 +4347,11 @@ "shape":"Ipv6", "documentation":"One IPv6 address that you want to forward DNS queries to.
", "box":true + }, + "Protocol":{ + "shape":"Protocol", + "documentation":"The protocols for the Resolver endpoints. DoH-FIPS is applicable for inbound endpoints only.
For an inbound endpoint you can apply the protocols as follows:
Do53 and DoH in combination.
Do53 and DoH-FIPS in combination.
Do53 alone.
DoH alone.
DoH-FIPS alone.
None, which is treated as Do53.
For an outbound endpoint you can apply the protocols as follows:
Do53 and DoH in combination.
Do53 alone.
DoH alone.
None, which is treated as Do53.
In a CreateResolverRule request, an array of the IPs that you want to forward DNS queries to.
" @@ -4664,6 +4696,11 @@ "shape":"UpdateIpAddresses", "documentation":"Specifies the IPv6 address when you update the Resolver endpoint from IPv4 to dual-stack. If you don't specify an IPv6 address, one will be automatically chosen from your subnet.
", "box":true + }, + "Protocols":{ + "shape":"ProtocolList", + "documentation":"The protocols you want to use for the endpoint. DoH-FIPS is applicable for inbound endpoints only.
For an inbound endpoint you can apply the protocols as follows:
Do53 and DoH in combination.
Do53 and DoH-FIPS in combination.
Do53 alone.
DoH alone.
DoH-FIPS alone.
None, which is treated as Do53.
For an outbound endpoint you can apply the protocols as follows:
Do53 and DoH in combination.
Do53 alone.
DoH alone.
None, which is treated as Do53.
You can't change the protocol of an inbound endpoint directly from only Do53 to only DoH, or DoH-FIPS. This is to prevent a sudden disruption to incoming traffic that relies on Do53. To change the protocol from Do53 to DoH, or DoH-FIPS, you must first enable both Do53 and DoH, or Do53 and DoH-FIPS, to make sure that all incoming traffic has transferred to using the DoH protocol, or DoH-FIPS, and then remove the Do53.
You have provided an invalid command. Supported values are ADD, REMOVE, or REPLACE a domain.
You have provided an invalid command. If you ran the UpdateFirewallDomains request. supported values are ADD, REMOVE, or REPLACE a domain.