From fa83a18711b309d3a8e2a7c424c8e0f18a212003 Mon Sep 17 00:00:00 2001
From: aws-sdk-python-automation Retrieves a list of resources of the specified type that have been analyzed by the specified external access analyzer. This action is not supported for unused access analyzers. Retrieves a list of resources of the specified type that have been analyzed by the specified analyzer. Removes a tag from the specified resource. Modifies the configuration of an existing analyzer. A list of rules for the analyzer containing criteria to exclude from analysis. Entities that meet the rule criteria will not generate findings. Contains information about analysis rules for the analyzer. Analysis rules determine which entities will generate findings based on the criteria you define when you create the rule. A list of Amazon Web Services account IDs to apply to the analysis rule criteria. The accounts cannot include the organization analyzer owner account. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers. The list cannot include more than 2,000 account IDs. An array of key-value pairs to match for your resources. You can use the set of Unicode letters, digits, whitespace, For the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with For the tag value, you can specify a value that is 0 to 256 characters in length. If the specified tag value is 0 characters, the rule is applied to all principals with the specified tag key. The criteria for an analysis rule for an analyzer. The criteria determine which entities will generate findings. Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or account. External access analyzers do not support any configuration. Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or account. Contains information about the configuration of an unused access analyzer for an Amazon Web Services organization or account. 
Contains information about the configuration of an analyzer for an Amazon Web Services organization or account. The time at which the archive rule was last updated. Contains information about an archive rule. Contains information about an archive rule. Archive rules automatically archive new findings that meet the criteria you define when you create the rule. An array of key-value pairs to apply to the analyzer. An array of key-value pairs to apply to the analyzer. You can use the set of Unicode letters, digits, whitespace, For the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with For the tag value, you can specify a value that is 0 to 256 characters in length. Specifies the configuration of the analyzer. If the analyzer is an unused access analyzer, the specified scope of unused access is used for the configuration. If the analyzer is an external access analyzer, this field is not used. Specifies the configuration of the analyzer. If the analyzer is an unused access analyzer, the specified scope of unused access is used for the configuration. Creates an analyzer. The response to the request. The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 180 days. The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 365 days. Contains information about an unused access analyzer. 
Contains information about the action to take for a policy in an unused permissions finding. The name of the analyzer to modify. Represents the current status of the resource operation request. Lists Hook invocations for the specified target in the request. This is a list since the same target can invoke multiple Hooks. The type name of the Hook being invoked. The type version of the Hook being invoked. The ARN of the Hook being invoked. States whether the Hook is invoked before or after resource provisioning. The status of the Hook invocation. The following are potential statuses: The time that the Hook invocation request initiated. The message explaining the current Hook status. The failure mode of the invocation. The following are the potential statuses: Represents the current status of applicable Hooks for a resource operation request. It contains list of Hook invocation information for the resource specified in the request since the same target can invoke multiple Hooks. For more information, see Managing resource operation requests with Amazon Web Services Cloud Control API . Allow up to 256K length of Resource properties The unique token representing this resource operation request. Use the The unique token representing the Hooks operation for the request. The resource operation type. Allow up to 256K length of Resource properties A list of objects that contain the GPU name of the accelerator and driver for the instance types that support the accelerator. The number of GPUs on each worker. The default is 1. Provides information about the GPU accelerators and drivers for the instance types in a fleet. If you include the The minimum GPU for the accelerator. The minimum number of GPUs for the accelerator. If you set the value to 0, a worker will still have 1 GPU. The maximum GPU for the accelerator. The maximum number of GPUs for the accelerator. The range for the GPU fleet acceleration. The name of the GPU accelerator. 
The driver version that the GPU accelerator uses. Values that you can use to select a particular Amazon EC2 instance type. The root EBS volume. The GPU accelerator capabilities required for the Amazon EC2 instances. If you include the The allowable Amazon EC2 instance types. Removes the specified managed policy from the specified user. A user can also have inline policies embedded with it. To delete an inline policy, use DeleteUserPolicy. For information about policies, see Managed policies and inline policies in the IAM User Guide. Disables the management of privileged root user credentials across member accounts in your organization. When you disable this feature, the management account and the delegated admininstrator for IAM can no longer manage root user credentials for member accounts in your organization. Disables root user sessions for privileged tasks across member accounts in your organization. When you disable this feature, the management account and the delegated admininstrator for IAM can no longer perform privileged tasks on member accounts in your organization. Enables the specified MFA device and associates it with the specified IAM user. When enabled, the MFA device is required for every subsequent login by the IAM user associated with the device. Enables the management of privileged root user credentials across member accounts in your organization. When you enable root credentials management for centralized root access, the management account and the delegated admininstrator for IAM can manage root user credentials for member accounts in your organization. Before you enable centralized root access, you must have an account configured with the following settings: You must manage your Amazon Web Services accounts in Organizations. Enable trusted access for Identity and Access Management in Organizations. For details, see IAM and Organizations in the Organizations User Guide. 
Allows the management account or delegated administrator to perform privileged tasks on member accounts in your organization. For more information, see Centrally manage root access for member accounts in the Identity and Access Management User Guide. Before you enable this feature, you must have an account configured with the following settings: You must manage your Amazon Web Services accounts in Organizations. Enable trusted access for Identity and Access Management in Organizations. For details, see IAM and Organizations in the Organizations User Guide. Lists the account alias associated with the Amazon Web Services account (Note: you can have only one). For information about using an Amazon Web Services account alias, see Creating, deleting, and listing an Amazon Web Services account alias in the IAM User Guide. Lists the account alias associated with the Amazon Web Services account (Note: you can have only one). For information about using an Amazon Web Services account alias, see Creating, deleting, and listing an Amazon Web Services account alias in the Amazon Web Services Sign-In User Guide. Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the Amazon Web Services account. IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for an OIDC provider, see GetOpenIDConnectProvider. Lists the centralized root access features enabled for your organization. For more information, see Centrally manage root access for member accounts. Contains information about an Amazon Web Services access key, without its secret key. This data type is used as a response element in the ListAccessKeys operation. The request was rejected because the account making the request is not the management account or delegated administrator account for centralized root access. 
The request was rejected because the account making the request is not the management account for the organization. The name of the IAM user to create a password for. The user must already exist. This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- The name of the IAM user to create a password for. The user must already exist. This parameter is optional. If no user name is included, it defaults to the principal making the request. When you make this request with root user credentials, you must use an AssumeRoot session to omit the user name. This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- The new password for the user. The regex pattern that is used to validate this parameter is a string of characters. That string can include almost any printable ASCII character from the space ( The new password for the user. This parameter must be omitted when you make the request with an AssumeRoot session. It is required in all other cases. The regex pattern that is used to validate this parameter is a string of characters. That string can include almost any printable ASCII character from the space ( The name of the user whose MFA device you want to deactivate. This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- The name of the user whose MFA device you want to deactivate. This parameter is optional. If no user name is included, it defaults to the principal making the request. When you make this request with root user credentials, you must use an AssumeRoot session to omit the user name. 
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- The name of the user whose password you want to delete. This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- The name of the user whose password you want to delete. This parameter is optional. If no user name is included, it defaults to the principal making the request. When you make this request with root user credentials, you must use an AssumeRoot session to omit the user name. This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- The unique identifier (ID) of an organization. The features enabled for centralized root access for member accounts in your organization. The unique identifier (ID) of an organization. The features you have enabled for centralized root access of member accounts in your organization. The unique identifier (ID) of an organization. The features you have enabled for centralized root access. The unique identifier (ID) of an organization. The features you have enabled for centralized root access. The name of the user whose login profile you want to retrieve. This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- The name of the user whose login profile you want to retrieve. This parameter is optional. If no user name is included, it defaults to the principal making the request. 
When you make this request with root user credentials, you must use an AssumeRoot session to omit the user name. This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@- Contains the response to a successful ListOpenIDConnectProviders request. The unique identifier (ID) of an organization. Specifies the features that are currently available in your organization. The request was rejected because no organization is associated with your account. The request was rejected because your organization does not have All features enabled. For more information, see Available feature sets in the Organizations User Guide. Contains information about a server certificate without its certificate body, certificate chain, and private key. This data type is used as a response element in the UploadServerCertificate and ListServerCertificates operations. The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the Organizations User Guide. Fetches the log-level override, if any, for a given resource-ID and resource-type. It can be used for a wireless device or a wireless gateway. Fetches the log-level override, if any, for a given resource-ID and resource-type. It can be used for a wireless device, wireless gateway or fuota task. Removes the log-level overrides for all resources; both wireless devices and wireless gateways. Removes the log-level overrides for all resources; wireless devices, wireless gateways, and fuota tasks. Removes the log-level override, if any, for a specific resource-ID and resource-type. It can be used for a wireless device or a wireless gateway. Removes the log-level override, if any, for a specific resource-ID and resource-type. It can be used for a wireless device, a wireless gateway, or a fuota task. 
The Descriptor specifies some metadata about the File being transferred using FUOTA e.g. the software version. It is sent transparently to the device. It is a binary field encoded in base64 The arn of a FUOTA task. The event for a log message, if the log message is tied to a fuota task. The log options for a FUOTA task event and can be used to set log levels for a specific fuota task event. For a LoRaWAN FuotaTask type, possible event for a log message is The list of FUOTA task event log options. The ID of a FUOTA task. Lists the FUOTA tasks registered to your AWS account. The fuota task type. The log options for fuota tasks and can be used to set log levels for a specific type of fuota task. The list of fuota task log options. The name of a FUOTA task. The fuota task type. Gateway list item object that specifies the frequency and list of gateways for which the downlink message should be sent. The type of the resource, which can be The type of the resource, which can be The LoRaWAN information that is to be used with the multicast group. The LoRaWAN information that is to be returned from getting multicast group information. Specify the list of gateways to which you want to send downlink data traffic when the wireless device is running in class B or class C mode. The list of gateways that you want to use for sending the multicast downlink. Each downlink will be sent to all the gateways in the list with transmission interval between them. If list is empty the gateway list will be dynamically selected similar to the case of no ParticipatingGateways The duration of time for which AWS IoT Core for LoRaWAN will wait before transmitting the multicast payload to the next gateway in the list. Specify the list of gateways to which you want to send the multicast downlink messages. The multicast message will be sent to each gateway in the sequence provided in the list. 
The type of the resource, which can be The type of the resource, which can be The type of the resource, which can be The type of the resource, which can be The expected ingest bitrate (bits per second). This is configured in the encoder. Name of the audio track (if the stream has an audio track). If multitrack is not enabled, this is track0 (the sole track). Object specifying a stream’s audio configuration, as set up by the broadcaster (usually in an encoder). This is part of the IngestConfiguration object and used for monitoring stream health. Object specifying a stream’s audio configuration, as set up by the broadcaster (usually in an encoder). This is part of the IngestConfigurations object and the deprecated IngestConfiguration object. It is used for monitoring stream health. Whether the channel is private (enabled for playback authorization). Default: Indicates which content-packaging format is used (MPEG-TS or fMP4). If Channel ingest endpoint, part of the definition of an ingest server, used when you set up streaming software. Channel latency mode. Use Object specifying multitrack input configuration. Default: no multitrack input configuration is specified. Channel name. Whether the channel is private (enabled for playback authorization). Default: Indicates which content-packaging format is used (MPEG-TS or fMP4). If Whether the channel allows insecure RTMP and SRT ingest. Default: Channel latency mode. Use Object specifying multitrack input configuration. Default: no multitrack input configuration is specified. Channel name. Encoder settings for video. Object specifying the ingest configuration set up by the broadcaster, usually in an encoder. Object specifying the ingest configuration set up by the broadcaster, usually in an encoder. Note: IngestConfiguration is deprecated in favor of IngestConfigurations but retained to ensure backward compatibility. 
If multitrack is not enabled, IngestConfiguration and IngestConfigurations contain the same data, namely information about track0 (the sole track). If multitrack is enabled, IngestConfiguration contains data for only the first track (track0) and IngestConfigurations contains data for all tracks. Encoder settings for audio. Encoder settings for video Object specifying the ingest configuration set up by the broadcaster, usually in an encoder. Note: Use IngestConfigurations instead of IngestConfiguration (which is deprecated). If multitrack is not enabled, IngestConfiguration and IngestConfigurations contain the same data, namely information about track0 (the sole track). If multitrack is enabled, IngestConfiguration contains data for only the first track (track0) and IngestConfigurations contains data for all tracks. Indicates whether multitrack input is enabled. Can be set to Maximum resolution for multitrack input. Required if Indicates whether multitrack input is allowed or required. Required if A complex type that specifies multitrack input configuration. Provides additional details about the stream event. There are several values; note that the long descriptions are provided in the IVS console but not delivered through the IVS API or EventBridge: Provides additional details about the stream event. There are several values; the long descriptions are provided in the IVS console but not delivered through the IVS API or EventBridge. Multitrack-related codes are used only for certain Session Ended events. The properties of the incoming RTMP stream for the stream. The properties of the incoming RTMP stream. Note: The properties of the incoming RTMP stream. If multitrack is enabled, The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if Important: For the The targeted thumbnail-generation interval in seconds. 
This is configurable (and required) only if Important: For the An object representing a configuration of thumbnails for recorded video. Whether the channel is private (enabled for playback authorization). Indicates which content-packaging format is used (MPEG-TS or fMP4). If Whether the channel allows insecure RTMP and SRT ingest. Default: Channel latency mode. Use Object specifying multitrack input configuration. Default: no multitrack input configuration is specified. Channel name. Software or hardware used to encode the video. Indicates the degree of required decoder performance for a profile. Normally this is set automatically by the encoder. When an AVC codec is used, this field has the same value as Indicates to the decoder the requirements for decoding the stream. When an AVC codec is used, this field has the same value as The expected ingest bitrate (bits per second). This is configured in the encoder. The expected ingest framerate. This is configured in the encoder. Name of the video track. If multitrack is not enabled, this is track0 (the sole track). Video-resolution height in pixels. Video-resolution width in pixels. Object specifying a stream’s video configuration, as set up by the broadcaster (usually in an encoder). This is part of the IngestConfiguration object and used for monitoring stream health. Object specifying a stream’s video configuration, as set up by the broadcaster (usually in an encoder). This is part of the IngestConfigurations object and the deprecated IngestConfiguration object. It is used for monitoring stream health. Associates the user to an EC2 instance to utilize user-based subscriptions. Your estimated bill for charges on the number of users and related costs will take 48 hours to appear for billing periods that haven't closed (marked as Pending billing status) in Amazon Web Services Billing. For more information, see Viewing your monthly charges in the Amazon Web Services Billing User Guide. 
Creates a network endpoint for the Remote Desktop Services (RDS) license server. Deletes a Deregisters the identity provider from providing user-based subscriptions. Deregisters the Active Directory identity provider from License Manager user-based subscriptions. Lists the identity providers for user-based subscriptions. Lists the Active Directory identity providers for user-based subscriptions. Lists the EC2 instances providing user-based subscriptions. List the Remote Desktop Services (RDS) License Server endpoints Lists the user-based subscription products available from an identity provider. Returns the list of tags for the specified resource. Stops a product subscription for a user with the specified identity provider. Adds tags to a resource. Removes tags from a resource. The The type of Active Directory – either a self-managed Active Directory or an Amazon Web Services Managed Active Directory. The directory ID for an Active Directory identity provider. Details about an Active Directory identity provider. Points to the A list of domain IPv4 addresses that are used for the Active Directory. The domain name for the Active Directory. The Contains network access and credential details that are needed for user administration in the Active Directory. The domain name of the user. The domain name of the Active Directory that contains information for the user to associate. The identity provider of the user. The identity provider for the user. The ID of the EC2 instance, which provides user-based subscriptions. The ID of the EC2 instance that provides the user-based subscription. The tags that apply for the user association. The user name from the identity provider for the user. The user name from the identity provider. The Amazon Resource Name (ARN) that identifies the The The tags that apply for the license server endpoint. The Amazon Resource Name (ARN) of the identity provider specified in the request. 
The ARN of the Identifies the Secrets Manager secret that contains credentials needed for user administration in the Active Directory. Contains information about the credential provider for user administration. The Amazon Resource Name (ARN) that identifies the The type of License Server that the delete request refers to. Shows details from the An object that specifies details for the identity provider. An object that specifies details for the Active Directory identity provider. The Amazon Resource Name (ARN) that identifies the identity provider to deregister. The name of the user-based subscription product. The name of the user-based subscription product. Valid values: The domain name of the user. The domain name of the Active Directory that contains information for the user to disassociate. An object that specifies details for the identity provider. An object that specifies details for the Active Directory identity provider. The ID of the EC2 instance, which provides user-based subscriptions. The ID of the EC2 instance which provides user-based subscriptions. The Amazon Resource Name (ARN) of the user to disassociate from the EC2 instance. The user name from the identity provider for the user. The user name from the Active Directory identity provider for the user. Contains a list of subnets that apply for the Active Directory domain. Contains network settings for the Active Directory domain. Value of the filter. A filter name and value pair that is used to return more specific results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs. A filter name and value pair that is used to return more specific results from a describe or list operation. You can use filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs. An object that details an Active Directory identity provider. The Details about an identity provider. 
Refers to an identity provider. An object that specifies details for the identity provider. The The Amazon Resource Name (ARN) of the identity provider. An object that details the registered identity provider’s product related configuration settings such as the subnets to provision VPC endpoints. The The status of an identity provider. The status of the identity provider. Describes an identity provider. The domain name of the user. The domain name of the Active Directory that contains the user information for the product subscription. An object that specifies details for the identity provider. The The ID of the EC2 instance, which provides user-based subscriptions. The ID of the EC2 instance that provides user-based subscriptions. The Amazon Resource Name (ARN) that identifies the instance user. An exception occurred with the service. The health status of the RDS license server. A list of domain IPv4 addresses that are used for the RDS license server. The current state of the provisioning process for the RDS license server. Information about a Remote Desktop Services (RDS) license server. The timestamp when License Manager created the license server endpoint. The Amazon Resource Name (ARN) of the identity provider that's associated with the RDS license server endpoint. The ARN of the The ID of the license server endpoint. The current state of the provisioning process for the RDS license server endpoint An array of The The type of license server. The message associated with the provisioning status, if there is one. Contains details about a network endpoint for a Remote Desktop Services (RDS) license server. The The type of license server. The settings to configure your license server. You can use the following filters to streamline results: Product DirectoryId Maximum number of results to return in a single call. The maximum number of results to return from a single request. Token for the next set of results. A token to specify where to start paginating. 
This is the nextToken from a previously truncated response. Metadata that describes the list identity providers operation. An array of Token for the next set of results. The next token used for paginated responses. When this field isn't empty, there are additional elements that the service hasn't included in this request. Use this token with the next request to retrieve additional objects. An array of structures that you can use to filter the results to those that match one or more sets of key-value pairs that you specify. You can use the following filters to streamline results: Status InstanceId Maximum number of results to return in a single call. The maximum number of results to return from a single request. Token for the next set of results. A token to specify where to start paginating. This is the nextToken from a previously truncated response. Metadata that describes the list instances operation. An array of The next token used for paginated responses. When this field isn't empty, there are additional elements that the service hasn't included in this request. Use this token with the next request to retrieve additional objects. You can use the following filters to streamline results: IdentityProviderArn The maximum number of results to return from a single request. Token for the next set of results. A token to specify where to start paginating. This is the nextToken from a previously truncated response. An array of The next token used for paginated responses. When this field isn't empty, there are additional elements that the service hasn't included in this request. Use this token with the next request to retrieve additional objects. An array of structures that you can use to filter the results to those that match one or more sets of key-value pairs that you specify. You can use the following filters to streamline results: Status Username Domain Maximum number of results to return in a single call. The maximum number of results to return from a single request. 
Token for the next set of results. A token to specify where to start paginating. This is the nextToken from a previously truncated response. The name of the user-based subscription product. The name of the user-based subscription product. Valid values: Token for the next set of results. The next token used for paginated responses. When this field isn't empty, there are additional elements that the service hasn't included in this request. Use this token with the next request to retrieve additional objects. The Amazon Resource Name (ARN) of the resource whose tags you want to retrieve. The tags for the specified resource. An array of structures that you can use to filter the results to those that match one or more sets of key-value pairs that you specify. You can use the following filters to streamline results: Status Username Domain Maximum number of results to return in a single call. The maximum number of results to return from a single request. Token for the next set of results. A token to specify where to start paginating. This is the nextToken from a previously truncated response. Token for the next set of results. The next token used for paginated responses. When this field isn't empty, there are additional elements that the service hasn't included in this request. Use this token with the next request to retrieve additional objects. The domain name of the user. The domain name of the Active Directory that contains the user information for the product subscription. The name of the user-based subscription product. The Amazon Resource Name (ARN) for this product user. The status of a product for a user. The status of a product for this user. The status message for a product for a user. The status message for a product for this user. The user name from the identity provider of the user. The user name from the identity provider for this product user. The summary of the user-based subscription products for a user. 
A summary of the user-based subscription products for a specific user. The Server settings that are specific to a Remote Desktop Services (RDS) license server. An object that specifies details for the identity provider. An object that specifies details for the identity provider to register. The name of the user-based subscription product. The name of the user-based subscription product. Valid values: The registered identity provider’s product related configuration settings such as the subnets to provision VPC endpoints. The tags that apply to the identity provider's registration. The ID of the Secrets Manager secret that contains credentials. Contains a credentials secret that's stored in Secrets Manager. The network address of the endpoint. A network endpoint through which you can access one or more servers. The Contains settings for a specific server. The domain name of the user. The domain name of the Active Directory that contains the user for whom to start the product subscription. The name of the user-based subscription product. The name of the user-based subscription product. Valid values: The tags that apply to the product subscription. The domain name of the user. The domain name of the Active Directory that contains the user for whom to stop the product subscription. The name of the user-based subscription product. The name of the user-based subscription product. Valid values: The Amazon Resource Name (ARN) of the product user. The Amazon Resource Name (ARN) of the resource that you want to tag. The tags to apply to the specified resource. The request was denied because of request throttling. Retry the request. The Amazon Resource Name (ARN) of the resource that you want to remove tags from. The tag keys to remove from the resource. The Amazon Resource Name (ARN) of the identity provider to update. The name of the user-based subscription product. The name of the user-based subscription product. 
Valid values: Enables you to reassign an existing This is useful for distributing opportunities to the appropriate team members or departments within your organization, ensuring that each opportunity is handled by the right person. By default, the opportunity owner is the one who creates it. Currently, there's no API to enumerate the list of available users. Enables you to create a formal association between an Partner Solution: A software product or consulting practice created and delivered by Partners. Partner Solutions help customers address specific business challenges or achieve particular goals using Amazon Web Services services. Amazon Web Services Product: Amazon Web Services offers a wide range of products and services designed to provide scalable, reliable, and cost-effective infrastructure solutions. For the latest list of Amazon Web Services products, refer to Amazon Web Services products. Amazon Web Services Marketplace private offer: Allows Amazon Web Services Marketplace sellers to extend custom pricing and terms to individual Amazon Web Services customers. Sellers can negotiate custom prices, payment schedules, and end user license terms through private offers, enabling Amazon Web Services customers to acquire software solutions tailored to their specific needs. For more information, refer to Private offers in Amazon Web Services Marketplace. To obtain identifiers for these entities, use the following methods: Solution: Use the AWS products: For the latest list of Amazon Web Services products, refer to the Amazon Web Services products list. Amazon Web Services Marketplace private offer: Use the AWS Marketplace Catalog API to list entities. Specifically, use the Creates an To fully submit an opportunity, follow these steps: To create the opportunity, use To associate a solution with the opportunity, use To submit the opportunity, use After submission, you can't edit the opportunity until the review is complete. 
However, opportunities in the There's a set of mandatory fields required to create opportunities, but consider providing optional fields to enrich the opportunity record. Allows you to remove an existing association between an Use this operation to update the associations of an Retrieves a summary of an AWS Opportunity. This summary includes high-level details about the opportunity sourced from AWS, such as lifecycle information, customer details, and involvement type. It is useful for tracking updates on the AWS opportunity corresponding to an opportunity in the partner's account. Retrieves the details of an engagement invitation shared by AWS with a partner. The information includes key aspects such as the customer, project details, and lifecycle information related to the engagement. Fetches the Use the Retrieves a list of engagement invitations sent to the partner. This allows partners to view all pending or past engagement invitations, helping them track opportunities shared by AWS. This request accepts a list of filters to use to retrieve a specific subset of opportunities, as well as sort options. This feature is available to partners from Partner Central using the To synchronize your system with Amazon Web Services, only list the opportunities that were newly created or updated. We recommend you rely on events emitted by the service into your Amazon Web Services account’s Amazon EventBridge default event bus, you can also use the We recommend the following approach: Find the latest When you send a Amazon Web Services only returns opportunities created or updated on or after that date and time. Use Retrieves a list of Partner Solutions that the partner registered on Partner Central. This API is used to generate a list of solutions that an end user selects from for association with an opportunity. 
Use this action to reject an This action starts the engagement by accepting an This action initiates the engagement process from an existing opportunity by accepting the engagement invitation and creating a corresponding opportunity in the partner’s system. Similar to Updates the When you perform updates, include the entire payload with each request. If any field is omitted, the API assumes that the field is set to This error occurs when you don't have permission to perform the requested action. You don’t have access to this action or resource. Review IAM policies or contact your AWS administrator for assistance. Specifies the end Specifies the Specifies the end Indicates the Specifies the industry the end Specifies the end Specifies the end customer's company website URL associated with the Specifies the Represents the alias of the partner account receiving the Engagement Invitation, making it easier to identify and track the recipient in reports or logs. Indicates the AWS account ID of the partner who received the Engagement Invitation. This is a unique identifier for managing engagements with specific AWS accounts. Contains the account details of the partner who received the Engagement Invitation, including the AWS account ID and company name. Specifies the end Specifies the end Specifies which industry the end To submit a value outside the picklist, use Conditionally mandatory if Specifies the end Specifies the end customer's company website URL associated with the An object that contains an Specifies the end Specifies the end Specifies the end Specifies the end Valid values: Specifies the end Specifies the end Specifies the end Specifies the end Specifies the end Specifies the end Valid values: An object that contains an Specifies the user or team member responsible for managing the assigned opportunity. This field identifies the Assignee based on the partner's internal team structure. 
Ensure that the email address is associated with a registered user in your Partner Central account. Specifies the catalog associated with the request. This field takes a string value from a predefined list: Requires the Specifies the business title of the assignee managing the opportunity. This helps clarify the individual's role and responsibilities within the organization. Provides the email address of the assignee. This email is used for communications and notifications related to the opportunity. Specifies the first name of the assignee managing the opportunity. Specifies the last name of the assignee managing the opportunity. Represents the contact details of the individual assigned to manage the opportunity within the partner organization. This ensures that there is a clear point of contact for the opportunity's progress and updates. Specifies the catalog associated with the request. This field takes a string value from a predefined list: Requires the Requires the related entity's unique identifier when you want to associate it with the Specifies the type of the related entity you're associating with the Provides a list of customer contacts involved in the opportunity. These contacts may include decision-makers, influencers, and other key stakeholders within the customer's organization. Represents the customer associated with the AWS opportunity. This field captures key details about the customer that are necessary for managing the opportunity. Represents a score assigned by AWS to indicate the level of engagement and potential success for the opportunity. This score helps partners prioritize their efforts. Provides recommendations from AWS on the next best actions to take in order to move the opportunity forward and increase the likelihood of success. Contains insights provided by AWS for the opportunity, offering recommendations and analysis that can help the partner optimize their engagement and strategy. 
Indicates the reason why an opportunity was marked as Specifies the immediate next steps required to progress the opportunity. These steps are based on AWS's guidance and the current stage of the opportunity. Provides a historical log of previous next steps that were taken to move the opportunity forward. This helps in tracking the decision-making process and identifying any delays or obstacles encountered. Represents the current stage of the opportunity in its lifecycle, such as Indicates the expected date by which the opportunity is projected to close. This field helps in planning resources and timelines for both the partner and AWS. Tracks the lifecycle of the AWS opportunity, including stages such as qualification, validation, and closure. This field helps partners understand the current status and progression of the opportunity. Indicates the expected spending by the customer over the course of the project. This value helps partners and AWS estimate the financial impact of the opportunity. Use the AWS Pricing Calculator to create an estimate of the customer’s total spend. If only annual recurring revenue (ARR) is available, distribute it across 12 months to provide an average monthly value. Captures details about the project associated with the opportunity, including objectives, scope, and customer requirements. Specifies the AWS products associated with the opportunity. This field helps track the specific products that are part of the proposed solution. Specifies the partner solutions related to the opportunity. These solutions represent the partner's offerings that are being positioned as part of the overall AWS opportunity. Represents other entities related to the AWS opportunity, such as AWS products, partner solutions, and marketplace offers. These associations help build a complete picture of the solution being sold. Specifies the type of AWS involvement in the opportunity, such as co-selling, deal support, or technical consultation. 
This helps categorize the nature of AWS's participation. Determines who can view AWS's involvement in the opportunity. Typically, this field is set to Indicates the level of AWS involvement in the opportunity. This field helps track AWS's role and participation throughout the engagement, such as providing technical support, deal assistance, or sales support. Specifies the Amazon Web Services team member's business title and indicates their organizational role. Provides the Amazon Web Services team member's email address. Provides the Amazon Web Services team member's first name. Provides the Amazon Web Services team member's last name. Represents an Amazon Web Services team member for the engagement. This structure includes details such as name, email, and business title. This error occurs when the request can’t be processed due to a conflict with the target resource's current state, which could result from updating or deleting the resource. Suggested action: Fetch the latest state of the resource, verify the state, and retry the request. The partner contact's title (job title or role) associated with the The contact's email address associated with the The contact's first name associated with the The contact's last name associated with the The contact's phone number associated with the An object that contains a Specifies the catalog associated with the request. This field takes a string value from a predefined list: Required to be unique, and should be unchanging, it can be randomly generated or a meaningful string. Default: None Best practice: To ensure uniqueness and avoid collisions, we recommend you use a UUID (Universally Unique Identifier) as the Specifies customer details associated with the An object that contains lifecycle details for the This object contains marketing details and is optional for an opportunity. Indicates whether the Represents the internal team handling the opportunity. 
Specify the members involved in collaborating on this opportunity within the partner's organization. Specifies the opportunity type as a renewal, new, or expansion. Opportunity types: New opportunity: Represents a new business opportunity with a potential customer that's not previously engaged with your solutions or services. Renewal opportunity: Represents an opportunity to renew an existing contract or subscription with a current customer, ensuring continuity of service. Expansion opportunity: Represents an opportunity to expand the scope of an existing contract or subscription, either by adding new services or increasing the volume of existing services for a current customer. Specifies the origin of the opportunity, indicating if it was sourced from Amazon Web Services or the partner. For all opportunities created with Specifies the opportunity's unique identifier in the partner's CRM system. This value is essential to track and reconcile because it's included in the outbound payload sent back to the partner. This field allows partners to link an opportunity to their CRM, to ensure seamless integration and accurate synchronization between the Partner Central API and the partner's internal systems. Identifies the type of support the partner needs from Amazon Web Services. Valid values: Co-Sell - Architectural Validation: Confirmation from Amazon Web Services that the partner's proposed solution architecture is aligned with Amazon Web Services best practices and poses minimal architectural risks. Co-Sell - Business Presentation: Request Amazon Web Services seller's participation in a joint customer presentation. Co-Sell - Competitive Information: Access to Amazon Web Services competitive resources and support for the partner's proposed solution. Co-Sell - Pricing Assistance: Connect with an Amazon Web Services seller for support situations where a partner may be receiving an upfront discount on a service (for example: EDP deals). 
Co-Sell - Technical Consultation: Connect with an Amazon Web Services Solutions Architect to address the partner's questions about the proposed solution. Co-Sell - Total Cost of Ownership Evaluation: Assistance with quoting different cost savings of proposed solutions on Amazon Web Services versus on-premises or a traditional hosting environment. Co-Sell - Deal Support: Request Amazon Web Services seller's support to progress the opportunity (for example: joint customer call, strategic positioning). Co-Sell - Support for Public Tender / RFx: Opportunity related to the public sector where the partner needs Amazon Web Services RFx support. Do Not Need Support from AWS Sales Rep: Indicates that a partner doesn't need support from an Amazon Web Services sales representative, and the partner solely manages the opportunity. It's possible to request co-selling support on these opportunities at any stage during their lifecycle. Also known as, for-visibility-only (FVO) opportunity. An object that contains project details for the Specifies details of a customer's procurement terms. Required only for partners in eligible programs. Read-only, system-generated Specifies the opportunity's unique identifier in the partner's CRM system. This value is essential to track and reconcile because it's included in the outbound payload sent back to the partner. An object that contains the customer's account details. Represents the contact details for individuals associated with the customer of the An object that contains the customer's An object that contains a customer's account details. An object that contains a Specifies the catalog associated with the request. This field takes a string value from a predefined list: The opportunity's unique identifier for when you want to disassociate it from related entities. This identifier is crucial to ensure the correct opportunity is updated, especially in environments with numerous opportunities. 
Validation: Ensure that the identifier provided corresponds to an existing opportunity in the Amazon Web Services system because incorrect identifiers result in an error and no changes are made. The related entity's identifier that you want to disassociate from the opportunity. Depending on the type of entity, this could be a simple identifier or an Amazon Resource Name (ARN) for entities managed through Amazon Web Services Marketplace. For Amazon Web Services Marketplace entities, use the Amazon Web Services Marketplace API to obtain the necessary ARNs. For guidance on retrieving these ARNs, refer to Amazon Web Services Marketplace Catalog API . Validation: Ensure the identifier or ARN is valid and corresponds to an existing related entity. An incorrect or invalid identifier results in an error. The type of the entity that you're disassociating from the opportunity. When you specify the entity type, it helps the system correctly process the disassociation request and ensures that the right connections are removed. Examples of entity types include Partner Solution, Amazon Web Services product, and Amazon Web Services Marketplace offer. Ensure that the value matches one of the expected entity types. Validation: Provide a valid entity type to ensure successful disassociation. Invalid or incorrect entity types result in an error. Represents the name of the customer’s company associated with the Engagement Invitation. This field is used to identify the customer. Indicates the country in which the customer’s company operates. This field is useful for understanding regional requirements or compliance needs. Specifies the industry to which the customer’s company belongs. This field helps categorize the opportunity based on the customer’s business sector. Provides the website URL of the customer’s company. This field helps partners verify the legitimacy and size of the customer organization. 
Contains details about the customer associated with the Engagement Invitation, including key company information and industry. The Amazon Resource Name (ARN) of the Engagement Invitation. The ARN is a unique identifier that allows partners to reference the invitation in their system and manage its lifecycle. Specifies the catalog in which the Engagement Invitation resides. This can be either the Provides a short title or description of the Engagement Invitation. This title helps partners quickly identify and differentiate between multiple engagement opportunities. Indicates the date and time when the Engagement Invitation will expire. After this date, the invitation can no longer be accepted, and the opportunity will no longer be available for the partner to engage. Represents the unique identifier of the Engagement Invitation. This identifier is used to track the invitation and to manage responses like acceptance or rejection. Indicates the date when the Engagement Invitation was sent to the partner. This provides context for when the opportunity was shared and helps in tracking the timeline for engagement. Describes the type of payload associated with the Engagement Invitation, such as Specifies the partner company or individual that received the Engagement Invitation. This field is important for tracking who the invitation was sent to within the partner organization. Specifies the AWS account ID of the sender who initiated the Engagement Invitation. This allows the partner to identify the AWS entity or representative responsible for sharing the opportunity. Indicates the name of the company or AWS division that sent the Engagement Invitation. This information is useful for partners to know which part of AWS is requesting engagement. Represents the current status of the Engagement Invitation, such as Provides a summarized view of the Engagement Invitation, including key details like the identifier, status, and sender information. 
This summary helps partners track and manage AWS-originated opportunities. Represents the estimated monthly revenue that the partner expects to earn from the opportunity. This helps in forecasting financial returns. Indicates the currency in which the revenue estimate is provided. This helps in understanding the financial impact across different markets. Indicates how frequently the customer is expected to spend the projected amount. This can include values such as Specifies the name of the partner company that is expected to generate revenue from the opportunity. This field helps track the partner’s involvement in the opportunity. Provides an estimate of the revenue that the partner is expected to generate from the opportunity. This information helps partners assess the financial value of the project. Specifies the catalog in which the AWS Opportunity is located. Accepted values include The unique identifier for the related partner opportunity. Use this field to correlate an AWS opportunity with its corresponding partner opportunity in your CRM system. Specifies the catalog in which the AWS Opportunity exists. This is the environment (e.g., Provides details about the customer associated with the AWS Opportunity, including account information, industry, and other key customer data. These details help partners understand the business context of the opportunity. Provides insights into the AWS Opportunity, including engagement score and recommended actions that AWS suggests for the partner. Specifies the type of involvement AWS has in the opportunity, such as direct co-sell or advisory support. This field helps partners understand the role AWS will play in advancing the opportunity. Provides a reason for any changes in the involvement type of AWS in the opportunity. This field is used to track why the level of AWS engagement has changed from Contains lifecycle information for the AWS Opportunity, including review status, stage, and target close date. 
This field is crucial for partners to monitor the progression of the opportunity. Details the AWS Opportunity team, including key members involved in the opportunity. This information helps partners know who from AWS is engaged and their roles in the opportunity. Specifies whether the AWS Opportunity originated from AWS or the partner. This helps distinguish between opportunities that were sourced by AWS and those referred by the partner. Provides details about the project associated with the AWS Opportunity, including the customer’s business problem, expected outcomes, and project scope. This information is crucial for understanding the broader context of the opportunity. Lists related entity identifiers, such as AWS products or partner solutions, associated with the AWS Opportunity. These identifiers provide additional context and help partners understand which AWS services are involved. Provides the unique identifier of the related partner opportunity, allowing partners to link the AWS Opportunity to their corresponding opportunity in their CRM system. Defines the visibility level for the AWS Opportunity. Use Specifies the catalog associated with the request. The field accepts values from the predefined set: Specifies the unique identifier for the engagement invitation being retrieved. The Amazon Resource Name (ARN) that uniquely identifies the engagement invitation. Indicates the catalog from which the engagement invitation details are retrieved. This field helps in identifying the appropriate catalog (e.g., The title of the engagement invitation, summarizing the purpose or key objectives of the opportunity shared by AWS. Indicates the date on which the engagement invitation will expire if not accepted by the partner. Unique identifier assigned to the engagement invitation being retrieved. The date when the engagement invitation was sent to the partner. 
Details of the engagement invitation payload, including specific data relevant to the invitation's contents, such as customer information and opportunity insights. The type of payload contained in the engagement invitation, indicating what data or context the payload covers. Information about the partner organization or team that received the engagement invitation, including contact details and identifiers. If the engagement invitation was rejected, this field specifies the reason provided by the partner for the rejection. Specifies the AWS Account ID of the sender, which identifies the AWS team responsible for sharing the engagement invitation. The name of the AWS organization or team that sent the engagement invitation. The current status of the engagement invitation (e.g., Specifies the catalog associated with the request. This field takes a string value from a predefined list: Read-only, system generated Specifies the catalog associated with the request. This field takes a string value from a predefined list: Specifies details of the customer associated with the Read-only, system generated An object that contains lifecycle details for the An object that contains marketing details for the Indicates whether the Represents the internal team handling the opportunity. Specify the members involved in collaborating on this opportunity within the partner's organization. Specifies the opportunity type as renewal, new, or expansion. Opportunity types: New opportunity: Represents a new business opportunity with a potential customer that's not previously engaged with your solutions or services. Renewal opportunity: Represents an opportunity to renew an existing contract or subscription with a current customer, ensuring continuity of service. Expansion opportunity: Represents an opportunity to expand the scope of an existing contract or subscription, either by adding new services or increasing the volume of existing services for a current customer. 
Specifies the opportunity's unique identifier in the partner's CRM system. This value is essential to track and reconcile because it's included in the outbound payload sent back to the partner. Identifies the type of support the partner needs from Amazon Web Services. Valid values: Co-Sell - Architectural Validation: Confirmation from Amazon Web Services that the partner's proposed solution architecture is aligned with Amazon Web Services best practices and poses minimal architectural risks. Co-Sell - Business Presentation: Request Amazon Web Services seller's participation in a joint customer presentation. Co-Sell - Competitive Information: Access to Amazon Web Services competitive resources and support for the partner's proposed solution. Co-Sell - Pricing Assistance: Connect with an Amazon Web Services seller for support situations where a partner may be receiving an upfront discount on a service (for example: EDP deals). Co-Sell - Technical Consultation: Connect with an Amazon Web Services Solutions Architect to address the partner's questions about the proposed solution. Co-Sell - Total Cost of Ownership Evaluation: Assistance with quoting different cost savings of proposed solutions on Amazon Web Services versus on-premises or a traditional hosting environment. Co-Sell - Deal Support: Request Amazon Web Services seller's support to progress the opportunity (for example: joint customer call, strategic positioning). Co-Sell - Support for Public Tender / RFx: Opportunity related to the public sector where the partner needs Amazon Web Services RFx support. Do Not Need Support from Amazon Web Services Sales Rep: Indicates that a partner doesn't need support from an Amazon Web Services sales representative, and the partner solely manages the opportunity. It's possible to request co-selling support on these opportunities at any stage during their lifecycle. Also known as, for-visibility-only (FVO) opportunity. 
An object that contains project details summary for the Provides information about the associations of other entities with the opportunity. These entities include identifiers for Specifies details of a customer's procurement terms. Required only for partners in eligible programs. This error occurs when the specified resource can’t be found or doesn't exist. Resource ID and type might be incorrect. Suggested action: This is usually a transient error. Retry after the provided retry delay or a short interval. If the problem persists, contact AWS support. Specifies the date after which the opportunities were modified. Use this filter to retrieve only those opportunities that were modified after a given timestamp. Specifies the date before which the opportunities were modified. Use this filter to retrieve only those opportunities that were modified before a given timestamp. Defines a filter to retrieve opportunities based on the last modified date. This filter is useful for tracking changes or updates to opportunities over time. Specifies the reason code when an opportunity is marked as Closed Lost. When you select an appropriate reason code, you communicate the context for closing the Customer Deficiency: The customer lacked necessary resources or capabilities. Delay/Cancellation of Project: The project was delayed or canceled. Legal/Tax/Regulatory: Legal, tax, or regulatory issues prevented progress. Lost to Competitor - Google: The opportunity was lost to Google. Lost to Competitor - Microsoft: The opportunity was lost to Microsoft. Lost to Competitor - SoftLayer: The opportunity was lost to SoftLayer. Lost to Competitor - VMWare: The opportunity was lost to VMWare. Lost to Competitor - Other: The opportunity was lost to a competitor not listed above. No Opportunity: There was no opportunity to pursue. On Premises Deployment: The customer chose an on-premises solution. Partner Gap: The partner lacked necessary resources or capabilities. 
Price: The price was not competitive or acceptable to the customer. Security/Compliance: Security or compliance issues prevented progress. Technical Limitations: Technical limitations prevented progress. Customer Experience: Issues related to the customer's experience impacted the decision. Other: Any reason not covered by the other values. People/Relationship/Governance: Issues related to people, relationships, or governance. Product/Technology: Issues related to the product or technology. Financial/Commercial: Financial or commercial issues impacted the decision. Specifies the upcoming actions or tasks for the Captures a chronological record of the next steps or actions planned or taken for the current opportunity, along with the timestamp. Indicates why an opportuntiy was sent back for further details. Partners must take corrective action based on the Indicates the review status of an opportunity referred by a partner. This field is read-only and only applicable for partner referrals. The possible values are: Pending Submission: Not submitted for validation (editable). Submitted: Submitted for validation, and Amazon Web Services hasn't reviewed it (read-only). In Review: Amazon Web Services is validating (read-only). Action Required: Issues that Amazon Web Services highlights need to be addressed. Partners should use the Customer.Account.Address.City Customer.Account.Address.CountryCode Customer.Account.Address.PostalCode Customer.Account.Address.StateOrRegion Customer.Account.Address.StreetAddress Customer.Account.WebsiteUrl LifeCycle.TargetCloseDate Project.ExpectedMonthlyAWSRevenue.Amount Project.ExpectedMonthlyAWSRevenue.CurrencyCode Project.CustomerBusinessProblem PartnerOpportunityIdentifier After updates, the opportunity re-enters the validation phase. This process repeats until all issues are resolved, and the opportunity's Approved: Validated and converted into the Amazon Web Services seller's pipeline (editable). Rejected: Disqualified (read-only). 
Indicates the reason a decision was made during the opportunity review process. This field combines the reasons for both disqualified and action required statuses, and provide clarity for why an opportunity was disqualified or requires further action. Specifies the current stage of the A lead and a prospect must be further matured to a The descriptions of each sales stage are: Prospect: Amazon Web Services identifies the opportunity. It can be active (Comes directly from the end customer through a lead) or latent (Your account team believes it exists based on research, account plans, sales plays). Qualified: Your account team engaged with the prospect/end customer to discuss viability and understand requirements. The prospect/end customer agreed that the opportunity is real, of interest, and may solve key business/technical needs. Technical Validation: All parties understand the implementation plan. Business Validation: Pricing was proposed, and all parties agree to the steps to close. Committed: The customer signed the contract, but Amazon Web Services hasn't started billing. Launched: The workload is complete, and Amazon Web Services has started billing. Closed Lost: The opportunity is lost, and there are no steps to move forward. Specifies the date when Amazon Web Services expects to start significant billing, when the project finishes, and when it moves into production. This field informs the Amazon Web Services seller about when the opportunity launches and starts to incur Amazon Web Services usage. Ensure the An object that contains the Specifies the reason code when an opportunity is marked as Closed Lost. When you select an appropriate reason code, you communicate the context for closing the Specifies the upcoming actions or tasks for the Indicates why an opportuntiy was sent back for further details. Partners must take corrective action based on the Indicates the review status of a partner referred opportunity. 
This field is read-only and only applicable for partner referrals. Valid values: Pending Submission: Not submitted for validation (editable). Submitted: Submitted for validation and not yet Amazon Web Services reviewed (read-only). In Review: Undergoing Amazon Web Services validation (read-only). Action Required: Address any issues Amazon Web Services highlights. Use the Customer.Account.Address.City Customer.Account.Address.CountryCode Customer.Account.Address.PostalCode Customer.Account.Address.StateOrRegion Customer.Account.Address.StreetAddress Customer.Account.WebsiteUrl LifeCycle.TargetCloseDate Project.ExpectedCustomerSpend.Amount Project.ExpectedCustomerSpend.CurrencyCode Project.CustomerBusinessProblem PartnerOpportunityIdentifier After updates, the opportunity re-enters the validation phase. This process repeats until all issues are resolved, and the opportunity's Approved: Validated and converted into the Amazon Web Services seller's pipeline (editable). Rejected: Disqualified (read-only). Indicates the reason a specific decision was taken during the opportunity review process. This field combines the reasons for both disqualified and action required statuses, and provides clarity for why an opportunity was disqualified or required further action. Specifies the current stage of the A lead and a prospect must be further matured to a The descriptions of each sales stage are: Prospect: Amazon Web Services identifies the opportunity. It can be active (Comes directly from the end customer through a lead) or latent (Your account team believes it exists based on research, account plans, sales plays). Qualified: Your account team engaged with the prospect/end customer to discuss viability and understand requirements. The prospect/end customer agreed that the opportunity is real, of interest, and may solve key business/technical needs. Technical Validation: All parties understand the implementation plan. 
Business Validation: Pricing has been proposed, Pricing was proposed, and all parties agree to the steps to close. Committed: The customer signed the contract, but Amazon Web Services hasn't started billing. Launched: The workload is complete, and Amazon Web Services has started billing. Closed Lost: The opportunity is lost, and there are no steps to move forward. Specifies the date when Amazon Web Services expects to start significant billing, when the project finishes, and when it moves into production. This field informs the Amazon Web Services seller about when the opportunity launches and starts to incur Amazon Web Services usage. Ensure the An object that contains a Specifies the catalog from which to list the engagement invitations. Use Specifies the maximum number of engagement invitations to return in the response. If more results are available, a pagination token will be provided. A pagination token used to retrieve additional pages of results when the response to a previous request was truncated. Pass this token to continue listing invitations from where the previous call left off. Specifies the type of participant for which to list engagement invitations. Identifies the role of the participant. Defines the type of payload associated with the engagement invitations to be listed. The attributes in this payload help decide on acceptance or rejection of the invitation. Specifies the sorting options for listing engagement invitations. Invitations can be sorted by fields such as An array containing summaries of engagement invitations. Each summary includes key information such as the invitation title, invitation date, and the current status of the invitation. A pagination token returned when there are more results available than can be returned in a single call. Use this token to retrieve additional pages of engagement invitation summaries. Specifies the catalog associated with the request. 
This field takes a string value from a predefined list: Filters the opportunities based on the customer's company name. This allows partners to search for opportunities associated with a specific customer by matching the provided company name string. Filters the opportunities based on the opportunity identifier. This allows partners to retrieve specific opportunities by providing their unique identifiers, ensuring precise results. Filters the opportunities based on their last modified date. This filter helps retrieve opportunities that were updated after the specified date, allowing partners to track recent changes or updates. Filters the opportunities based on their current lifecycle approval status. Use this filter to retrieve opportunities with statuses such as Filters the opportunities based on their lifecycle stage. This filter allows partners to retrieve opportunities at various stages in the sales cycle, such as Specifies the maximum number of results to return in a single call. This limits the number of opportunities returned in the response to avoid overloading with too many results at once. Default: 20 A pagination token used to retrieve the next set of results in subsequent calls. This token is included in the response only if there are additional result pages available. An object that specifies how the response is sorted. The default A pagination token used to retrieve the next set of results in subsequent calls. This token is included in the response only if there are additional result pages available. An array that contains minimal details for opportunities that match the request criteria. This summary view provides a quick overview of relevant opportunities. Specifies the catalog associated with the request. This field takes a string value from a predefined list: Filters the solutions based on the category to which they belong. 
This allows partners to search for solutions within specific categories, such as Filters the solutions based on their unique identifier. Use this filter to retrieve specific solutions by providing the solution's identifier for accurate results. The maximum number of results returned by a single call. This value must be provided in the next call to retrieve the next set of results. Default: 20 A pagination token used to retrieve the next set of results in subsequent calls. This token is included in the response only if there are additional result pages available. Object that configures sorting done on the response. Default Filters the solutions based on their status. This filter helps retrieve solutions with statuses such as A pagination token used to retrieve the next set of results in subsequent calls. This token is included in the response only if there are additional result pages available. An array with minimal details for solutions matching the request criteria. Indicates if the Specifies the Specifies the Indicates if the Specifies the marketing activity use case or purpose that led to the Valid values: An object that contains marketing details for the Specifies the payment amount. Specifies the payment currency. Specifies payments details. Indicates the step execution time. Indicates the step's execution details. Read-only; shows the last 50 values and change dates for the Specifies the field by which the Engagement Invitations are sorted. Common values include Defines the order in which the Engagement Invitations are sorted. The values can be Defines sorting options for retrieving Engagement Invitations. Sorting can be done based on various criteria like the invitation date or status. Contains information about the customer related to the opportunity in the Engagement Invitation. This data helps partners understand the customer’s profile and requirements. 
Describes the project details associated with the opportunity, including the customer’s needs and the scope of work expected to be performed. Outlines the responsibilities or expectations of the receiver in the context of the invitation. Represents the contact details of the AWS representatives involved in sending the Engagement Invitation. These contacts are key stakeholders for the opportunity. Represents the data payload of an Engagement Invitation for a specific opportunity. This contains detailed information that partners use to evaluate the engagement. Field name to sort by. Sort order. Default: Object that configures response sorting. Specifies the catalog associated with the opportunity, either An object that contains the Read-only, system-generated An object that contains the Specifies opportunity type as a renewal, new, or expansion. Opportunity types: New Opportunity: Represents a new business opportunity with a potential customer that's not previously engaged with your solutions or services. Renewal Opportunity: Represents an opportunity to renew an existing contract or subscription with a current customer, ensuring continuity of service. Expansion Opportunity: Represents an opportunity to expand the scope of an existing contract or subscription, either by adding new services or increasing the volume of existing services for a current customer. Specifies the An object that contains the An object that contains an Specifies the details of the opportunity invitation within the Engagement Invitation payload. This data helps partners understand the context, scope, and expected involvement for the opportunity from AWS. Contains the data payload associated with the Engagement Invitation. This payload includes essential details related to the AWS opportunity and is used by partners to evaluate whether to accept or reject the engagement. Indicates the date and time when a particular next step was recorded or planned. 
This helps in managing the timeline for the opportunity. Represents the details of the next step recorded, such as follow-up actions or decisions made. This field helps in tracking progress and ensuring alignment with project goals. Tracks the history of next steps associated with the opportunity. This field captures the actions planned for the future and their timeline. Captures additional comments or information for the Specifies the Amazon Partner Network (APN) program that influenced the Valid values: Name of the Describes the problem the end customer has, and how the partner is helping. Utilize this field to provide a clear and concise narrative that outlines the specific business challenge or issue the customer has. Elaborate on how the partner's solution or offerings align to resolve the customer's business problem. Include relevant information about the partner's value proposition, unique selling points, and expertise to tackle the issue. Offer insights on how the proposed solution meets the customer's needs and provides value. Use concise language and precise descriptions to convey the context and significance of the Specifies the proposed solution focus or type of workload for the Opportunity. This field captures the primary use case or objective of the proposed solution, and provides context and clarity to the addressed workload. Valid values: Specifies the deployment or consumption model for your solution or service in the Options' descriptions from the SaaS or PaaS: Your Amazon Web Services based solution deployed as SaaS or PaaS in your Amazon Web Services environment. BYOL or AMI: Your Amazon Web Services based solution deployed as BYOL or AMI in the end customer's Amazon Web Services environment. Managed Services: The end customer's Amazon Web Services business management (For example: Consulting, design, implementation, billing support, cost optimization, technical support). 
Professional Services: Offerings to help enterprise end customers achieve specific business outcomes for enterprise cloud adoption (For example: Advisory or transformation planning). Resell: Amazon Web Services accounts and billing management for your customers. Other: Delivery model not described above. Represents the estimated amount that the customer is expected to spend on AWS services related to the opportunity. This helps in evaluating the potential financial value of the opportunity for AWS. Only allowed when Specifies the offered solution for the customer's business problem when the Specifies the current opportunity's parent opportunity identifier. Specifies the Valid values: Initialized discussions with customer: Initial conversations with the customer to understand their needs and introduce your solution. Customer has shown interest in solution: After initial discussions, the customer is interested in your solution. Conducted POC / Demo: You conducted a proof of concept (POC) or demonstration of the solution for the customer. In evaluation / planning stage: The customer is evaluating the solution and planning potential implementation. Agreed on solution to Business Problem: Both parties agree on how the solution addresses the customer's business problem. Completed Action Plan: A detailed action plan is complete and outlines the steps for implementation. Finalized Deployment Need: Both parties agree with and finalized the deployment needs. SOW Signed: Both parties signed a statement of work (SOW), and formalize the agreement and detail the project scope and deliverables. Specifies the An object that contains the Describes the business problem that the project aims to solve. This information is crucial for understanding the project’s goals and objectives. Contains revenue estimates for the partner related to the project. This field provides an idea of the financial potential of the opportunity for the partner. 
Specifies the estimated date of project completion. This field helps track the project timeline and manage expectations. Specifies the title of the project. This title helps partners quickly identify and understand the focus of the project. Contains details about the project associated with the Engagement Invitation, including the business problem and expected outcomes. Specifies your solution or service's deployment or consumption model in the Options' descriptions from the SaaS or PaaS: Your Amazon Web Services based solution deployed as SaaS or PaaS in your Amazon Web Services environment. BYOL or AMI: Your Amazon Web Services based solution deployed as BYOL or AMI in the end customer's Amazon Web Services environment. Managed Services: The end customer's Amazon Web Services business management (For example: Consulting, design, implementation, billing support, cost optimization, technical support). Professional Services: Offerings to help enterprise end customers achieve specific business outcomes for enterprise cloud adoption (For example: Advisory or transformation planning). Resell: Amazon Web Services accounts and billing management for your customers. Other: Delivery model not described above. Provides a summary of the expected customer spend for the project, offering a high-level view of the potential financial impact. An object that contains a Specifies the AWS account of the partner who received the Engagement Invitation. This field is used to track the invitation recipient within the AWS ecosystem. Represents the entity that received the Engagement Invitation, including account and company details. This field is essential for tracking the partner who is being invited to collaborate. Specifies the catalog related to the engagement invitation. Accepted values are Specifies the unique identifier of the Specifies the reason for rejecting the engagement invitation. 
Providing a reason helps document the rationale behind the rejection and assists AWS in tracking patterns or issues. Possible values include: Customer problem unclear: The customer's problem is not clearly defined. Next steps unclear: The next steps required to proceed are not clear. Unable to support: The partner is unable to provide support due to resource or capability constraints. Duplicate of Partner Referral: The opportunity is a duplicate of an existing referral. Other: Any other reason not covered by the specified values. Takes one value per opportunity. Each value is an Amazon Resource Name (ARN), in this format: Use the ListEntities action in the Marketplace Catalog APIs for a list of offers in the associated Marketplace seller account. Enables the association of specific Amazon Web Services products with the Use the file with the list of Amazon Web Services products hosted on GitHub: Amazon Web Services products. Enables partner solutions or offerings' association with an opportunity. To associate a solution, provide the solution's unique identifier, which you can obtain with the If the specific solution identifier is not available, you can use the value By associating the relevant solutions with the opportunity, you can clearly communicate the offerings that are being considered or implemented to address the customer's business problem. This field provides the associations' information for other entities with the opportunity. These entities include identifiers for This error occurs when the specified resource can't be found. The resource might not exist, or isn't visible with the current credentials. Suggested action: Verify that the resource ID is correct and the resource is in the expected AWS region. Check IAM permissions for accessing the resource. 
The sender-provided contact's title (job title or role) associated with the The sender-provided contact's email address associated with the The sender-provided contact's last name associated with the The sender-provided contact's first name associated with the The sender-provided contact's phone number associated with the An object that contains the details of the sender-provided contact person for the This error occurs when the request would cause a service quota to be exceeded. Service quotas represent the maximum allowed use of a specific resource, and this error indicates that the request would surpass that limit. Suggested action: Review the service quotas for the specific resource, and reduce the usage or request a quota increase through support if necessary. Specifies the customer's intended payment type agreement or procurement method to acquire the solution or service outlined in the Specifies the Specifies the expiration date for the contract between the customer and Amazon Web Services partner. It signifies the termination date of the agreed-upon engagement period between both parties. Specifies the payment value (amount and currency). Specifies a customer's procurement terms details. Required only for partners in eligible programs. Specifies the catalog in which the solution is hosted, either Specifies the solution category, which helps to categorize and organize the solutions partners offer. Valid values: Indicates the solution creation date. This is useful to track and audit. Enables the association of solutions (offerings) to opportunities. Specifies the solution name. Specifies the solution's current status, which indicates its state in the system. Valid values: Specifies minimal information for the solution offered to solve the customer's business problem. Specifies the attribute to sort by, such as Specifies the sorting order, either Configures the solutions' response sorting that enables partners to order solutions based on specified attributes. 
Specifies the catalog related to the task. Use A unique, case-sensitive identifier provided by the client to ensure the idempotency of the request. Can be a random or meaningful string, but must be unique for each request. Specifies the unique identifier of the Returns the identifier of the engagement invitation that was accepted and used to create the opportunity. If the task fails, this field contains a detailed message describing the failure and possible recovery steps. Returns the original opportunity identifier passed in the request. This is the unique identifier for the opportunity. Indicates the reason for task failure using an enumerated code. Possible values are: The timestamp indicating when the task was initiated. The format follows RFC 3339 section 5.6. The Amazon Resource Name (ARN) of the task, used for tracking and managing the task within AWS. The unique identifier of the task, used to track the task’s progress. This value follows a specific pattern: Indicates the current status of the task. Valid values include Specifies the catalog in which the engagement is tracked. Acceptable values include A unique token provided by the client to ensure the idempotency of the request. It helps prevent the same task from being performed multiple times. The unique identifier of the opportunity from which the engagement task is to be initiated. This ensures the task is applied to the correct opportunity. If the task fails, this field contains a detailed message describing the failure and possible recovery steps. Returns the original opportunity identifier passed in the request, which is the unique identifier for the opportunity created in the partner’s system. Indicates the reason for task failure using an enumerated code. Possible values are: The timestamp indicating when the task was initiated. The format follows RFC 3339 section 5.6. The Amazon Resource Name (ARN) of the task, used for tracking and managing the task within AWS. 
The unique identifier of the task, used to track the task’s progress. This value follows a specific pattern: Indicates the current status of the task. Valid values include This error occurs when there are too many requests sent. Review the provided quotas and adapt your usage to avoid throttling. This error occurs when there are too many requests sent. Review the provided quotas and retry after the provided delay. Specifies the catalog associated with the request. This field takes a string value from a predefined list: Specifies details of the customer associated with the Read-only, system generated An object that contains lifecycle details for the An object that contains marketing details for the Specifies if the opportunity is associated with national security concerns. This flag is only applicable when the industry is Specifies the opportunity type as a renewal, new, or expansion. Opportunity types: New opportunity: Represents a new business opportunity with a potential customer that's not previously engaged with your solutions or services. Renewal opportunity: Represents an opportunity to renew an existing contract or subscription with a current customer, ensuring continuity of service. Expansion opportunity: Represents an opportunity to expand the scope of an existing contract or subscription, either by adding new services or increasing the volume of existing services for a current customer. Specifies the opportunity's unique identifier in the partner's CRM system. This value is essential to track and reconcile because it's included in the outbound payload sent back to the partner. Identifies the type of support the partner needs from Amazon Web Services. Valid values: Co-Sell - Architectural Validation: Confirmation from Amazon Web Services that the partner's proposed solution architecture is aligned with Amazon Web Services best practices and poses minimal architectural risks. 
Co-Sell - Business Presentation: Request Amazon Web Services seller's participation in a joint customer presentation. Co-Sell - Competitive Information: Access to Amazon Web Services competitive resources and support for the partner's proposed solution. Co-Sell - Pricing Assistance: Connect with an AWS seller for support situations where a partner may be receiving an upfront discount on a service (for example: EDP deals). Co-Sell - Technical Consultation: Connection with an Amazon Web Services Solutions Architect to address the partner's questions about the proposed solution. Co-Sell - Total Cost of Ownership Evaluation: Assistance with quoting different cost savings of proposed solutions on Amazon Web Services versus on-premises or a traditional hosting environment. Co-Sell - Deal Support: Request Amazon Web Services seller's support to progress the opportunity (for example: joint customer call, strategic positioning). Co-Sell - Support for Public Tender / RFx: Opportunity related to the public sector where the partner needs RFx support from Amazon Web Services. Do Not Need Support from AWS Sales Rep: Indicates that a partner doesn't need support from an Amazon Web Services Sales representative. The opportunity is managed solely by the partner. It's possible to request co-selling support on these opportunities at any stage during their lifecycle. Also known as, for-visibility-only (FVO) opportunity. An object that contains project details summary for the Specifies details of a customer's procurement terms. Required only for partners in eligible programs. Read-only, system generated A list of issues that were discovered in the submitted request or the resource state. The primary reason for this validation exception to occur. REQUEST_VALIDATION_FAILED: The request format is not valid. Fix: Verify your request payload includes all required fields, uses correct data types and string formats. 
BUSINESS_VALIDATION_FAILED: The requested change doesn't pass the business validation rules. Fix: Check that your change aligns with the business rules defined by AWS Partner Central. The input fails to satisfy the constraints specified by the service or business validation rules. Suggested action: Review the error message, including the failed fields and reasons, to correct the request payload. Specifies the error code for the invalid field value. Specifies the field name with the invalid value. Specifies the detailed error message for the invalid field value. Indicates an invalid value for a field. REQUIRED_FIELD_MISSING: The request is missing a required field. Fix: Verify your request payload includes all required fields. INVALID_ENUM_VALUE: The enum field value isn't an accepted values. Fix: Check the documentation for the list of valid enum values, and update your request with a valid value. INVALID_STRING_FORMAT: The string format is invalid. Fix: Confirm that the string is in the expected format (For example: email address, date). INVALID_VALUE: The value isn't valid. Fix: Confirm that the value meets the expected criteria and is within the allowable range or set. TOO_MANY_VALUES: There are too many values in a field that expects fewer entries. Fix: Reduce the number of values to match the expected limit. ACTION_NOT_PERMITTED: The action isn't permitted due to current state or permissions. Fix: Verify that the action is appropriate for the current state, and that you have the necessary permissions to perform it. DUPLICATE_KEY_VALUE: The value in a field duplicates a value that must be unique. Fix: Verify that the value is unique and doesn't duplicate an existing value in the system. AWS Partner Central API for Selling Reference Guide Amazon Web Services (AWS) Partner Central API reference guide is designed to help AWS Partners programmatically integrate their Customer Relationship Management (CRM) systems with AWS Partner Central. 
Through the Partner Central APIs, partners can automate and streamline their interactions with AWS Partner Central, ensuring a more efficient and effective engagement in joint business activities. The AWS Partner Central API service provides standard AWS API functionality. You can directly use the API Actions, or you can use an AWS SDK to access an API that's tailored to the programming language or platform that you're using. For more information about AWS application development, see Getting Started with AWS. For more information about using AWS SDKs, see AWS SDKs. Features offered by AWS Partner Central API Opportunity management: Facilitates the management of co-selling opportunities with AWS using API actions such as AWS referral management: Facilitates receiving referrals shared by AWS using actions like Entity association: Associate related entities such as AWS Products, Partner Solutions, and AWS Marketplace Private Offers with opportunities using the actions View AWS opportunity details: Use the List solutions: Provides list APIs for listing solutions partners offer using Event subscription: Partners can subscribe to real-time updates on opportunities by listening to events such as Opportunity Created, Opportunity Updated, Engagement Invitation Accepted, Engagement Invitation Rejected and Engagement Invitation Created using AWS EventBridge._
, .
, /
, =
, +
, and -
.aws:
._
, .
, /
, =
, +
, and -
.aws:
.
"
+ },
+ "HookEventTime":{
+ "shape":"Timestamp",
+ "documentation":"HOOK_PENDING
: The Hook was added to the invocation plan, but not yet invoked.HOOK_IN_PROGRESS
: The Hook was invoked, but hasn't completed.HOOK_COMPLETE_SUCCEEDED
: The Hook invocation is complete with a successful result.HOOK_COMPLETE_FAILED
: The Hook invocation is complete with a failed result.HOOK_FAILED
: The Hook invocation didn't complete successfully.
"
+ }
+ },
+ "documentation":"FAIL
: This will fail the Hook invocation and the request associated with it.WARN
: This will fail the Hook invocation, but not the request associated with it.RequestToken
with GetResourceRequestStatus to return the current status of a resource operation request.acceleratorCapabilities
property in the ServiceManagedEc2InstanceCapabilities object, all of the Amazon EC2 instances will have at least one accelerator. acceleratorCapabilities
property in the ServiceManagedEc2InstanceCapabilities object, all of the Amazon EC2 instances will have at least one accelerator.
"
+ },
+ "EnableOrganizationsRootSessions":{
+ "name":"EnableOrganizationsRootSessions",
+ "http":{
+ "method":"POST",
+ "requestUri":"/"
+ },
+ "input":{"shape":"EnableOrganizationsRootSessionsRequest"},
+ "output":{
+ "shape":"EnableOrganizationsRootSessionsResponse",
+ "resultWrapper":"EnableOrganizationsRootSessionsResult"
+ },
+ "errors":[
+ {"shape":"ServiceAccessNotEnabledException"},
+ {"shape":"AccountNotManagementOrDelegatedAdministratorException"},
+ {"shape":"OrganizationNotFoundException"},
+ {"shape":"OrganizationNotInAllFeaturesModeException"},
+ {"shape":"CallerIsNotManagementAccountException"}
+ ],
+ "documentation":"
"
+ },
"GenerateCredentialReport":{
"name":"GenerateCredentialReport",
"http":{
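Review bot: In the added EnableOrganizationsRootSessions operation, the errors list carries both AccountNotManagementOrDelegatedAdministratorException and CallerIsNotManagementAccountException, while the documentation string as it appears here is empty. A reader cannot tell from these lines whether a delegated administrator may call the operation or only the management account. Suggest having the operation's documentation state which caller is permitted and which of the two errors each rejected caller receives, alongside the prerequisites implied by ServiceAccessNotEnabledException and OrganizationNotInAllFeaturesModeException.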
@@ -1336,7 +1414,7 @@
"errors":[
{"shape":"ServiceFailureException"}
],
- "documentation":"\\u0020
) through the end of the ASCII character range (\\u00FF
). You can also include the tab (\\u0009
), line feed (\\u000A
), and carriage return (\\u000D
) characters. Any of these characters are valid in a password. However, many tools, such as the Amazon Web Services Management Console, might restrict the ability to type certain characters because they have special meaning within that tool.\\u0020
) through the end of the ASCII character range (\\u00FF
). You can also include the tab (\\u0009
), line feed (\\u000A
), and carriage return (\\u000D
) characters. Any of these characters are valid in a password. However, many tools, such as the Amazon Web Services Management Console, might restrict the ability to type certain characters because they have special meaning within that tool.Fuota
.WirelessDevice
or WirelessGateway
.WirelessDevice
, WirelessGateway
or FuotaTask
.WirelessDevice
or WirelessGateway
.WirelessDevice
, WirelessGateway
, or FuotaTask
.WirelessDevice
or WirelessGateway
.WirelessDevice
, WirelessGateway
, or FuotaTask
.false
.multitrackInputConfiguration
is specified and enabled
is true
, then containerFormat
is required and must be set to FRAGMENTED_MP4
. Otherwise, containerFormat
may be set to TS
or FRAGMENTED_MP4
. Default: TS
.NORMAL
to broadcast and deliver live video up to Full HD. Use LOW
for near-real-time interaction with viewers. Default: LOW
.false
.multitrackInputConfiguration
is specified and enabled
is true
, then containerFormat
is required and must be set to FRAGMENTED_MP4
. Otherwise, containerFormat
may be set to TS
or FRAGMENTED_MP4
. Default: TS
.false
.NORMAL
to broadcast and deliver live video up to Full HD. Use LOW
for near-real-time interaction with viewers. Default: LOW
.true
only if channel type is STANDARD
. Setting enabled
to true
with any other channel type will cause an exception. If true
, then policy
, maximumResolution
, and containerFormat
are required, and containerFormat
must be set to FRAGMENTED_MP4
. Default: false
.enabled
is true
.enabled
is true
.
"
+ "documentation":"StreamTakeoverMediaMismatch
— The broadcast client attempted to take over with different media properties (e.g., codec, resolution, or video track type) from the original stream.StreamTakeoverInvalidPriority
— The broadcast client attempted a takeover with either a priority integer value equal to or lower than the original stream's value or a value outside the allowed range of 1 to 2,147,483,647.StreamTakeoverLimitBreached
— The broadcast client reached the maximum allowed takeover attempts for this stream.
"
},
"eventTime":{
"shape":"Time",
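Review bot: In the added documentation string, StreamTakeoverInvalidPriority spells out the allowed priority range (1 to 2,147,483,647), but StreamTakeoverLimitBreached only says the client "reached the maximum allowed takeover attempts" without giving the number. Suggest stating the attempt limit or pointing to where it is documented, so an operator who sees this event code can tell a misconfigured encoder apart from repeated takeover attempts against the stream.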
@@ -2285,7 +2368,11 @@
},
"ingestConfiguration":{
"shape":"IngestConfiguration",
- "documentation":"MultitrackInputNotAllowed
— The broadcast client attempted to connect with multitrack input, but multitrack input was not enabled on the channel. Check your broadcast software settings or set MultitrackInputConfiguration.Policy
to ALLOW
or REQUIRE
.MultitrackInputRequired
— The broadcast client attempted to connect with single-track video, but multitrack input is required on this channel. Enable multitrack video in your broadcast software or configure the channel’s MultitrackInputConfiguration.Policy
to ALLOW
.InvalidGetClientConfigurationStreamKey
— The broadcast client attempted to connect with an invalid, expired, or corrupt stream key.GetClientConfigurationStreamKeyRequired
— The broadcast client attempted to stream multitrack video without providing an authenticated stream key from GetClientConfiguration.InvalidMultitrackInputTrackCount
— The multitrack input stream contained an invalid number of tracks.InvalidMultitrackInputVideoTrackMediaProperties
— The multitrack input stream contained one or more tracks with an invalid codec, resolution, bitrate, or framerate.StreamTakeoverMediaMismatch
— The broadcast client attempted to take over with different media properties (e.g., codec, resolution, or video track type) from the original stream.StreamTakeoverInvalidPriority
— The broadcast client attempted a takeover with either a priority integer value equal to or lower than the original stream's value or a value outside the allowed range of 1 to 2,147,483,647.StreamTakeoverLimitBreached
— The broadcast client reached the maximum allowed takeover attempts for this stream.ingestConfiguration
is deprecated in favor of ingestConfigurations
but retained to ensure backward compatibility. If multitrack is not enabled, ingestConfiguration
and ingestConfigurations
contain the same data, namely information about track0 (the sole track). If multitrack is enabled, ingestConfiguration
contains data for only the first track (track0) and ingestConfigurations
contains data for all tracks.ingestConfigurations
contains data for all tracks; otherwise, it contains data only for track0 (the sole track).recordingMode
is INTERVAL
. Default: 60.BASIC
channel type, setting a value for targetIntervalSeconds
does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the targetIntervalSeconds
interval, the IDR/Keyframe
value for the input video must be less than the targetIntervalSeconds
value. See Amazon IVS Streaming Configuration for information on setting IDR/Keyframe
to the recommended value in video-encoder settings.recordingMode
is INTERVAL
. Default: 60.BASIC
channel type, or the STANDARD
channel type with multitrack input, setting a value for targetIntervalSeconds
does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the targetIntervalSeconds
interval, the IDR/Keyframe
value for the input video must be less than the targetIntervalSeconds
value. See Amazon IVS Streaming Configuration for information on setting IDR/Keyframe
to the recommended value in video-encoder settings.multitrackInputConfiguration
is specified and enabled
is true
, then containerFormat
is required and must be set to FRAGMENTED_MP4
. Otherwise, containerFormat
may be set to TS
or FRAGMENTED_MP4
. Default: TS
.false
.NORMAL
to broadcast and deliver live video up to Full HD. Use LOW
for near-real-time interaction with viewers.avcLevel
.avcProfile
.LicenseServerEndpoint
resource.ActiveDirectorySettings
resource contains details about the Active Directory, including network access details such as domain name and IP addresses, and the credential provider for user administration.CredentialsProvider
resource that contains information about the credential provider for user administration.DomainNetworkSettings
resource contains an array of subnets that apply for the Active Directory.IdentityProvider
resource that contains details about a registered identity provider. In the case of Active Directory, that can be a self-managed Active Directory or an Amazon Web Services Managed Active Directory that contains user identity details.LicenseServerSettings
resource to create for the endpoint. The settings include the type of license server and the Secrets Manager secret that enables administrators to add or remove users associated with the license server.LicenseServerEndpoint
resource.LicenseServerEndpoint
resource to delete.LicenseServerEndpoint
resource that was deleted.VISUAL_STUDIO_ENTERPRISE
| VISUAL_STUDIO_PROFESSIONAL
| OFFICE_PROFESSIONAL_PLUS
ActiveDirectoryIdentityProvider
resource contains settings and other details about a specific Active Directory identity provider.IdentityProvider
resource contains information about an identity provider.Settings
resource contains details about the registered identity provider’s product related configuration settings, such as the subnets to provision VPC endpoints.IdentityProvider
resource specifies details about the identity provider.ServerEndpoint
resource for the RDS license server.LicenseServer
resources that represent the license servers that are accessed through this endpoint.ServerEndpoint
resource contains the network address of the RDS license server endpoint.ServerSettings
resource contains the settings for your server.
"
+ },
"MaxResults":{
"shape":"BoxInteger",
- "documentation":"IdentityProviderSummary
resources that contain details about the Active Directory identity providers that meet the request criteria.
"
},
"MaxResults":{
"shape":"BoxInteger",
- "documentation":"InstanceSummary
resources that contain details about the instances that provide user-based subscriptions and also meet the request criteria.
"
+ },
+ "MaxResults":{
+ "shape":"ListLicenseServerEndpointsRequestMaxResultsInteger",
+ "documentation":"LicenseServerEndpoint
resources that contain detailed information about the RDS License Servers that meet the request criteria.
"
},
"IdentityProvider":{
"shape":"IdentityProvider",
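Review bot: The added MaxResults member uses the dedicated shape ListLicenseServerEndpointsRequestMaxResultsInteger, while the two MaxResults members just above it stay on BoxInteger. If the new shape exists to carry a min/max bound, suggest giving the existing list requests the same bounded shape, or noting the limit in their documentation, so page-size validation is consistent across the list operations.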
@@ -601,15 +1010,15 @@
},
"MaxResults":{
"shape":"BoxInteger",
- "documentation":"VISUAL_STUDIO_ENTERPRISE
| VISUAL_STUDIO_PROFESSIONAL
| OFFICE_PROFESSIONAL_PLUS
"
},
"IdentityProvider":{
"shape":"IdentityProvider",
@@ -647,11 +1077,11 @@
},
"MaxResults":{
"shape":"BoxInteger",
- "documentation":"CredentialsProvider
resource contains a reference to the credentials provider that's used for RDS license server user administration.VISUAL_STUDIO_ENTERPRISE
| VISUAL_STUDIO_PROFESSIONAL
| OFFICE_PROFESSIONAL_PLUS
RdsSalSettings
resource contains settings to configure a specific Remote Desktop Services (RDS) license server.VISUAL_STUDIO_ENTERPRISE
| VISUAL_STUDIO_PROFESSIONAL
| OFFICE_PROFESSIONAL_PLUS
VISUAL_STUDIO_ENTERPRISE
| VISUAL_STUDIO_PROFESSIONAL
| OFFICE_PROFESSIONAL_PLUS
VISUAL_STUDIO_ENTERPRISE
| VISUAL_STUDIO_PROFESSIONAL
| OFFICE_PROFESSIONAL_PLUS
Opportunity
to another user within your Partner Central account. The specified user receives the opportunity, and it appears on their Partner Central dashboard, allowing them to take necessary actions or proceed with the opportunity. Opportunity
and various related entities, enriching the context and details of the opportunity for better collaboration and decision-making. You can associate an opportunity with the following types of entities:
"
+ },
+ "CreateOpportunity":{
+ "name":"CreateOpportunity",
+ "http":{
+ "method":"POST",
+ "requestUri":"/"
+ },
+ "input":{"shape":"CreateOpportunityRequest"},
+ "output":{"shape":"CreateOpportunityResponse"},
+ "errors":[
+ {"shape":"ThrottlingException"},
+ {"shape":"ConflictException"},
+ {"shape":"AccessDeniedException"},
+ {"shape":"InternalServerException"},
+ {"shape":"ValidationException"},
+ {"shape":"ResourceNotFoundException"}
+ ],
+ "documentation":"ListSolutions
operation.ListEntities
operation to retrieve a list of private offers. The request to the ListEntities
API returns the details of the private offers available to you. For more information, refer to ListEntities. Opportunity
record in Partner Central. Use this operation to create a potential business opportunity intended to be submitted to Amazon Web Services. Creating an opportunity sets its Lifecycle.ReviewStatus
to Pending Submission
.
CreateOpportunity
.AssociateOpportunity
.SubmitOpportunity
.Pending Submission
state still need all details completed. You can update the opportunity while it's in the Pending Submission
state. Opportunity
and related entities such as a Partner Solution, Amazon Web Services product, or an Amazon Web Services Marketplace offer. This operation is the counterpart to AssociateOpportunity
, and it provides flexibility to manage associations as business needs change. Opportunity
due to changes in the related entities, or if an association was made in error. Ensuring accurate associations helps maintain clarity and accuracy to track and manage business opportunities. When you replace an entity, first attach the new entity and then disassociate the one to be removed, especially if it's the last remaining related entity that's required. Opportunity
record from Partner Central by a given Identifier
. ListOpportunities
action or the event notification (from Amazon EventBridge) to obtain this identifier. ListOpportunities
API action. ListOpportunities
action.
"
+ },
+ "ListSolutions":{
+ "name":"ListSolutions",
+ "http":{
+ "method":"POST",
+ "requestUri":"/"
+ },
+ "input":{"shape":"ListSolutionsRequest"},
+ "output":{"shape":"ListSolutionsResponse"},
+ "errors":[
+ {"shape":"AccessDeniedException"},
+ {"shape":"InternalServerException"},
+ {"shape":"ValidationException"},
+ {"shape":"ResourceNotFoundException"}
+ ],
+ "documentation":"LastModifiedDate
that you stored, and only use the values that came from Amazon Web Services. Don’t use values generated by your system. ListOpportunities
request, submit the date in ISO 8601 format in the AfterLastModifiedDate
filter. NextToken
to iterate over all pages. EngagementInvitation
that has been shared by AWS. Rejecting the engagement invitation indicates that the partner does not wish to pursue the opportunity, and all related data will be inaccessible after the rejection.EngagementInvitation
. The task is asynchronous and involves several steps: accepting the invitation, creating an opportunity in the partner’s account from the AWS Opportunity, and copying over key details for tracking. Once completed, an Opportunity Created
event is generated, indicating that the opportunity has been successfully created in the partner's account.StartEngagementByAcceptingInvitationTask
, this action is asynchronous and performs multiple steps before completion.Opportunity
record identified by a given Identifier
. This operation allows you to modify the details of an existing opportunity to reflect the latest information and progress. Use this action to keep the opportunity record up-to-date and accurate. null
. The best practice is to always perform a GetOpportunity
to retrieve the latest values, then send the complete payload with the updated values to be changed. Customer
's address details associated with the Opportunity
. Customer
Amazon Web Services account ID associated with the Opportunity
. Customer
's company name associated with the Opportunity
. Customer
DUNS number, if available. Customer
belongs to that's associated with the Opportunity
. It refers to the category or sector where the customer's business operates. This is a required field. Customer
's industry associated with the Opportunity
, when the selected value in the Industry
field is Other
. Opportunity
. This value is crucial to map the customer within the Amazon Web Services CRM system. This field is required in all cases except when the opportunity is related to national security. Customer
's account details associated with the Opportunity
. Customer
's address details associated with the Opportunity
. Customer
's company name associated with the Opportunity
. Customer
belongs to associated with the Opportunity
. It refers to the category or sector that the customer's business operates in. Other
. Other
is selected for Industry Vertical in LOVs. Customer
's industry associated with the Opportunity
, when the selected value in the Industry
field is Other
. This field is relevant when the customer's industry doesn't fall under the predefined picklist values and requires a custom description. Opportunity
. This value is crucial to map the customer within the Amazon Web Services CRM system. Account
's subset of fields. Customer
's city associated with the Opportunity
. Customer
's country associated with the Opportunity
. Customer
's postal code associated with the Opportunity
. Customer
's state or region associated with the Opportunity
. Alabama | Alaska | American Samoa | Arizona | Arkansas | California | Colorado | Connecticut | Delaware | Dist. of Columbia | Federated States of Micronesia | Florida | Georgia | Guam | Hawaii | Idaho | Illinois | Indiana | Iowa | Kansas | Kentucky | Louisiana | Maine | Marshall Islands | Maryland | Massachusetts | Michigan | Minnesota | Mississippi | Missouri | Montana | Nebraska | Nevada | New Hampshire | New Jersey | New Mexico | New York | North Carolina | North Dakota | Northern Mariana Islands | Ohio | Oklahoma | Oregon | Palau | Pennsylvania | Puerto Rico | Rhode Island | South Carolina | South Dakota | Tennessee | Texas | Utah | Vermont | Virginia | Virgin Islands | Washington | West Virginia | Wisconsin | Wyoming | APO/AE | AFO/FPO | FPO, AP
Customer
's street address associated with the Opportunity
. Customer
's address details associated with the Opportunity
. Customer
's city associated with the Opportunity
. Customer
's country associated with the Opportunity
. Customer
's postal code associated with the Opportunity
. Customer
's state or region associated with the Opportunity
. Alabama | Alaska | American Samoa | Arizona | Arkansas | California | Colorado | Connecticut | Delaware | Dist. of Columbia | Federated States of Micronesia | Florida | Georgia | Guam | Hawaii | Idaho | Illinois | Indiana | Iowa | Kansas | Kentucky | Louisiana | Maine | Marshall Islands | Maryland | Massachusetts | Michigan | Minnesota | Mississippi | Missouri | Montana | Nebraska | Nevada | New Hampshire | New Jersey | New Mexico | New York | North Carolina | North Dakota | Northern Mariana Islands | Ohio | Oklahoma | Oregon | Palau | Pennsylvania | Puerto Rico | Rhode Island | South Carolina | South Dakota | Tennessee | Texas | Utah | Vermont | Virginia | Virgin Islands | Washington | West Virginia | Wisconsin | Wyoming | APO/AE | AFO/FPO | FPO, AP
Address
object's subset of fields. AWS
or Sandbox
. The catalog determines which environment the opportunity is assigned in. Use AWS
to assign real opportunities in the Amazon Web Services catalog, and Sandbox
to test in a secure and isolated environment. Opportunity
's unique identifier when you want to assign it to another user. Provide the correct identifier so the intended opportunity is reassigned. AWS
or Sandbox
. The catalog determines whichenvironment the opportunity association is made in. Use AWS
to associate opportunities in the Amazon Web Services catalog, and Sandbox
to test in a secure and isolated environment. Opportunity
's unique identifier when you want to associate it with a related entity. Provide the correct identifier so the intended opportunity is updated with the association. Opportunity
. For Amazon Web Services Marketplace entities, provide the Amazon Resource Name (ARN). Use the Amazon Web Services Marketplace API to obtain the ARN. Opportunity
. This helps to categorize and properly process the association. Closed Lost
. This helps in understanding the context behind the lost opportunity and aids in refining future strategies.Qualification
, Validation
, or Closed Won
. This helps in understanding the opportunity's progress.Full
for most cases, but it may be restricted based on special program requirements or confidentiality needs.Opportunity
. Opportunity
. Opportunity
. Opportunity
. Opportunity
. Customer Partner
's contact details. AWS
or Sandbox
. The catalog determines which environment the opportunity is created in. Use AWS
to create opportunities in the Amazon Web Services catalog, and Sandbox
to test in a secure and isolated environment. ClientToken
. You can use standard libraries available in most programming languages to generated this. If you use the same client token, the API throws this error: \"Conflicting client token submitted for a new request body\". Opportunity
. Opportunity
. Opportunity
pertains to a national security project. This field must be set to true
only when the customer's industry is Government. Additional privacy and security measures apply during the review and management process for opportunities marked as NationalSecurity
.
"
+ },
+ "Origin":{
+ "shape":"OpportunityOrigin",
+ "documentation":"Catalog: AWS
, this field must only be Partner Referral
. However, when using Catalog: Sandbox
, you can set this field to AWS Referral
to simulate Amazon Web Services referral creation. This allows Amazon Web Services-originated flows testing in the sandbox catalog.
"
+ },
+ "Project":{
+ "shape":"Project",
+ "documentation":"Opportunity
. Opportunity
unique identifier. Amazon Web Services creates this identifier, and it's used for all subsequent actions on the opportunity, such as updates, associations, and submissions. It ensures that each opportunity can be accurately tracked and managed within the system. DateTime
when the opportunity was last modified. When the Opportunity
is created, its value is equal to CreatedDate
. Opportunity
. This field captures relevant contacts, including decision-makers, influencers, and technical stakeholders within the customer organization. These contacts are key to progressing the opportunity.Account
and Contact
. Customer
object's subset of fields. AWS
or Sandbox
. The catalog determines which environment the opportunity disassociation is made in. Use AWS
to disassociate opportunities in the Amazon Web Services catalog, and Sandbox
to test in a secure and isolated environment. AWS
or Sandbox
catalog, indicating whether the opportunity is live or being tested.Opportunity
or MarketplaceOffer
. This helps partners understand the nature of the engagement request from AWS.Pending
, Accepted
, or Rejected
. The status helps track the progress and response to the invitation.Monthly
, Quarterly
, or Annually
. The default value is Monthly
, representing recurring monthly spend.AWS
for production opportunities or Sandbox
for testing purposes. The catalog determines which environment the opportunity data is pulled from. AWS
or Sandbox
) where the opportunity is being managed. For Visibility Only
to Co-sell
offering transparency into the partnership dynamics. Full
visibility for most cases, while Limited
visibility is reserved for special programs or sensitive opportunities. AWS
for live operations or Sandbox
for testing environments.AWS
or Sandbox
) used in the request.Accepted
, Pending
, or Rejected
).AWS
or Sandbox
. The catalog determines which environment the opportunity is fetched from. Use AWS
to retrieve opportunities in the Amazon Web Services catalog, and Sandbox
to retrieve opportunities in a secure and isolated testing environment. Opportunity
unique identifier. AWS
or Sandbox
. The catalog determines which environment the opportunity information is retrieved from. Use AWS
to retrieve opportunities in the Amazon Web Services catalog, and Sandbox
to retrieve opportunities in a secure and isolated testing environment. DateTime
when the Opportunity
was last created. Opportunity
. Opportunity
unique identifier. DateTime
when the opportunity was last modified. Opportunity
. Opportunity
. Opportunity
pertains to a national security project. This field must be set to true
only when the customer's industry is Government. Additional privacy and security measures apply during the review and management process for opportunities marked as NationalSecurity
.
"
+ },
+ "PartnerOpportunityIdentifier":{
+ "shape":"GetOpportunityResponsePartnerOpportunityIdentifierString",
+ "documentation":"
"
+ },
+ "Project":{
+ "shape":"Project",
+ "documentation":"Opportunity
. AWSProducts
, Partner Solutions
, and AWSMarketplaceOffers
. Opportunity
, and aid in accurate reports and analysis of opportunity outcomes. The possible values are:
"
+ },
+ "NextSteps":{
+ "shape":"LifeCycleNextStepsString",
+ "documentation":"Opportunity
. This field is utilized to communicate to Amazon Web Services the next actions required for the Opportunity
. ReviewComments
.
"
+ },
+ "ReviewStatusReason":{
+ "shape":"String",
+ "documentation":"UpdateOpportunity
API action to update the opportunity, and ensure all required changes are made. Only these fields are editable when the Lifecycle.ReviewStatus
is Action Required
:
Lifecycle.ReviewStatus
is set to Approved
or Rejected
. Opportunity
's lifecycle as it maps to Amazon Web Services stages from the current stage in the partner CRM. This field provides a translated value of the stage, and offers insight into the Opportunity
's progression in the sales cycle, according to Amazon Web Services definitions. Qualified
opportunity before submission. Opportunities that were closed/lost before submission aren't suitable for submission.
"
+ },
+ "TargetCloseDate":{
+ "shape":"Date",
+ "documentation":"Target Close Date
isn't in the past. Opportunity
lifecycle's details. Opportunity
, and aid in accurate reports and analysis of opportunity outcomes. Opportunity
. This field is utilized to communicate to Amazon Web Services the next actions required for the Opportunity
. ReviewComments
.
"
+ },
+ "ReviewStatusReason":{
+ "shape":"String",
+ "documentation":"UpdateOpportunity
API action to update the opportunity, and ensure you make all required changes. Only these fields are editable when the Lifecycle.ReviewStatus
is Action Required
:
Lifecycle.ReviewStatus
is set to Approved
or Rejected
. Opportunity
's lifecycle as it maps to Amazon Web Services stages from the current stage in the partner CRM. This field provides a translated value of the stage, and offers insight into the Opportunity
's progression in the sales cycle, according to Amazon Web Services definitions. Qualified
opportunity before submission. Opportunities that were closed/lost before submission aren't suitable for submission.
"
+ },
+ "TargetCloseDate":{
+ "shape":"Date",
+ "documentation":"Target Close Date
isn't in the past. LifeCycle
object's subset of fields. AWS
for production invitations or Sandbox
for testing environments.InvitationDate
or Status
to help partners view results in their preferred order.AWS
or Sandbox
. The catalog determines which environment the opportunities are listed in. Use AWS
for listing real opportunities in the Amazon Web Services catalog, and Sandbox
for to test in a secure and isolated environment. Pending Submission
, In Review
, Action Required
, or Approved
.Qualified
, Technical Validation
, Business Validation
, or Closed Won
.Sort.SortBy
value is LastModifiedDate
. AWS
or Sandbox
. The catalog determines which environment the solutions are listed in. Use AWS
to list solutions in the Amazon Web Services catalog, and Sandbox
to list solutions in a secure and isolated testing environment. Software
, Consulting
, or Managed Services
.Sort.SortBy
is Identifier
. Active
, Inactive
, or Pending Approval
, allowing partners to manage their solution portfolios effectively.Opportunity
is a marketing development fund (MDF) funded activity. Opportunity
's unique marketing campaign name. The Amazon Web Services campaign name serves as a reference to specific marketing initiatives, promotions, or activities related to the Opportunity
. This field captures the identifier used to track and categorize the Opportunity
within Amazon Web Services's marketing campaigns. If you don't have a campaign name, reach out to your Amazon Web Services point of contact to obtain one. Opportunity
's channel that the marketing activity is associated with or was contacted through. This field provides information about the specific marketing channel that contributed to the generation of the lead or contact. Opportunity
was sourced from an Amazon Web Services marketing activity. Use the value Marketing Activity
. Use None
if it's not associated with an Amazon Web Services marketing activity. This field helps Amazon Web Services track the return on marketing investments and enables better distribution of marketing budgets among partners. Opportunity
's creation or contact. This field captures the context or marketing activity's execution's intention and the direct correlation to the generated opportunity or contact. Must be empty when Marketing.AWSFundingUsed = No
. AI/ML | Analytics | Application Integration | Blockchain | Business Applications | Cloud Financial Management | Compute | Containers | Customer Engagement | Databases | Developer Tools | End User Computing | Front End Web & Mobile | Game Tech | IoT | Management & Governance | Media Services | Migration & Transfer | Networking & Content Delivery | Quantum Technologies | Robotics | Satellite | Security | Serverless | Storage | VR & AR
Opportunity
. NextSteps
field.InvitationDate
and Status
.ASC
(ascending) or DESC
(descending).Descending
AWS
or Sandbox
. This indicates the environment in which the opportunity is managed.DateTime
when the Opportunity
was last created. Opportunity
's customer details. Opportunity
unique identifier. DateTime
when the Opportunity
was last modified. Opportunity
's lifecycle details.
"
+ },
+ "PartnerOpportunityIdentifier":{
+ "shape":"String",
+ "documentation":"Opportunity
's unique identifier in the partner's CRM system. This value is essential to track and reconcile because it's included in the outbound payload sent back to the partner. It allows partners to link an opportunity to their CRM. Opportunity
's project details summary. Opportunity
's subset of fields. Opportunity
that weren't captured in other fields. Opportunity
. APN programs refer to specific partner programs or initiatives that can impact the Opportunity
. APN Immersion Days | APN Solution Space | ATO (Authority to Operate) | AWS Marketplace Campaign | IS Immersion Day SFID Program | ISV Workload Migration | Migration Acceleration Program | P3 | Partner Launch Initiative | Partner Opportunity Acceleration Funded | The Next Smart | VMware Cloud on AWS | Well-Architected | Windows | Workspaces/AppStream Accelerator Program | WWPS NDPP
Opportunity
's competitor (if any). Use Other
to submit a value not in the picklist. Opportunity
. The content in this field helps Amazon Web Services understand the nature of the Opportunity
and the strategic fit of the partner's solution. AI Machine Learning and Analytics | Archiving | Big Data: Data Warehouse / Data Integration / ETL / Data Lake / BI | Blockchain | Business Applications: Mainframe Modernization | Business Applications & Contact Center | Business Applications & SAP Production | Centralized Operations Management | Cloud Management Tools | Cloud Management Tools & DevOps with Continuous Integration & Continuous Delivery (CICD) | Configuration, Compliance & Auditing | Connected Services | Containers & Serverless | Content Delivery & Edge Services | Database | Edge Computing / End User Computing | Energy | Enterprise Governance & Controls | Enterprise Resource Planning | Financial Services | Healthcare and Life Sciences | High Performance Computing | Hybrid Application Platform | Industrial Software | IOT | Manufacturing, Supply Chain and Operations | Media & High performance computing (HPC) | Migration / Database Migration | Monitoring, logging and performance | Monitoring & Observability | Networking | Outpost | SAP | Security & Compliance | Storage & Backup | Training | VMC | VMWare | Web development & DevOps
Opportunity
's context. You can select multiple options. Delivery Model
field are:
"
+ },
+ "ExpectedCustomerSpend":{
+ "shape":"ExpectedCustomerSpendList",
+ "documentation":"CompetitorNames
has Other
selected. RelatedEntityIdentifiers.Solutions
field value is Other
. Opportunity
's sales activities conducted with the end customer. These activities help drive Amazon Web Services assignment priority.
"
+ },
+ "Title":{
+ "shape":"ProjectTitleString",
+ "documentation":"Opportunity
's title or name. Opportunity
's project details. Opportunity
's context. You can select multiple options. Delivery Model
field are:
"
+ },
+ "ExpectedCustomerSpend":{
+ "shape":"ExpectedCustomerSpendList",
+ "documentation":"Project
object's subset of fields. AWS
and Sandbox
, which determine the environment in which the opportunity is managed.EngagementInvitation
to be rejected. Providing the correct identifier ensures that the intended invitation is rejected.
"
+ }
+ }
+ },
+ "RejectionReasonString":{
+ "type":"string",
+ "pattern":"^[\\u0020-\\u007E\\u00A0-\\uD7FF\\uE000-\\uFFFD]{1,80}$"
+ },
+ "RelatedEntityIdentifiers":{
+ "type":"structure",
+ "members":{
+ "AwsMarketplaceOffers":{
+ "shape":"AwsMarketplaceOfferIdentifiers",
+ "documentation":"\"offers\": [\"arn:aws:aws-marketplace:us-east-1:999999999999:AWSMarketplace/Offer/offer-sampleOffer32\"]
. Opportunity
. Partners can indicate the relevant Amazon Web Services products for the Opportunity
's solution and align with the customer's needs. Returns multiple values separated by commas. For example, \"AWSProducts\" : [\"AmazonRedshift\", \"AWSAppFabric\", \"AWSCleanRooms\"]
. ListSolutions
operation. Other
and provide details about the solution in the otherSolutionOffered
field. However, once the opportunity reaches the Committed
stage or beyond, the Other
value cannot be used, and a valid solution identifier must be provided. AWSProducts
, Partner Solutions
, and AWSMarketplaceOffers
. EngagementInvitation
. EngagementInvitation
. EngagementInvitation
. EngagementInvitation
. EngagementInvitation
. EngagementInvitation
. Opportunity
. Opportunity
's customer engagement start date for the contract's effectiveness. AWS
or Sandbox
. This helps partners differentiate between live solutions and those in testing environments.Software Product
| Consulting Service
| Hardware Product
| Communications Product
| Professional Service
| Managed Service
| Value-Added Resale Amazon Web Services Service
| Distribution Service
| Training Service
| Merger and Acquisition Advising Service
. Active
| Inactive
| Draft
. The status helps partners and Amazon Web Services track the solution's lifecycle and availability. Filter for Active
solutions for association to an opportunity. Name
, CreatedDate
, or Status
. Ascending
or Descending
. The default is Descending
. AWS
for production engagements and Sandbox
for testing scenarios.EngagementInvitation
to be accepted. Providing the correct identifier ensures the right engagement invitation is processed.ACCEPT_ENGAGEMENT_INVITATION_FAILED
, GET_ENGAGEMENT_INVITATION_FAILED
, CREATE_OPPORTUNITY_FAILED
, CREATE_RESOURCE_VIEW_AUTOMATION_FAILED
, SUBMIT_OPPORTUNITY_FAILED
.^oit-[0-9a-z]{13}$
.IN_PROGRESS
, COMPLETE
, and FAILED
.AWS
for production and Sandbox
for testing environments.ACCEPT_ENGAGEMENT_INVITATION_FAILED
, GET_ENGAGEMENT_INVITATION_FAILED
, CREATE_OPPORTUNITY_FAILED
, CREATE_RESOURCE_VIEW_AUTOMATION_FAILED
, SUBMIT_OPPORTUNITY_FAILED
.^oit-[0-9a-z]{13}$
.IN_PROGRESS
, COMPLETE
, and FAILED
.AWS
or Sandbox
. The catalog determines which environment the opportunity is updated in. Use AWS
to update real opportunities in the production environment, and Sandbox
to test in a secure and isolated environment. When you use the Sandbox
catalog, it allows you to simulate and validate your interactions with Amazon Web Services services without affecting live data or operations. Opportunity
. Opportunity
unique identifier. DateTime
when the opportunity was last modified. Opportunity
. Opportunity
. Government
. For national security-related opportunities, specific validation and compliance rules may apply, impacting the opportunity's visibility and processing.
"
+ },
+ "PartnerOpportunityIdentifier":{
+ "shape":"UpdateOpportunityRequestPartnerOpportunityIdentifierString",
+ "documentation":"
"
+ },
+ "Project":{
+ "shape":"Project",
+ "documentation":"Opportunity
. Opportunity
unique identifier. DateTime
when the opportunity was last modified.
"
+ }
+ },
+ "documentation":"
"
+ },
+ "ValidationExceptionErrorCode":{
+ "type":"string",
+ "enum":[
+ "REQUIRED_FIELD_MISSING",
+ "INVALID_ENUM_VALUE",
+ "INVALID_STRING_FORMAT",
+ "INVALID_VALUE",
+ "TOO_MANY_VALUES",
+ "INVALID_RESOURCE_STATE",
+ "DUPLICATE_KEY_VALUE",
+ "VALUE_OUT_OF_RANGE",
+ "ACTION_NOT_PERMITTED"
+ ]
+ },
+ "ValidationExceptionErrorList":{
+ "type":"list",
+ "member":{"shape":"ValidationExceptionError"}
+ },
+ "ValidationExceptionReason":{
+ "type":"string",
+ "enum":[
+ "REQUEST_VALIDATION_FAILED",
+ "BUSINESS_VALIDATION_FAILED"
+ ]
+ },
+ "Visibility":{
+ "type":"string",
+ "enum":[
+ "Full",
+ "Limited"
+ ]
+ },
+ "WebsiteUrl":{
+ "type":"string",
+ "max":255,
+ "min":4,
+ "sensitive":true
+ }
+ },
+ "documentation":"
CreateOpportunity
, UpdateOpportunity
, ListOpportunities
, GetOpportunity
, and AssignOpportunity
.ListEngagementInvitations
, GetEngagementInvitation
, StartEngagementByAcceptingInvitation
, and RejectEngagementInvitation
.AssociateOpportunity
and DisassociateOpportunity
.GetAWSOpportunitySummary
action to retrieve real-time summaries of AWS opportunities that are linked to your opportunities.ListSolutions
.
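Review bot: WebsiteUrl, the last shape in this hunk, is constrained only by length (min 4, max 255) and has no pattern, while RejectionReasonString earlier in the same hunk restricts its character set with an anchored pattern. Consider adding a pattern, or a documentation string naming the accepted URL form, so that callers know they have to validate the scheme themselves before rendering or fetching the value.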
Creates an analysis in Amazon QuickSight. Analyses can be created either from a template or from an AnalysisDefinition
.
Creates an Amazon QuickSight brand.
" + }, + "CreateCustomPermissions":{ + "name":"CreateCustomPermissions", + "http":{ + "method":"POST", + "requestUri":"/accounts/{AwsAccountId}/custom-permissions" + }, + "input":{"shape":"CreateCustomPermissionsRequest"}, + "output":{"shape":"CreateCustomPermissionsResponse"}, + "errors":[ + {"shape":"ConflictException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ResourceExistsException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"LimitExceededException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Creates a custom permissions profile.
" + }, "CreateDashboard":{ "name":"CreateDashboard", "http":{ @@ -568,6 +609,67 @@ ], "documentation":"Deletes an analysis from Amazon QuickSight. You can optionally include a recovery window during which you can restore the analysis. If you don't specify a recovery window value, the operation defaults to 30 days. Amazon QuickSight attaches a DeletionTime
stamp to the response that specifies the end of the recovery window. At the end of the recovery window, Amazon QuickSight deletes the analysis permanently.
At any time before recovery window ends, you can use the RestoreAnalysis
API operation to remove the DeletionTime
stamp and cancel the deletion of the analysis. The analysis remains visible in the API until it's deleted, so you can describe it but you can't make a template from it.
An analysis that's scheduled for deletion isn't accessible in the Amazon QuickSight console. To access it in the console, restore it. Deleting an analysis doesn't delete the dashboards that you publish from it.
" }, + "DeleteBrand":{ + "name":"DeleteBrand", + "http":{ + "method":"DELETE", + "requestUri":"/accounts/{AwsAccountId}/brands/{BrandId}", + "responseCode":200 + }, + "input":{"shape":"DeleteBrandRequest"}, + "output":{"shape":"DeleteBrandResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Deletes an Amazon QuickSight brand.
", + "idempotent":true + }, + "DeleteBrandAssignment":{ + "name":"DeleteBrandAssignment", + "http":{ + "method":"DELETE", + "requestUri":"/accounts/{AwsAccountId}/brandassignments", + "responseCode":200 + }, + "input":{"shape":"DeleteBrandAssignmentRequest"}, + "output":{"shape":"DeleteBrandAssignmentResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Deletes a brand assignment.
", + "idempotent":true + }, + "DeleteCustomPermissions":{ + "name":"DeleteCustomPermissions", + "http":{ + "method":"DELETE", + "requestUri":"/accounts/{AwsAccountId}/custom-permissions/{CustomPermissionsName}" + }, + "input":{"shape":"DeleteCustomPermissionsRequest"}, + "output":{"shape":"DeleteCustomPermissionsResponse"}, + "errors":[ + {"shape":"ConflictException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ResourceExistsException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Deletes a custom permissions profile.
" + }, "DeleteDashboard":{ "name":"DeleteDashboard", "http":{ @@ -975,6 +1077,26 @@ ], "documentation":"Deletes a user identified by its principal ID.
" }, + "DeleteUserCustomPermission":{ + "name":"DeleteUserCustomPermission", + "http":{ + "method":"DELETE", + "requestUri":"/accounts/{AwsAccountId}/namespaces/{Namespace}/users/{UserName}/custom-permission" + }, + "input":{"shape":"DeleteUserCustomPermissionRequest"}, + "output":{"shape":"DeleteUserCustomPermissionResponse"}, + "errors":[ + {"shape":"ConflictException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Deletes a custom permissions profile from a user.
" + }, "DeleteVPCConnection":{ "name":"DeleteVPCConnection", "http":{ @@ -1133,6 +1255,82 @@ ], "documentation":"Describes an existing import job.
Poll job descriptions after starting a job to know when it has succeeded or failed. Job descriptions are available for 14 days after job starts.
" }, + "DescribeBrand":{ + "name":"DescribeBrand", + "http":{ + "method":"GET", + "requestUri":"/accounts/{AwsAccountId}/brands/{BrandId}", + "responseCode":200 + }, + "input":{"shape":"DescribeBrandRequest"}, + "output":{"shape":"DescribeBrandResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Describes a brand.
" + }, + "DescribeBrandAssignment":{ + "name":"DescribeBrandAssignment", + "http":{ + "method":"GET", + "requestUri":"/accounts/{AwsAccountId}/brandassignments", + "responseCode":200 + }, + "input":{"shape":"DescribeBrandAssignmentRequest"}, + "output":{"shape":"DescribeBrandAssignmentResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Describes a brand assignment.
" + }, + "DescribeBrandPublishedVersion":{ + "name":"DescribeBrandPublishedVersion", + "http":{ + "method":"GET", + "requestUri":"/accounts/{AwsAccountId}/brands/{BrandId}/publishedversion", + "responseCode":200 + }, + "input":{"shape":"DescribeBrandPublishedVersionRequest"}, + "output":{"shape":"DescribeBrandPublishedVersionResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Describes the published version of the brand.
" + }, + "DescribeCustomPermissions":{ + "name":"DescribeCustomPermissions", + "http":{ + "method":"GET", + "requestUri":"/accounts/{AwsAccountId}/custom-permissions/{CustomPermissionsName}" + }, + "input":{"shape":"DescribeCustomPermissionsRequest"}, + "output":{"shape":"DescribeCustomPermissionsResponse"}, + "errors":[ + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Describes a custom permissions profile.
" + }, "DescribeDashboard":{ "name":"DescribeDashboard", "http":{ @@ -1920,6 +2118,42 @@ ], "documentation":"Lists all asset bundle import jobs that have taken place in the last 14 days. Jobs created more than 14 days ago are deleted forever and are not returned. If you are using the same job ID for multiple jobs, ListAssetBundleImportJobs
only returns the most recent job that uses the repeated job ID.
Lists all brands in an Amazon QuickSight account.
" + }, + "ListCustomPermissions":{ + "name":"ListCustomPermissions", + "http":{ + "method":"GET", + "requestUri":"/accounts/{AwsAccountId}/custom-permissions" + }, + "input":{"shape":"ListCustomPermissionsRequest"}, + "output":{"shape":"ListCustomPermissionsResponse"}, + "errors":[ + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Returns a list of all the custom permissions profiles.
" + }, "ListDashboardVersions":{ "name":"ListDashboardVersions", "http":{ @@ -2816,6 +3050,86 @@ ], "documentation":"Updates the read and write permissions for an analysis.
" }, + "UpdateBrand":{ + "name":"UpdateBrand", + "http":{ + "method":"PUT", + "requestUri":"/accounts/{AwsAccountId}/brands/{BrandId}", + "responseCode":200 + }, + "input":{"shape":"UpdateBrandRequest"}, + "output":{"shape":"UpdateBrandResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Updates a brand.
", + "idempotent":true + }, + "UpdateBrandAssignment":{ + "name":"UpdateBrandAssignment", + "http":{ + "method":"PUT", + "requestUri":"/accounts/{AwsAccountId}/brandassignments", + "responseCode":200 + }, + "input":{"shape":"UpdateBrandAssignmentRequest"}, + "output":{"shape":"UpdateBrandAssignmentResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Updates a brand assignment.
", + "idempotent":true + }, + "UpdateBrandPublishedVersion":{ + "name":"UpdateBrandPublishedVersion", + "http":{ + "method":"PUT", + "requestUri":"/accounts/{AwsAccountId}/brands/{BrandId}/publishedversion", + "responseCode":200 + }, + "input":{"shape":"UpdateBrandPublishedVersionRequest"}, + "output":{"shape":"UpdateBrandPublishedVersionResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Updates the published version of a brand.
", + "idempotent":true + }, + "UpdateCustomPermissions":{ + "name":"UpdateCustomPermissions", + "http":{ + "method":"PUT", + "requestUri":"/accounts/{AwsAccountId}/custom-permissions/{CustomPermissionsName}" + }, + "input":{"shape":"UpdateCustomPermissionsRequest"}, + "output":{"shape":"UpdateCustomPermissionsResponse"}, + "errors":[ + {"shape":"ConflictException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Updates a custom permissions profile.
" + }, "UpdateDashboard":{ "name":"UpdateDashboard", "http":{ @@ -3380,6 +3694,26 @@ ], "documentation":"Updates an Amazon QuickSight user.
" }, + "UpdateUserCustomPermission":{ + "name":"UpdateUserCustomPermission", + "http":{ + "method":"PUT", + "requestUri":"/accounts/{AwsAccountId}/namespaces/{Namespace}/users/{UserName}/custom-permission" + }, + "input":{"shape":"UpdateUserCustomPermissionRequest"}, + "output":{"shape":"UpdateUserCustomPermissionResponse"}, + "errors":[ + {"shape":"ConflictException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Updates a custom permissions profile for a user.
" + }, "UpdateVPCConnection":{ "name":"UpdateVPCConnection", "http":{ @@ -3681,6 +4015,12 @@ }, "documentation":"An empty object that represents that the AllSheets
option is the chosen value for the FilterScopeConfiguration
parameter. This structure applies the filter to all visuals on all sheets of an Analysis, Dashboard, or Template.
This is a union type structure. For this structure to be valid, only one of the attributes can be defined.
" }, + "AltText":{ + "type":"string", + "max":512, + "min":1, + "pattern":"[ -ÿ]+" + }, "AmazonElasticsearchParameters":{ "type":"structure", "required":["Domain"], @@ -4106,6 +4446,20 @@ "type":"list", "member":{"shape":"AnswerId"} }, + "ApplicationTheme":{ + "type":"structure", + "members":{ + "BrandColorPalette":{ + "shape":"BrandColorPalette", + "documentation":"The color palette.
" + }, + "BrandElementStyle":{ + "shape":"BrandElementStyle", + "documentation":"The element style.
" + } + }, + "documentation":"The application theme.
" + }, "ArcAxisConfiguration":{ "type":"structure", "members":{ @@ -6519,6 +6873,180 @@ }, "documentation":"A box plot.
For more information, see Using box plots in the Amazon QuickSight User Guide.
" }, + "BrandColorPalette":{ + "type":"structure", + "members":{ + "Primary":{ + "shape":"Palette", + "documentation":"The primary color.
" + }, + "Secondary":{ + "shape":"Palette", + "documentation":"The secondary color.
" + }, + "Accent":{ + "shape":"Palette", + "documentation":"The color that is used for accent elements.
" + }, + "Measure":{ + "shape":"Palette", + "documentation":"The color that is used for measure elements.
" + }, + "Dimension":{ + "shape":"Palette", + "documentation":"The color that is used for dimension elements.
" + }, + "Success":{ + "shape":"Palette", + "documentation":"The color that is used for success elements.
" + }, + "Info":{ + "shape":"Palette", + "documentation":"The color that is used for info elements.
" + }, + "Warning":{ + "shape":"Palette", + "documentation":"The color that is used for warning elements.
" + }, + "Danger":{ + "shape":"Palette", + "documentation":"The color that is used for danger elements.
" + } + }, + "documentation":"The color palette.
" + }, + "BrandDefinition":{ + "type":"structure", + "required":["BrandName"], + "members":{ + "BrandName":{ + "shape":"Name", + "documentation":"The name of the brand.
" + }, + "Description":{ + "shape":"Description", + "documentation":"The description of the brand.
" + }, + "ApplicationTheme":{ + "shape":"ApplicationTheme", + "documentation":"The application theme of the brand.
" + }, + "LogoConfiguration":{ + "shape":"LogoConfiguration", + "documentation":"The logo configuration of the brand.
" + } + }, + "documentation":"The definition of the brand.
" + }, + "BrandDetail":{ + "type":"structure", + "required":["BrandId"], + "members":{ + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
" + }, + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the brand.
" + }, + "BrandStatus":{ + "shape":"BrandStatus", + "documentation":"The status of the brand.
" + }, + "CreatedTime":{ + "shape":"Timestamp", + "documentation":"The time that the brand was created.
" + }, + "LastUpdatedTime":{ + "shape":"Timestamp", + "documentation":"The last time the brand was updated.
" + }, + "VersionId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the version.
" + }, + "VersionStatus":{ + "shape":"BrandVersionStatus", + "documentation":"The status of the version.
" + }, + "Errors":{ + "shape":"ErrorList", + "documentation":"A list of errors that occurred during the most recent brand operation.
" + }, + "Logo":{ + "shape":"Logo", + "documentation":"The logo details.
" + } + }, + "documentation":"The details of the brand.
" + }, + "BrandElementStyle":{ + "type":"structure", + "members":{ + "NavbarStyle":{ + "shape":"NavbarStyle", + "documentation":"The navigation bar style.
" + } + }, + "documentation":"The element style.
" + }, + "BrandStatus":{ + "type":"string", + "enum":[ + "CREATE_IN_PROGRESS", + "CREATE_SUCCEEDED", + "CREATE_FAILED", + "DELETE_IN_PROGRESS", + "DELETE_FAILED" + ] + }, + "BrandSummary":{ + "type":"structure", + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the brand.
" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
" + }, + "BrandName":{ + "shape":"Name", + "documentation":"The name of the brand.
" + }, + "Description":{ + "shape":"Description", + "documentation":"The description of the brand.
" + }, + "BrandStatus":{ + "shape":"BrandStatus", + "documentation":"The status of the brand.
" + }, + "CreatedTime":{ + "shape":"Timestamp", + "documentation":"The time that the brand was created.
" + }, + "LastUpdatedTime":{ + "shape":"Timestamp", + "documentation":"The time when the brand was last updated.
" + } + }, + "documentation":"A summary of the brand.
" + }, + "BrandSummaryList":{ + "type":"list", + "member":{"shape":"BrandSummary"} + }, + "BrandVersionStatus":{ + "type":"string", + "enum":[ + "CREATE_IN_PROGRESS", + "CREATE_SUCCEEDED", + "CREATE_FAILED" + ] + }, "CIDR":{ "type":"string", "pattern":"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(3[0-2]|[1-2][0-9]|[1-9]))$" @@ -6659,6 +7187,84 @@ } } }, + "Capabilities":{ + "type":"structure", + "members":{ + "ExportToCsv":{ + "shape":"CapabilityState", + "documentation":"The ability to export to CSV files.
" + }, + "ExportToExcel":{ + "shape":"CapabilityState", + "documentation":"The ability to export to Excel files.
" + }, + "CreateAndUpdateThemes":{ + "shape":"CapabilityState", + "documentation":"The ability to export to Create and Update themes.
" + }, + "AddOrRunAnomalyDetectionForAnalyses":{ + "shape":"CapabilityState", + "documentation":"The ability to add or run anomaly detection.
" + }, + "ShareAnalyses":{ + "shape":"CapabilityState", + "documentation":"The ability to share analyses.
" + }, + "CreateAndUpdateDatasets":{ + "shape":"CapabilityState", + "documentation":"The ability to create and update datasets.
" + }, + "ShareDatasets":{ + "shape":"CapabilityState", + "documentation":"The ability to share datasets.
" + }, + "SubscribeDashboardEmailReports":{ + "shape":"CapabilityState", + "documentation":"The ability to subscribe to email reports.
" + }, + "CreateAndUpdateDashboardEmailReports":{ + "shape":"CapabilityState", + "documentation":"The ability to create and update email reports.
" + }, + "ShareDashboards":{ + "shape":"CapabilityState", + "documentation":"The ability to share dashboards.
" + }, + "CreateAndUpdateThresholdAlerts":{ + "shape":"CapabilityState", + "documentation":"The ability to create and update threshold alerts.
" + }, + "RenameSharedFolders":{ + "shape":"CapabilityState", + "documentation":"The ability to rename shared folders.
" + }, + "CreateSharedFolders":{ + "shape":"CapabilityState", + "documentation":"The ability to create shared folders.
" + }, + "CreateAndUpdateDataSources":{ + "shape":"CapabilityState", + "documentation":"The ability to create and update data sources.
" + }, + "ShareDataSources":{ + "shape":"CapabilityState", + "documentation":"The ability to share data sources.
" + }, + "ViewAccountSPICECapacity":{ + "shape":"CapabilityState", + "documentation":"The ability to view account SPICE capacity.
" + }, + "CreateSPICEDataset":{ + "shape":"CapabilityState", + "documentation":"The ability to create a SPICE dataset.
" + } + }, + "documentation":"A set of actions that correspond to Amazon QuickSight permissions.
" + }, + "CapabilityState":{ + "type":"string", + "enum":["DENY"] + }, "CascadingControlConfiguration":{ "type":"structure", "members":{ @@ -8158,6 +8764,52 @@ } } }, + "CreateBrandRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + }, + "Tags":{ + "shape":"TagList", + "documentation":"A map of the key-value pairs that are assigned to the brand.
" + } + } + }, + "CreateBrandResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandDetail":{ + "shape":"BrandDetail", + "documentation":"The details of the brand.
" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + } + } + }, "CreateColumnsOperation":{ "type":"structure", "required":["Columns"], @@ -8169,6 +8821,50 @@ }, "documentation":"A transform operation that creates calculated columns. Columns created in one such operation form a lexical closure.
" }, + "CreateCustomPermissionsRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "CustomPermissionsName" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that you want to create the custom permissions profile in.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions profile that you want to create.
" + }, + "Capabilities":{ + "shape":"Capabilities", + "documentation":"A set of actions to include in the custom permissions profile.
" + }, + "Tags":{ + "shape":"TagList", + "documentation":"The tags to associate with the custom permissions profile.
" + } + } + }, + "CreateCustomPermissionsResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
" + }, + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the custom permissions profile.
" + }, + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, "CreateDashboardRequest":{ "type":"structure", "required":[ @@ -9788,6 +10484,34 @@ }, "documentation":"The customized parameter values.
This is a union type structure. For this structure to be valid, only one of the attributes can be defined.
" }, + "CustomPermissions":{ + "type":"structure", + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the custom permissions profile.
" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions profile.
" + }, + "Capabilities":{ + "shape":"Capabilities", + "documentation":"A set of actions in the custom permissions profile.
" + } + }, + "documentation":"The custom permissions profile.
" + }, + "CustomPermissionsList":{ + "type":"list", + "member":{"shape":"CustomPermissions"} + }, + "CustomPermissionsName":{ + "type":"string", + "max":64, + "min":1, + "pattern":"^[a-zA-Z0-9+=,.@_-]+$" + }, "CustomSql":{ "type":"structure", "required":[ @@ -12191,6 +12915,95 @@ } } }, + "DeleteBrandAssignmentRequest":{ + "type":"structure", + "required":["AwsAccountId"], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand assignment.
", + "location":"uri", + "locationName":"AwsAccountId" + } + } + }, + "DeleteBrandAssignmentResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, + "DeleteBrandRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + } + } + }, + "DeleteBrandResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, + "DeleteCustomPermissionsRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "CustomPermissionsName" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that contains the custom permissions profile that you want to delete.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions profile that you want to delete.
", + "location":"uri", + "locationName":"CustomPermissionsName" + } + } + }, + "DeleteCustomPermissionsResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
" + }, + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the custom permissions profile.
" + }, + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, "DeleteDashboardRequest":{ "type":"structure", "required":[ @@ -13145,6 +13958,48 @@ } } }, + "DeleteUserCustomPermissionRequest":{ + "type":"structure", + "required":[ + "UserName", + "AwsAccountId", + "Namespace" + ], + "members":{ + "UserName":{ + "shape":"UserName", + "documentation":"The username of the user that you want to remove custom permissions from.
", + "location":"uri", + "locationName":"UserName" + }, + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that contains the custom permission configuration that you want to delete.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "Namespace":{ + "shape":"Namespace", + "documentation":"The namespace that the user belongs to.
", + "location":"uri", + "locationName":"Namespace" + } + } + }, + "DeleteUserCustomPermissionResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
", + "location":"statusCode" + } + } + }, "DeleteUserRequest":{ "type":"structure", "required":[ @@ -13696,6 +14551,151 @@ } } }, + "DescribeBrandAssignmentRequest":{ + "type":"structure", + "required":["AwsAccountId"], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand assignment.
", + "location":"uri", + "locationName":"AwsAccountId" + } + } + }, + "DescribeBrandAssignmentResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the brand.
" + } + } + }, + "DescribeBrandPublishedVersionRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + } + } + }, + "DescribeBrandPublishedVersionResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandDetail":{ + "shape":"BrandDetail", + "documentation":"The details of the brand.
" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + } + } + }, + "DescribeBrandRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + }, + "VersionId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the specific version. The default value is the latest version.
", + "location":"querystring", + "locationName":"versionId" + } + } + }, + "DescribeBrandResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandDetail":{ + "shape":"BrandDetail", + "documentation":"The details of the brand.
" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + } + } + }, + "DescribeCustomPermissionsRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "CustomPermissionsName" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that contains the custom permissions profile that you want described.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions profile to describe.
", + "location":"uri", + "locationName":"CustomPermissionsName" + } + } + }, + "DescribeCustomPermissionsResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
" + }, + "CustomPermissions":{ + "shape":"CustomPermissions", + "documentation":"The custom permissions profile.
" + }, + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, "DescribeDashboardDefinitionRequest":{ "type":"structure", "required":[ @@ -15484,6 +16484,12 @@ } } }, + "Description":{ + "type":"string", + "max":2048, + "min":1, + "pattern":"[ -ÿ]+" + }, "DestinationParameterValueConfiguration":{ "type":"structure", "members":{ @@ -15784,6 +16790,11 @@ }, "documentation":"Error information for the SPICE ingestion of a dataset.
" }, + "ErrorList":{ + "type":"list", + "member":{"shape":"ErrorMessage"} + }, + "ErrorMessage":{"type":"string"}, "ExasolParameters":{ "type":"structure", "required":[ @@ -18894,6 +19905,75 @@ "error":{"httpStatusCode":403}, "exception":true }, + "Image":{ + "type":"structure", + "members":{ + "Source":{ + "shape":"ImageSource", + "documentation":"The source of the logo image.
" + }, + "GeneratedImageUrl":{ + "shape":"String", + "documentation":"The URL that points to the generated logo image.
" + } + }, + "documentation":"The logo image.
" + }, + "ImageConfiguration":{ + "type":"structure", + "members":{ + "Source":{ + "shape":"ImageSource", + "documentation":"The source of the image.
" + } + }, + "documentation":"The logo image configuration.
" + }, + "ImageSet":{ + "type":"structure", + "required":["Original"], + "members":{ + "Original":{ + "shape":"Image", + "documentation":"The original image.
" + }, + "Height64":{ + "shape":"Image", + "documentation":"The image with the height set to 64 pixels.
" + }, + "Height32":{ + "shape":"Image", + "documentation":"The image with the height set to 32 pixels.
" + } + }, + "documentation":"The image set.
" + }, + "ImageSetConfiguration":{ + "type":"structure", + "required":["Original"], + "members":{ + "Original":{ + "shape":"ImageConfiguration", + "documentation":"The original image.
" + } + }, + "documentation":"The image set configuration.
" + }, + "ImageSource":{ + "type":"structure", + "members":{ + "PublicUrl":{ + "shape":"String", + "documentation":"The public URL that points to the source image.
" + }, + "S3Uri":{ + "shape":"String", + "documentation":"The Amazon S3 URI that points to the source image.
" + } + }, + "documentation":"The source of the image.
", + "union":true + }, "IncludeFolderMembers":{ "type":"string", "enum":[ @@ -19318,6 +20398,17 @@ "exception":true, "fault":true }, + "InternalServerException":{ + "type":"structure", + "required":["Message"], + "members":{ + "Message":{"shape":"String"} + }, + "documentation":"An internal service exception.
", + "error":{"httpStatusCode":500}, + "exception":true, + "fault":true + }, "InvalidNextTokenException":{ "type":"structure", "members":{ @@ -20334,6 +21425,44 @@ } } }, + "ListBrandsRequest":{ + "type":"structure", + "required":["AwsAccountId"], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brands that you want to list.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "MaxResults":{ + "shape":"MaxResults", + "documentation":"The maximum number of results to be returned in a single request.
", + "box":true, + "location":"querystring", + "locationName":"max-results" + }, + "NextToken":{ + "shape":"String", + "documentation":"The token for the next set of results, or null if there are no more results.
", + "location":"querystring", + "locationName":"next-token" + } + } + }, + "ListBrandsResponse":{ + "type":"structure", + "members":{ + "NextToken":{ + "shape":"String", + "documentation":"The token for the next set of results, or null if there are no more results.
" + }, + "Brands":{ + "shape":"BrandSummaryList", + "documentation":"A list of all brands in your Amazon Web Services account. This structure provides basic information about each brand.
" + } + } + }, "ListControlDisplayOptions":{ "type":"structure", "members":{ @@ -20376,6 +21505,53 @@ }, "documentation":"The configuration of the Select all
options in a list control.
The ID of the Amazon Web Services account that contains the custom permissions profiles that you want to list.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "MaxResults":{ + "shape":"MaxResults", + "documentation":"The maximum number of results to return.
", + "box":true, + "location":"querystring", + "locationName":"max-results" + }, + "NextToken":{ + "shape":"String", + "documentation":"The token for the next set of results, or null if there are no more results.
", + "location":"querystring", + "locationName":"next-token" + } + } + }, + "ListCustomPermissionsResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
", + "location":"statusCode" + }, + "CustomPermissionsList":{ + "shape":"CustomPermissionsList", + "documentation":"A list of custom permissions profiles.
" + }, + "NextToken":{ + "shape":"String", + "documentation":"The token for the next set of results, or null if there are no more results.
" + }, + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, "ListDashboardVersionsRequest":{ "type":"structure", "required":[ @@ -21974,6 +23150,72 @@ }, "documentation":"Information about the source of a logical table. This is a variant type structure. For this structure to be valid, only one of the attributes can be non-null.
" }, + "Logo":{ + "type":"structure", + "required":[ + "AltText", + "LogoSet" + ], + "members":{ + "AltText":{ + "shape":"AltText", + "documentation":"The alt text for the logo.
" + }, + "LogoSet":{ + "shape":"LogoSet", + "documentation":"A set of configured logos.
" + } + }, + "documentation":"The logo configuration.
" + }, + "LogoConfiguration":{ + "type":"structure", + "required":[ + "AltText", + "LogoSet" + ], + "members":{ + "AltText":{ + "shape":"String", + "documentation":"The alt text for the logo.
" + }, + "LogoSet":{ + "shape":"LogoSetConfiguration", + "documentation":"A set of configured logos.
" + } + }, + "documentation":"The logo configuration.
" + }, + "LogoSet":{ + "type":"structure", + "required":["Primary"], + "members":{ + "Primary":{ + "shape":"ImageSet", + "documentation":"The primary logo.
" + }, + "Favicon":{ + "shape":"ImageSet", + "documentation":"The favicon logo.
" + } + }, + "documentation":"A set of logos.
" + }, + "LogoSetConfiguration":{ + "type":"structure", + "required":["Primary"], + "members":{ + "Primary":{ + "shape":"ImageSetConfiguration", + "documentation":"The primary logo.
" + }, + "Favicon":{ + "shape":"ImageSetConfiguration", + "documentation":"The favicon logo.
" + } + }, + "documentation":"The logo set configuration.
" + }, "Long":{"type":"long"}, "LongFormatText":{ "type":"structure", @@ -22305,6 +23547,12 @@ }, "documentation":"The parameters for MySQL.
" }, + "Name":{ + "type":"string", + "max":512, + "min":1, + "pattern":"[ -ÿ]+" + }, "NamedEntityAggType":{ "type":"string", "enum":[ @@ -22478,6 +23726,20 @@ "type":"string", "max":150000 }, + "NavbarStyle":{ + "type":"structure", + "members":{ + "GlobalNavbar":{ + "shape":"Palette", + "documentation":"The global navigation bar style.
" + }, + "ContextualNavbar":{ + "shape":"Palette", + "documentation":"The contextual navigation bar style.
" + } + }, + "documentation":"The navigation bar style.
" + }, "NegativeFormat":{ "type":"structure", "members":{ @@ -23106,6 +24368,20 @@ }, "documentation":"The pagination configuration for a table visual or boxplot.
" }, + "Palette":{ + "type":"structure", + "members":{ + "Foreground":{ + "shape":"HexColor", + "documentation":"The foreground color.
" + }, + "Background":{ + "shape":"HexColor", + "documentation":"The background color.
" + } + }, + "documentation":"The color palette.
" + }, "PanelBorderStyle":{ "type":"string", "enum":[ @@ -31942,6 +33218,161 @@ } } }, + "UpdateBrandAssignmentRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandArn" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand assignment.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the brand.
" + } + } + }, + "UpdateBrandAssignmentResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the brand.
" + } + } + }, + "UpdateBrandPublishedVersionRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId", + "VersionId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + }, + "VersionId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the published version.
" + } + } + }, + "UpdateBrandPublishedVersionResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "VersionId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the published version.
" + } + } + }, + "UpdateBrandRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + } + } + }, + "UpdateBrandResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandDetail":{ + "shape":"BrandDetail", + "documentation":"The details of the brand.
" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + } + } + }, + "UpdateCustomPermissionsRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "CustomPermissionsName" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that contains the custom permissions profile that you want to update.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions profile that you want to update.
", + "location":"uri", + "locationName":"CustomPermissionsName" + }, + "Capabilities":{ + "shape":"Capabilities", + "documentation":"A set of actions to include in the custom permissions profile.
" + } + } + }, + "UpdateCustomPermissionsResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
" + }, + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the custom permissions profile.
" + }, + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, "UpdateDashboardLinksRequest":{ "type":"structure", "required":[ @@ -33523,6 +34954,53 @@ } } }, + "UpdateUserCustomPermissionRequest":{ + "type":"structure", + "required":[ + "UserName", + "AwsAccountId", + "Namespace", + "CustomPermissionsName" + ], + "members":{ + "UserName":{ + "shape":"UserName", + "documentation":"The username of the user that you want to update custom permissions for.
", + "location":"uri", + "locationName":"UserName" + }, + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that contains the custom permission configuration that you want to update.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "Namespace":{ + "shape":"Namespace", + "documentation":"The namespace that the user belongs to.
", + "location":"uri", + "locationName":"Namespace" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions that you want to update.
" + } + } + }, + "UpdateUserCustomPermissionResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
", + "location":"statusCode" + } + } + }, "UpdateUserRequest":{ "type":"structure", "required":[ diff --git a/botocore/data/redshift/2012-12-01/service-2.json b/botocore/data/redshift/2012-12-01/service-2.json index aedb38de4b..ef3556cb31 100644 --- a/botocore/data/redshift/2012-12-01/service-2.json +++ b/botocore/data/redshift/2012-12-01/service-2.json @@ -9441,6 +9441,17 @@ } } }, + "ReadWriteAccess":{ + "type":"structure", + "required":["Authorization"], + "members":{ + "Authorization":{ + "shape":"ServiceAuthorization", + "documentation":"Determines whether the read/write scope is enabled or disabled.
" + } + }, + "documentation":"The S3 Access Grants scope.
" + }, "RebootClusterMessage":{ "type":"structure", "required":["ClusterIdentifier"], @@ -10585,6 +10596,21 @@ "Cluster":{"shape":"Cluster"} } }, + "S3AccessGrantsScopeUnion":{ + "type":"structure", + "members":{ + "ReadWriteAccess":{ + "shape":"ReadWriteAccess", + "documentation":"The S3 Access Grants scope.
" + } + }, + "documentation":"A list of scopes set up for S3 Access Grants integration.
", + "union":true + }, + "S3AccessGrantsServiceIntegrations":{ + "type":"list", + "member":{"shape":"S3AccessGrantsScopeUnion"} + }, "S3KeyPrefixValue":{ "type":"string", "max":256, @@ -10877,6 +10903,10 @@ "LakeFormation":{ "shape":"LakeFormationServiceIntegrations", "documentation":"A list of scopes set up for Lake Formation integration.
" + }, + "S3AccessGrants":{ + "shape":"S3AccessGrantsServiceIntegrations", + "documentation":"A list of scopes set up for S3 Access Grants integration.
" } }, "documentation":"A list of service integrations.
", diff --git a/botocore/data/s3/2006-03-01/service-2.json b/botocore/data/s3/2006-03-01/service-2.json index 0468eafb11..63ad5c46e0 100644 --- a/botocore/data/s3/2006-03-01/service-2.json +++ b/botocore/data/s3/2006-03-01/service-2.json @@ -28,7 +28,7 @@ {"shape":"NoSuchUpload"} ], "documentationUrl":"http://docs.amazonwebservices.com/AmazonS3/latest/API/mpUploadAbort.html", - "documentation":"This operation aborts a multipart upload. After a multipart upload is aborted, no additional parts can be uploaded using that upload ID. The storage consumed by any previously uploaded parts will be freed. However, if any part uploads are currently in progress, those part uploads might or might not succeed. As a result, it might be necessary to abort a given multipart upload multiple times in order to completely free all storage consumed by all parts.
To verify that all parts have been removed and prevent getting charged for the part storage, you should call the ListParts API operation and ensure that the parts list is empty.
Directory buckets - If multipart uploads in a directory bucket are in progress, you can't delete the bucket until all the in-progress multipart uploads are aborted or completed. To delete these in-progress multipart uploads, use the ListMultipartUploads
operation to list the in-progress multipart uploads in the bucket and use the AbortMultupartUpload
operation to abort all the in-progress multipart uploads.
Directory buckets - For directory buckets, you must make requests for this API operation to the Zonal endpoint. These endpoints support virtual-hosted-style requests in the format https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
. Path-style requests are not supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
General purpose bucket permissions - For information about permissions required to use the multipart upload, see Multipart Upload and Permissions in the Amazon S3 User Guide.
Directory bucket permissions - To grant access to this API operation on a directory bucket, we recommend that you use the CreateSession
API operation for session-based authorization. Specifically, you grant the s3express:CreateSession
permission to the directory bucket in a bucket policy or an IAM identity-based policy. Then, you make the CreateSession
API call on the bucket to obtain a session token. With the session token in your request header, you can make API requests to this operation. After the session token expires, you make another CreateSession
API call to generate a new session token for use. Amazon Web Services CLI or SDKs create session and refresh the session token automatically to avoid service interruptions when a session expires. For more information about authorization, see CreateSession
.
Directory buckets - The HTTP Host header syntax is Bucket_name.s3express-az_id.region.amazonaws.com
.
The following operations are related to AbortMultipartUpload
:
This operation aborts a multipart upload. After a multipart upload is aborted, no additional parts can be uploaded using that upload ID. The storage consumed by any previously uploaded parts will be freed. However, if any part uploads are currently in progress, those part uploads might or might not succeed. As a result, it might be necessary to abort a given multipart upload multiple times in order to completely free all storage consumed by all parts.
To verify that all parts have been removed and prevent getting charged for the part storage, you should call the ListParts API operation and ensure that the parts list is empty.
Directory buckets - If multipart uploads in a directory bucket are in progress, you can't delete the bucket until all the in-progress multipart uploads are aborted or completed. To delete these in-progress multipart uploads, use the ListMultipartUploads
operation to list the in-progress multipart uploads in the bucket and use the AbortMultipartUpload
operation to abort all the in-progress multipart uploads.
Directory buckets - For directory buckets, you must make requests for this API operation to the Zonal endpoint. These endpoints support virtual-hosted-style requests in the format https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
. Path-style requests are not supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
General purpose bucket permissions - For information about permissions required to use the multipart upload, see Multipart Upload and Permissions in the Amazon S3 User Guide.
Directory bucket permissions - To grant access to this API operation on a directory bucket, we recommend that you use the CreateSession
API operation for session-based authorization. Specifically, you grant the s3express:CreateSession
permission to the directory bucket in a bucket policy or an IAM identity-based policy. Then, you make the CreateSession
API call on the bucket to obtain a session token. With the session token in your request header, you can make API requests to this operation. After the session token expires, you make another CreateSession
API call to generate a new session token for use. Amazon Web Services CLI or SDKs create session and refresh the session token automatically to avoid service interruptions when a session expires. For more information about authorization, see CreateSession
.
Directory buckets - The HTTP Host header syntax is Bucket_name.s3express-az_id.region.amazonaws.com
.
The following operations are related to AbortMultipartUpload
:
This operation is not supported by directory buckets.
Returns a list of all buckets owned by the authenticated sender of the request. To use this operation, you must have the s3:ListAllMyBuckets
permission.
For information about Amazon S3 buckets, see Creating, configuring, and working with Amazon S3 buckets.
", + "documentation":"This operation is not supported by directory buckets.
Returns a list of all buckets owned by the authenticated sender of the request. To use this operation, you must have the s3:ListAllMyBuckets
permission.
For information about Amazon S3 buckets, see Creating, configuring, and working with Amazon S3 buckets.
We strongly recommend using only paginated requests. Unpaginated requests are only supported for Amazon Web Services accounts set to the default general purpose bucket quota of 10,000. If you have an approved general purpose bucket quota above 10,000, you must send paginated requests to list your account’s buckets. All unpaginated ListBuckets requests will be rejected for Amazon Web Services accounts with a general purpose bucket quota greater than 10,000.
Returns a list of all Amazon S3 directory buckets owned by the authenticated sender of the request. For more information about directory buckets, see Directory buckets in the Amazon S3 User Guide.
Directory buckets - For directory buckets, you must make requests for this API operation to the Regional endpoint. These endpoints support path-style requests in the format https://s3express-control.region_code.amazonaws.com/bucket-name
. Virtual-hosted-style requests aren't supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
You must have the s3express:ListAllMyDirectoryBuckets
permission in an IAM identity-based policy instead of a bucket policy. Cross-account access to this API operation isn't supported. This operation can only be performed by the Amazon Web Services account that owns the resource. For more information about directory bucket policies and permissions, see Amazon Web Services Identity and Access Management (IAM) for S3 Express One Zone in the Amazon S3 User Guide.
Directory buckets - The HTTP Host header syntax is s3express-control.region.amazonaws.com
.
Returns a list of all Amazon S3 directory buckets owned by the authenticated sender of the request. For more information about directory buckets, see Directory buckets in the Amazon S3 User Guide.
Directory buckets - For directory buckets, you must make requests for this API operation to the Regional endpoint. These endpoints support path-style requests in the format https://s3express-control.region_code.amazonaws.com/bucket-name
. Virtual-hosted-style requests aren't supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
You must have the s3express:ListAllMyDirectoryBuckets
permission in an IAM identity-based policy instead of a bucket policy. Cross-account access to this API operation isn't supported. This operation can only be performed by the Amazon Web Services account that owns the resource. For more information about directory bucket policies and permissions, see Amazon Web Services Identity and Access Management (IAM) for S3 Express One Zone in the Amazon S3 User Guide.
Directory buckets - The HTTP Host header syntax is s3express-control.region.amazonaws.com
.
The BucketRegion
response element is not part of the ListDirectoryBuckets
Response Syntax.
This operation lists in-progress multipart uploads in a bucket. An in-progress multipart upload is a multipart upload that has been initiated by the CreateMultipartUpload
request, but has not yet been completed or aborted.
Directory buckets - If multipart uploads in a directory bucket are in progress, you can't delete the bucket until all the in-progress multipart uploads are aborted or completed. To delete these in-progress multipart uploads, use the ListMultipartUploads
operation to list the in-progress multipart uploads in the bucket and use the AbortMultupartUpload
operation to abort all the in-progress multipart uploads.
The ListMultipartUploads
operation returns a maximum of 1,000 multipart uploads in the response. The limit of 1,000 multipart uploads is also the default value. You can further limit the number of uploads in a response by specifying the max-uploads
request parameter. If there are more than 1,000 multipart uploads that satisfy your ListMultipartUploads
request, the response returns an IsTruncated
element with the value of true
, a NextKeyMarker
element, and a NextUploadIdMarker
element. To list the remaining multipart uploads, you need to make subsequent ListMultipartUploads
requests. In these requests, include two query parameters: key-marker
and upload-id-marker
. Set the value of key-marker
to the NextKeyMarker
value from the previous response. Similarly, set the value of upload-id-marker
to the NextUploadIdMarker
value from the previous response.
Directory buckets - The upload-id-marker
element and the NextUploadIdMarker
element aren't supported by directory buckets. To list the additional multipart uploads, you only need to set the value of key-marker
to the NextKeyMarker
value from the previous response.
For more information about multipart uploads, see Uploading Objects Using Multipart Upload in the Amazon S3 User Guide.
Directory buckets - For directory buckets, you must make requests for this API operation to the Zonal endpoint. These endpoints support virtual-hosted-style requests in the format https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
. Path-style requests are not supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
General purpose bucket permissions - For information about permissions required to use the multipart upload API, see Multipart Upload and Permissions in the Amazon S3 User Guide.
Directory bucket permissions - To grant access to this API operation on a directory bucket, we recommend that you use the CreateSession
API operation for session-based authorization. Specifically, you grant the s3express:CreateSession
permission to the directory bucket in a bucket policy or an IAM identity-based policy. Then, you make the CreateSession
API call on the bucket to obtain a session token. With the session token in your request header, you can make API requests to this operation. After the session token expires, you make another CreateSession
API call to generate a new session token for use. Amazon Web Services CLI or SDKs create session and refresh the session token automatically to avoid service interruptions when a session expires. For more information about authorization, see CreateSession
.
General purpose bucket - In the ListMultipartUploads
response, the multipart uploads are sorted based on two criteria:
Key-based sorting - Multipart uploads are initially sorted in ascending order based on their object keys.
Time-based sorting - For uploads that share the same object key, they are further sorted in ascending order based on the upload initiation time. Among uploads with the same key, the one that was initiated first will appear before the ones that were initiated later.
Directory bucket - In the ListMultipartUploads
response, the multipart uploads aren't sorted lexicographically based on the object keys.
Directory buckets - The HTTP Host header syntax is Bucket_name.s3express-az_id.region.amazonaws.com
.
The following operations are related to ListMultipartUploads
:
This operation lists in-progress multipart uploads in a bucket. An in-progress multipart upload is a multipart upload that has been initiated by the CreateMultipartUpload
request, but has not yet been completed or aborted.
Directory buckets - If multipart uploads in a directory bucket are in progress, you can't delete the bucket until all the in-progress multipart uploads are aborted or completed. To delete these in-progress multipart uploads, use the ListMultipartUploads
operation to list the in-progress multipart uploads in the bucket and use the AbortMultipartUpload
operation to abort all the in-progress multipart uploads.
The ListMultipartUploads
operation returns a maximum of 1,000 multipart uploads in the response. The limit of 1,000 multipart uploads is also the default value. You can further limit the number of uploads in a response by specifying the max-uploads
request parameter. If there are more than 1,000 multipart uploads that satisfy your ListMultipartUploads
request, the response returns an IsTruncated
element with the value of true
, a NextKeyMarker
element, and a NextUploadIdMarker
element. To list the remaining multipart uploads, you need to make subsequent ListMultipartUploads
requests. In these requests, include two query parameters: key-marker
and upload-id-marker
. Set the value of key-marker
to the NextKeyMarker
value from the previous response. Similarly, set the value of upload-id-marker
to the NextUploadIdMarker
value from the previous response.
Directory buckets - The upload-id-marker
element and the NextUploadIdMarker
element aren't supported by directory buckets. To list the additional multipart uploads, you only need to set the value of key-marker
to the NextKeyMarker
value from the previous response.
For more information about multipart uploads, see Uploading Objects Using Multipart Upload in the Amazon S3 User Guide.
Directory buckets - For directory buckets, you must make requests for this API operation to the Zonal endpoint. These endpoints support virtual-hosted-style requests in the format https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
. Path-style requests are not supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
General purpose bucket permissions - For information about permissions required to use the multipart upload API, see Multipart Upload and Permissions in the Amazon S3 User Guide.
Directory bucket permissions - To grant access to this API operation on a directory bucket, we recommend that you use the CreateSession
API operation for session-based authorization. Specifically, you grant the s3express:CreateSession
permission to the directory bucket in a bucket policy or an IAM identity-based policy. Then, you make the CreateSession
API call on the bucket to obtain a session token. With the session token in your request header, you can make API requests to this operation. After the session token expires, you make another CreateSession
API call to generate a new session token for use. Amazon Web Services CLI or SDKs create session and refresh the session token automatically to avoid service interruptions when a session expires. For more information about authorization, see CreateSession
.
General purpose bucket - In the ListMultipartUploads
response, the multipart uploads are sorted based on two criteria:
Key-based sorting - Multipart uploads are initially sorted in ascending order based on their object keys.
Time-based sorting - For uploads that share the same object key, they are further sorted in ascending order based on the upload initiation time. Among uploads with the same key, the one that was initiated first will appear before the ones that were initiated later.
Directory bucket - In the ListMultipartUploads
response, the multipart uploads aren't sorted lexicographically based on the object keys.
Directory buckets - The HTTP Host header syntax is Bucket_name.s3express-az_id.region.amazonaws.com
.
The following operations are related to ListMultipartUploads
:
ContinuationToken
indicates to Amazon S3 that the list is being continued on this bucket with a token. ContinuationToken
is obfuscated and is not a real key. You can use this ContinuationToken
for pagination of the list results.
Length Constraints: Minimum length of 0. Maximum length of 1024.
Required: No.
", + "documentation":" ContinuationToken
indicates to Amazon S3 that the list is being continued on this bucket with a token. ContinuationToken
is obfuscated and is not a real key. You can use this ContinuationToken
for pagination of the list results.
Length Constraints: Minimum length of 0. Maximum length of 1024.
Required: No.
If you specify the bucket-region
, prefix
, or continuation-token
query parameters without using max-buckets
to set the maximum number of buckets returned in the response, Amazon S3 applies a default page size of 10,000 and provides a continuation token if there are more buckets.
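Review bot: The sentence added to the ContinuationToken documentation states the default page size of 10,000 only for requests that specify bucket-region, prefix, or continuation-token without max-buckets, and says nothing about what is returned when none of those parameters is set. Suggest stating that case explicitly. Since this paragraph describes max-buckets behaviour more than the token itself, it would also read better before the "Length Constraints" and "Required: No." lines than after them, where it looks like part of the constraints. It would also help to say that a caller must keep sending the returned continuation token until none comes back, because a bucket inventory or audit script that reads only the first page would silently miss buckets.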
Returns a set of temporary security credentials that you can use to access Amazon Web Services resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole
within your account or for cross-account access. For a comparison of AssumeRole
with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRole
can be used to make API calls to any Amazon Web Services service with the following exception: You cannot call the Amazon Web Services STS GetFederationToken
or GetSessionToken
API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
When you create a role, you create two policies: a role trust policy that specifies who can assume the role, and a permissions policy that specifies what can be done with the role. You specify the trusted principal that is allowed to assume the role in the role trust policy.
To assume a role from a different account, your Amazon Web Services account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account.
A user who wants to access a role in a different account must also have permissions that are delegated from the account administrator. The administrator must attach a policy that allows the user to call AssumeRole
for the ARN of the role in the other account.
To allow a user to assume a role in the same account, you can do either of the following:
Attach a policy to the user that allows the user to call AssumeRole
(as long as the role's trust policy trusts the account).
Add the user as a principal directly in the role's trust policy.
You can do either because the role’s trust policy acts as an IAM resource-based policy. When a resource-based policy grants access to a principal in the same account, no additional identity-based policy is required. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.
Tags
(Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Using MFA with AssumeRole
(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole
. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.
\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.
To use MFA with AssumeRole
, you pass values for the SerialNumber
and TokenCode
parameters. The SerialNumber
value identifies the user's hardware or virtual MFA device. The TokenCode
is the time-based one-time password (TOTP) that the MFA device produces.
Returns a set of temporary security credentials that you can use to access Amazon Web Services resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole
within your account or for cross-account access. For a comparison of AssumeRole
with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Compare STS credentials in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRole
can be used to make API calls to any Amazon Web Services service with the following exception: You cannot call the Amazon Web Services STS GetFederationToken
or GetSessionToken
API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
When you create a role, you create two policies: a role trust policy that specifies who can assume the role, and a permissions policy that specifies what can be done with the role. You specify the trusted principal that is allowed to assume the role in the role trust policy.
To assume a role from a different account, your Amazon Web Services account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account.
A user who wants to access a role in a different account must also have permissions that are delegated from the account administrator. The administrator must attach a policy that allows the user to call AssumeRole
for the ARN of the role in the other account.
To allow a user to assume a role in the same account, you can do either of the following:
Attach a policy to the user that allows the user to call AssumeRole
(as long as the role's trust policy trusts the account).
Add the user as a principal directly in the role's trust policy.
You can do either because the role’s trust policy acts as an IAM resource-based policy. When a resource-based policy grants access to a principal in the same account, no additional identity-based policy is required. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.
Tags
(Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Using MFA with AssumeRole
(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole
. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.
\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.
To use MFA with AssumeRole
, you pass values for the SerialNumber
and TokenCode
parameters. The SerialNumber
value identifies the user's hardware or virtual MFA device. The TokenCode
is the time-based one-time password (TOTP) that the MFA device produces.
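Review bot: The replacement AssumeRole documentation string still ends the MFA paragraph with "see Configuring MFA-Protected API Access in the IAM User Guide guide", with the duplicated word carried over unchanged from the old string. The only visible difference between the old and new strings is the link title "Comparing the Amazon Web Services STS API operations" becoming "Compare STS credentials", so the same pass over link titles could drop the stray "guide".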
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based Amazon Web Services access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to Amazon Web Services services.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithSAML
last for one hour. However, you can use the optional DurationSeconds
parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter
value, whichever is shorter. You can provide a DurationSeconds
value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole*
API operations or the assume-role*
CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Role chaining limits your CLI or Amazon Web Services API role session to a maximum of one hour. When you use the AssumeRole
API operation to assume a role, you can specify the duration of your role session with the DurationSeconds
parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds
parameter value greater than one hour, the operation fails.
Permissions
The temporary security credentials created by AssumeRoleWithSAML
can be used to make API calls to any Amazon Web Services service with the following exception: you cannot call the STS GetFederationToken
or GetSessionToken
API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Calling AssumeRoleWithSAML
does not require the use of Amazon Web Services security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML
can result in an entry in your CloudTrail logs. The entry includes the value in the NameID
element of the SAML assertion. We recommend that you use a NameIDType
that is not associated with any personally identifiable information (PII). For example, you could instead use the persistent identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
).
Tags
(Optional) You can configure your IdP to pass attributes into your SAML assertion as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize
response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, session tags override the role's tags with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
SAML Configuration
Before your application can call AssumeRoleWithSAML
, you must configure your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.
For more information, see the following resources:
About SAML 2.0-based Federation in the IAM User Guide.
Creating SAML Identity Providers in the IAM User Guide.
Configuring a Relying Party and Claims in the IAM User Guide.
Creating a Role for SAML 2.0 Federation in the IAM User Guide.
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based Amazon Web Services access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Compare STS credentials in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to Amazon Web Services services.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithSAML
last for one hour. However, you can use the optional DurationSeconds
parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter
value, whichever is shorter. You can provide a DurationSeconds
value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole*
API operations or the assume-role*
CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Role chaining limits your CLI or Amazon Web Services API role session to a maximum of one hour. When you use the AssumeRole
API operation to assume a role, you can specify the duration of your role session with the DurationSeconds
parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds
parameter value greater than one hour, the operation fails.
Permissions
The temporary security credentials created by AssumeRoleWithSAML
can be used to make API calls to any Amazon Web Services service with the following exception: you cannot call the STS GetFederationToken
or GetSessionToken
API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Calling AssumeRoleWithSAML
does not require the use of Amazon Web Services security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML
can result in an entry in your CloudTrail logs. The entry includes the value in the NameID
element of the SAML assertion. We recommend that you use a NameIDType
that is not associated with any personally identifiable information (PII). For example, you could instead use the persistent identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
).
Tags
(Optional) You can configure your IdP to pass attributes into your SAML assertion as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize
response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, session tags override the role's tags with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
SAML Configuration
Before your application can call AssumeRoleWithSAML
, you must configure your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.
For more information, see the following resources:
About SAML 2.0-based Federation in the IAM User Guide.
Creating SAML Identity Providers in the IAM User Guide.
Configuring a Relying Party and Claims in the IAM User Guide.
Creating a Role for SAML 2.0 Federation in the IAM User Guide.
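Review bot: The new AssumeRoleWithSAML string keeps the link title "View the Maximum Session Duration Setting for a Role" in the Session Duration paragraph, while the new AssumeRoleWithWebIdentity string in this same patch changes that title to "Update the maximum session duration for a role". If both point to the same IAM User Guide topic, the titles should match. Otherwise readers comparing the two operations will assume there are two different pages describing the session duration limit. The "Compare STS credentials" rename was applied consistently to both strings, so this looks like an omission rather than intent.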
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible identity provider such as Google or Amazon Cognito federated identities.
For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide and the Amazon Web Services SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.
To learn more about Amazon Cognito, see Amazon Cognito identity pools in Amazon Cognito Developer Guide.
Calling AssumeRoleWithWebIdentity
does not require the use of Amazon Web Services security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term Amazon Web Services credentials in the application. You also don't need to deploy server-based proxy services that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to Amazon Web Services service API operations.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithWebIdentity
last for one hour. However, you can use the optional DurationSeconds
parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole*
API operations or the assume-role*
CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRoleWithWebIdentity
can be used to make API calls to any Amazon Web Services service with the following exception: you cannot call the STS GetFederationToken
or GetSessionToken
API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Tags
(Optional) You can configure your IdP to pass attributes into your web identity token as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize
response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, the session tag overrides the role tag with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Identities
Before your application can call AssumeRoleWithWebIdentity
, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.
Calling AssumeRoleWithWebIdentity
can result in an entry in your CloudTrail logs. The entry includes the Subject of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.
For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
API, see the following resources:
Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
Web Identity Federation Playground. Walk through the process of authenticating through Login with Amazon, Facebook, or Google, getting temporary security credentials, and then using those credentials to make a request to Amazon Web Services.
Amazon Web Services SDK for iOS Developer Guide and Amazon Web Services SDK for Android Developer Guide. These toolkits contain sample apps that show how to invoke the identity providers. The toolkits then show how to use the information from these providers to get and use temporary security credentials.
Web Identity Federation with Mobile Applications. This article discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3.
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible identity provider such as Google or Amazon Cognito federated identities.
For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide and the Amazon Web Services SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.
To learn more about Amazon Cognito, see Amazon Cognito identity pools in Amazon Cognito Developer Guide.
Calling AssumeRoleWithWebIdentity
does not require the use of Amazon Web Services security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term Amazon Web Services credentials in the application. You also don't need to deploy server-based proxy services that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Compare STS credentials in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to Amazon Web Services service API operations.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithWebIdentity
last for one hour. However, you can use the optional DurationSeconds
parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see Update the maximum session duration for a role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole*
API operations or the assume-role*
CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRoleWithWebIdentity
can be used to make API calls to any Amazon Web Services service with the following exception: you cannot call the STS GetFederationToken
or GetSessionToken
API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Tags
(Optional) You can configure your IdP to pass attributes into your web identity token as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize
response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, the session tag overrides the role tag with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Identities
Before your application can call AssumeRoleWithWebIdentity
, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.
Calling AssumeRoleWithWebIdentity
can result in an entry in your CloudTrail logs. The entry includes the Subject of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.
For more information about how to use OIDC federation and the AssumeRoleWithWebIdentity
API, see the following resources:
Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
Amazon Web Services SDK for iOS Developer Guide and Amazon Web Services SDK for Android Developer Guide. These toolkits contain sample apps that show how to invoke the identity providers. The toolkits then show how to use the information from these providers to get and use temporary security credentials.
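Review bot: The added AssumeRoleWithWebIdentity text mixes two terms for the same feature. The resources lead-in now says "OIDC federation", while the opening paragraph still speaks of a "web identity provider" and names the OAuth 2.0 providers Login with Amazon and Facebook, and the first resource is still titled "Using Web Identity Federation API Operations for Mobile Apps". Either use one term throughout the string or add a sentence saying that the two names refer to the same mechanism, so readers who write trust policies do not take them for different federation paths.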
Returns a set of short term credentials you can use to perform privileged tasks in a member account.
Before you can launch a privileged session, you must have enabled centralized root access in your organization. For steps to enable this feature, see Centralize root access for member accounts in the IAM User Guide.
The global endpoint is not supported for AssumeRoot. You must send this request to a Regional STS endpoint. For more information, see Endpoints.
You can track AssumeRoot in CloudTrail logs to determine what actions were performed in a session. For more information, see Track privileged tasks in CloudTrail in the IAM User Guide.
" }, "DecodeAuthorizationMessage":{ "name":"DecodeAuthorizationMessage", @@ -133,7 +152,7 @@ {"shape":"PackedPolicyTooLargeException"}, {"shape":"RegionDisabledException"} ], - "documentation":"Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.
You must call the GetFederationToken
operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safeguarded, usually in a server-based application. For a comparison of GetFederationToken
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.
Although it is possible to call GetFederationToken
using the security credentials of an Amazon Web Services account root user rather than an IAM user that you create for the purpose of a proxy application, we do not recommend it. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials obtained by using the root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken
in any Amazon Web Services service with the following exceptions:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.
You cannot call any STS operations except GetCallerIdentity
.
You can use temporary credentials for single sign-on (SSO) to the console.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal
element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department
and department
tag keys. Assume that the user that you are federating has the Department
=Marketing
tag and you pass the department
=engineering
session tag. Department
and department
are not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.
Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.
You must call the GetFederationToken
operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safeguarded, usually in a server-based application. For a comparison of GetFederationToken
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Compare STS credentials in the IAM User Guide.
Although it is possible to call GetFederationToken
using the security credentials of an Amazon Web Services account root user rather than an IAM user that you create for the purpose of a proxy application, we do not recommend it. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials obtained by using the root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken
in any Amazon Web Services service with the following exceptions:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.
You cannot call any STS operations except GetCallerIdentity
.
You can use temporary credentials for single sign-on (SSO) to the console.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal
element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department
and department
tag keys. Assume that the user that you are federating has the Department
=Marketing
tag and you pass the department
=engineering
session tag. Department
and department
are not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.
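Review bot: The re-added GetFederationToken string still contradicts itself in the Permissions section. "You must pass an inline or managed session policy to this operation" is followed directly by "Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions". Since the line is being touched anyway (the only visible change is the link title "Compare STS credentials"), reword the first sentence to "You can pass" and keep the no-permissions warning next to it. The Tags section also repeats the paragraph "You can create a mobile-based or browser-based app ..." from earlier in the string, where it has nothing to do with session tags; drop the second copy.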
Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken
if you want to use MFA to protect programmatic calls to specific Amazon Web Services API operations like Amazon EC2 StopInstances
.
MFA-enabled IAM users must call GetSessionToken
and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that the call returns, IAM users can then make programmatic calls to API operations that require MFA authentication. An incorrect MFA code causes the API to return an access denied error. For a comparison of GetSessionToken
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.
No permissions are required for users to perform this operation. The purpose of the sts:GetSessionToken
operation is to authenticate the user using MFA. You cannot use policies to control authentication operations. For more information, see Permissions for GetSessionToken in the IAM User Guide.
Session Duration
The GetSessionToken
operation must be called by using the long-term Amazon Web Services security credentials of an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions
The temporary security credentials created by GetSessionToken
can be used to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is included in the request.
You cannot call any STS API except AssumeRole
or GetCallerIdentity
.
The credentials that GetSessionToken
returns are based on permissions associated with the IAM user whose credentials were used to call the operation. The temporary credentials have the same permissions as the IAM user.
Although it is possible to call GetSessionToken
using the security credentials of an Amazon Web Services account root user rather than an IAM user, we do not recommend it. If GetSessionToken
is called using root user credentials, the temporary credentials have root user permissions. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the IAM User Guide
For more information about using GetSessionToken
to create temporary credentials, see Temporary Credentials for Users in Untrusted Environments in the IAM User Guide.
Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken
if you want to use MFA to protect programmatic calls to specific Amazon Web Services API operations like Amazon EC2 StopInstances
.
MFA-enabled IAM users must call GetSessionToken
and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that the call returns, IAM users can then make programmatic calls to API operations that require MFA authentication. An incorrect MFA code causes the API to return an access denied error. For a comparison of GetSessionToken
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Compare STS credentials in the IAM User Guide.
No permissions are required for users to perform this operation. The purpose of the sts:GetSessionToken
operation is to authenticate the user using MFA. You cannot use policies to control authentication operations. For more information, see Permissions for GetSessionToken in the IAM User Guide.
Session Duration
The GetSessionToken
operation must be called by using the long-term Amazon Web Services security credentials of an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions
The temporary security credentials created by GetSessionToken
can be used to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is included in the request.
You cannot call any STS API except AssumeRole
or GetCallerIdentity
.
The credentials that GetSessionToken
returns are based on permissions associated with the IAM user whose credentials were used to call the operation. The temporary credentials have the same permissions as the IAM user.
Although it is possible to call GetSessionToken
using the security credentials of an Amazon Web Services account root user rather than an IAM user, we do not recommend it. If GetSessionToken
is called using root user credentials, the temporary credentials have root user permissions. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the IAM User Guide
For more information about using GetSessionToken
to create temporary credentials, see Temporary Credentials for Users in Untrusted Environments in the IAM User Guide.
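Review bot: In the added GetSessionToken string, the sentence "For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the IAM User Guide" has no terminal period, so it runs into "For more information about using GetSessionToken". The same defect is carried over from the removed line. In the Session Duration paragraph, "Credentials based on account credentials" should say root user credentials, matching "Amazon Web Services account root user" used later in the same string, so the 1 hour cap is clearly tied to root.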
An identifier for the assumed role session.
Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their CloudTrail logs.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" + "documentation":"An identifier for the assumed role session.
Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their CloudTrail logs.
For security purposes, administrators can view this field in CloudTrail logs to help identify who performed an action in Amazon Web Services. Your administrator might require that you specify your user name as the session name when you assume the role. For more information, see sts:RoleSessionName
.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" }, "PolicyArns":{ "shape":"policyDescriptorListType", @@ -174,11 +193,11 @@ }, "Policy":{ "shape":"unrestrictedSessionPolicyDocumentType", - "documentation":"An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize
response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize
response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
For more information about role session permissions, see Session policies.
" }, "DurationSeconds":{ "shape":"roleDurationSecondsType", - "documentation":"The duration, in seconds, of the role session. The value specified can range from 900 seconds (15 minutes) up to the maximum session duration set for the role. The maximum session duration setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting or the administrator setting (whichever is lower), the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails.
Role chaining limits your Amazon Web Services CLI or Amazon Web Services API role session to a maximum of one hour. When you use the AssumeRole
API operation to assume a role, you can specify the duration of your role session with the DurationSeconds
parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds
parameter value greater than one hour, the operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600
seconds.
The DurationSeconds
parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration
parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console in the IAM User Guide.
The duration, in seconds, of the role session. The value specified can range from 900 seconds (15 minutes) up to the maximum session duration set for the role. The maximum session duration setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting or the administrator setting (whichever is lower), the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails.
Role chaining limits your Amazon Web Services CLI or Amazon Web Services API role session to a maximum of one hour. When you use the AssumeRole
API operation to assume a role, you can specify the duration of your role session with the DurationSeconds
parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds
parameter value greater than one hour, the operation fails. To learn how to view the maximum value for your role, see Update the maximum session duration for a role.
By default, the value is set to 3600
seconds.
The DurationSeconds
parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration
parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console in the IAM User Guide.
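Review bot: In the added DurationSeconds text the reference becomes "see Update the maximum session duration for a role." and loses "in the IAM User Guide", which every neighbouring reference in this string keeps. The sentence also still begins "To learn how to view the maximum value", which no longer matches a link titled "Update". Restore the guide suffix and align the verb. In the Policy string of the same hunk, the new closing sentence "For more information about role session permissions, see Session policies." repeats the earlier "see Session Policies in the IAM User Guide"; keep one of the two.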
A list of keys for session tags that you want to set as transitive. If you set a tag key as transitive, the corresponding key and value passes to subsequent sessions in a role chain. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
This parameter is optional. When you set session tags as transitive, the session policy and session tags packed binary limit is not affected.
If you choose not to specify a transitive tag key, then no tags are passed from this session to any subsequent sessions.
" + "documentation":"A list of keys for session tags that you want to set as transitive. If you set a tag key as transitive, the corresponding key and value passes to subsequent sessions in a role chain. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
This parameter is optional. The transitive status of a session tag does not impact its packed binary size.
If you choose not to specify a transitive tag key, then no tags are passed from this session to any subsequent sessions.
" }, "ExternalId":{ "shape":"externalIdType", @@ -202,7 +221,7 @@ }, "SourceIdentity":{ "shape":"sourceIdentityType", - "documentation":"The source identity specified by the principal that is calling the AssumeRole
operation.
You can require users to specify a source identity when they assume a role. You do this by using the sts:SourceIdentity
condition key in a role trust policy. You can use source identity information in CloudTrail logs to determine who took actions with a role. You can use the aws:SourceIdentity
condition key to further control access to Amazon Web Services resources based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-. You cannot use a value that begins with the text aws:
. This prefix is reserved for Amazon Web Services internal use.
The source identity specified by the principal that is calling the AssumeRole
operation. The source identity value persists across chained role sessions.
You can require users to specify a source identity when they assume a role. You do this by using the sts:SourceIdentity
condition key in a role trust policy. You can use source identity information in CloudTrail logs to determine who took actions with a role. You can use the aws:SourceIdentity
condition key to further control access to Amazon Web Services resources based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-. You cannot use a value that begins with the text aws:
. This prefix is reserved for Amazon Web Services internal use.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize
response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
For more information about role session permissions, see Session policies.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize
response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
The value in the SourceIdentity
attribute in the SAML assertion.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity
condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your SAML identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithSAML
. You do this by adding an attribute to the SAML assertion. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" + "documentation":"The value in the SourceIdentity
attribute in the SAML assertion. The source identity value persists across chained role sessions.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity
condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your SAML identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithSAML
. You do this by adding an attribute to the SAML assertion. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" } }, "documentation":"Contains the response to a successful AssumeRoleWithSAML request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
" @@ -318,15 +337,15 @@ "members":{ "RoleArn":{ "shape":"arnType", - "documentation":"The Amazon Resource Name (ARN) of the role that the caller is assuming.
" + "documentation":"The Amazon Resource Name (ARN) of the role that the caller is assuming.
Additional considerations apply to Amazon Cognito identity pools that assume cross-account IAM roles. The trust policies of these roles must accept the cognito-identity.amazonaws.com
service principal and must contain the cognito-identity.amazonaws.com:aud
condition key to restrict role assumption to users from your intended identity pools. A policy that trusts Amazon Cognito identity pools without this condition creates a risk that a user from an unintended identity pool can assume the role. For more information, see Trust policies for IAM roles in Basic (Classic) authentication in the Amazon Cognito Developer Guide.
An identifier for the assumed role session. Typically, you pass the name or identifier that is associated with the user who is using your application. That way, the temporary security credentials that your application will use are associated with that user. This session name is included as part of the ARN and assumed role ID in the AssumedRoleUser
response element.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" + "documentation":"An identifier for the assumed role session. Typically, you pass the name or identifier that is associated with the user who is using your application. That way, the temporary security credentials that your application will use are associated with that user. This session name is included as part of the ARN and assumed role ID in the AssumedRoleUser
response element.
For security purposes, administrators can view this field in CloudTrail logs to help identify who performed an action in Amazon Web Services. Your administrator might require that you specify your user name as the session name when you assume the role. For more information, see sts:RoleSessionName
.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" }, "WebIdentityToken":{ "shape":"clientTokenType", - "documentation":"The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider. Your application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an AssumeRoleWithWebIdentity
call. Only tokens with RSA algorithms (RS256) are supported.
The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider. Your application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an AssumeRoleWithWebIdentity
call. Timestamps in the token must be formatted as either an integer or a long integer. Only tokens with RSA algorithms (RS256) are supported.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize
response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
For more information about role session permissions, see Session policies.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize
response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
The value of the source identity that is returned in the JSON web token (JWT) from the identity provider.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity
condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithWebIdentity
. You do this by adding a claim to the JSON web token. To learn more about OIDC tokens and claims, see Using Tokens with User Pools in the Amazon Cognito Developer Guide. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" + "documentation":"The value of the source identity that is returned in the JSON web token (JWT) from the identity provider.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity
condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithWebIdentity
. You do this by adding a claim to the JSON web token. To learn more about OIDC tokens and claims, see Using Tokens with User Pools in the Amazon Cognito Developer Guide. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" } }, "documentation":"Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
" }, + "AssumeRootRequest":{ + "type":"structure", + "required":[ + "TargetPrincipal", + "TaskPolicyArn" + ], + "members":{ + "TargetPrincipal":{ + "shape":"TargetPrincipalType", + "documentation":"The member account principal ARN or account ID.
" + }, + "TaskPolicyArn":{ + "shape":"PolicyDescriptorType", + "documentation":"The identity based policy that scopes the session to the privileged tasks that can be performed. You can use one of following Amazon Web Services managed policies to scope root session actions. You can add additional customer managed policies to further limit the permissions for the root session.
The duration, in seconds, of the privileged session. The value can range from 0 seconds up to the maximum session duration of 900 seconds (15 minutes). If you specify a value higher than this setting, the operation fails.
By default, the value is set to 900
seconds.
The temporary security credentials, which include an access key ID, a secret access key, and a security token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
The source identity specified by the principal that is calling the AssumeRoot
operation.
You can use the aws:SourceIdentity
condition key to control access based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" + } + } + }, "AssumedRoleUser":{ "type":"structure", "required":[ @@ -622,7 +675,7 @@ "members":{ "message":{"shape":"invalidAuthorizationMessage"} }, - "documentation":"The error returned if the message passed to DecodeAuthorizationMessage
was invalid. This can happen if the token contains invalid characters, such as linebreaks.
The error returned if the message passed to DecodeAuthorizationMessage
was invalid. This can happen if the token contains invalid characters, such as line breaks, or if the message has expired.
STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region in the IAM User Guide.
", + "documentation":"STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating STS in an Amazon Web Services Region in the IAM User Guide.
", "error":{ "code":"RegionDisabledException", "httpStatusCode":403, @@ -713,6 +766,11 @@ }, "exception":true }, + "RootDurationSecondsType":{ + "type":"integer", + "max":900, + "min":0 + }, "SAMLAssertionType":{ "type":"string", "max":100000, @@ -739,6 +797,11 @@ }, "documentation":"You can pass custom key-value pair attributes when you assume a role or federate a user. These are called session tags. You can then use the session tags to control access to resources. For more information, see Tagging Amazon Web Services STS Sessions in the IAM User Guide.
" }, + "TargetPrincipalType":{ + "type":"string", + "max":2048, + "min":12 + }, "accessKeyIdType":{ "type":"string", "max":128, diff --git a/tests/functional/endpoint-rules/partnercentral-selling/endpoint-tests-1.json b/tests/functional/endpoint-rules/partnercentral-selling/endpoint-tests-1.json new file mode 100644 index 0000000000..32cd845cd9 --- /dev/null +++ b/tests/functional/endpoint-rules/partnercentral-selling/endpoint-tests-1.json 
@@ -0,0 +1,314 @@ +{ + "testCases": [ + { + "documentation": "For region us-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling-fips.us-east-1.api.aws" + } + }, + "params": { + "Region": "us-east-1", + "UseFIPS": true, + "UseDualStack": true + } + }, + { + "documentation": "For region us-east-1 with FIPS enabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling-fips.us-east-1.amazonaws.com" + } + }, + "params": { + "Region": "us-east-1", + "UseFIPS": true, + "UseDualStack": false + } + }, + { + "documentation": "For region us-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling.us-east-1.api.aws" + } + }, + "params": { + "Region": "us-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, + { + "documentation": "For region us-east-1 with FIPS disabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling.us-east-1.amazonaws.com" + } + }, + "params": { + "Region": "us-east-1", + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "For region cn-north-1 with FIPS enabled and DualStack enabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling-fips.cn-north-1.api.amazonwebservices.com.cn" + } + }, + "params": { + "Region": "cn-north-1", + "UseFIPS": true, + "UseDualStack": true + } + }, + { + "documentation": "For region cn-north-1 with FIPS enabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling-fips.cn-north-1.amazonaws.com.cn" + } + }, + "params": { + "Region": "cn-north-1", + "UseFIPS": true, + "UseDualStack": false + } + }, + { + "documentation": "For region cn-north-1 with FIPS disabled and DualStack enabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling.cn-north-1.api.amazonwebservices.com.cn" + } + }, + "params": { + 
"Region": "cn-north-1", + "UseFIPS": false, + "UseDualStack": true + } + }, + { + "documentation": "For region cn-north-1 with FIPS disabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling.cn-north-1.amazonaws.com.cn" + } + }, + "params": { + "Region": "cn-north-1", + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling-fips.us-gov-east-1.api.aws" + } + }, + "params": { + "Region": "us-gov-east-1", + "UseFIPS": true, + "UseDualStack": true + } + }, + { + "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling-fips.us-gov-east-1.amazonaws.com" + } + }, + "params": { + "Region": "us-gov-east-1", + "UseFIPS": true, + "UseDualStack": false + } + }, + { + "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling.us-gov-east-1.api.aws" + } + }, + "params": { + "Region": "us-gov-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, + { + "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling.us-gov-east-1.amazonaws.com" + } + }, + "params": { + "Region": "us-gov-east-1", + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": true, + "UseDualStack": true + } + }, + { + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack disabled", + "expect": { + "endpoint": { + "url": 
"https://partnercentral-selling-fips.us-iso-east-1.c2s.ic.gov" + } + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": true, + "UseDualStack": false + } + }, + { + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, + { + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling.us-iso-east-1.c2s.ic.gov" + } + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": true, + "UseDualStack": true + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling-fips.us-isob-east-1.sc2s.sgov.gov" + } + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": true, + "UseDualStack": false + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack disabled", + "expect": { + "endpoint": { + "url": "https://partnercentral-selling.us-isob-east-1.sc2s.sgov.gov" + } + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": false + } + }, + { + "documentation": "For custom endpoint with region set 
and fips disabled and dualstack disabled", + "expect": { + "endpoint": { + "url": "https://example.com" + } + }, + "params": { + "Region": "us-east-1", + "UseFIPS": false, + "UseDualStack": false, + "Endpoint": "https://example.com" + } + }, + { + "documentation": "For custom endpoint with region not set and fips disabled and dualstack disabled", + "expect": { + "endpoint": { + "url": "https://example.com" + } + }, + "params": { + "UseFIPS": false, + "UseDualStack": false, + "Endpoint": "https://example.com" + } + }, + { + "documentation": "For custom endpoint with fips enabled and dualstack disabled", + "expect": { + "error": "Invalid Configuration: FIPS and custom endpoint are not supported" + }, + "params": { + "Region": "us-east-1", + "UseFIPS": true, + "UseDualStack": false, + "Endpoint": "https://example.com" + } + }, + { + "documentation": "For custom endpoint with fips disabled and dualstack enabled", + "expect": { + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported" + }, + "params": { + "Region": "us-east-1", + "UseFIPS": false, + "UseDualStack": true, + "Endpoint": "https://example.com" + } + }, + { + "documentation": "Missing region", + "expect": { + "error": "Invalid Configuration: Missing Region" + } + } + ], + "version": "1.0" +} \ No newline at end of file
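Review bot: In the AssumeRoleWithSAML response "SourceIdentity" documentation, the added sentence "The source identity value persists across chained role sessions." duplicates the second paragraph, which already ends "...and persists across chained role sessions." Keep one of the two. If the new first-paragraph sentence is the preferred place, trim the later clause so the two statements cannot drift apart in a future edit.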
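Review bot: In the new "AssumeRootRequest" structure, the "TaskPolicyArn" documentation reads "You can use one of following Amazon Web Services managed policies"; it should read "one of the following". Because this parameter is the only thing that scopes a root session, the text should also say plainly that it is required, matching the "required" list of "TargetPrincipal" and "TaskPolicyArn" in the same structure.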
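Review bot: In hunk "@@ -713,6 +766,11 @@", "RootDurationSecondsType" sets "min":0, and the AssumeRoot "DurationSeconds" documentation repeats it ("The value can range from 0 seconds up to the maximum session duration of 900 seconds"). A zero-second privileged session has no obvious meaning. Either raise the minimum to the shortest duration the service really issues, or document whether 0 is rejected, treated as the 900-second default, or honoured literally, so callers and policy reviewers know what a request with 0 produces.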
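Review bot: In hunk "@@ -739,6 +797,11 @@", "TargetPrincipalType" is bounded only by length ("min":12, "max":2048), while the "TargetPrincipal" documentation says the value is a member account principal ARN or account ID. Consider adding a "pattern" that accepts those two forms, so client-side validation rejects a malformed target before a root-session request leaves the caller. The documentation should at least state which ARN forms are accepted.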
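Review bot: The custom-endpoint cases in the new partnercentral-selling endpoint-tests-1.json cover "UseFIPS": true and "UseDualStack": true only one at a time; there is no case with a custom "Endpoint" and both flags enabled. Add one so the test suite fixes which of the two "Invalid Configuration" errors wins. The file also ends with "\ No newline at end of file"; add the trailing newline for consistency with tooling that expects it.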