diff --git a/.changes/1.12.146.json b/.changes/1.12.146.json
new file mode 100644
index 0000000000..24c7ddaf94
--- /dev/null
+++ b/.changes/1.12.146.json
@@ -0,0 +1,12 @@
+[
+ {
+ "category": "``glue``",
+ "description": "Update glue client to latest version",
+ "type": "api-change"
+ },
+ {
+ "category": "``sts``",
+ "description": "Update sts client to latest version",
+ "type": "api-change"
+ }
+]
\ No newline at end of file
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 3fc4c99859..fc64b91eb3 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -2,6 +2,13 @@ CHANGELOG =========
+1.12.146
+========
+
+* api-change:``glue``: Update glue client to latest version
+* api-change:``sts``: Update sts client to latest version
+
+
 1.12.145 ========
diff --git a/botocore/__init__.py b/botocore/__init__.py
index b92dfdcb0e..b809be8185 100644
--- a/botocore/__init__.py
+++ b/botocore/__init__.py
@@ -16,7 +16,7 @@ import re import logging
-__version__ = '1.12.145'
+__version__ = '1.12.146'
 class NullHandler(logging.Handler):
diff --git a/botocore/data/endpoints.json b/botocore/data/endpoints.json
index 8a45e13457..23bfd6c541 100644
--- a/botocore/data/endpoints.json
+++ b/botocore/data/endpoints.json
@@ -564,6 +564,7 @@ } }, "endpoints" : { + "ap-east-1" : { }, "ap-northeast-1" : { }, "ap-northeast-2" : { }, "ap-south-1" : { },
@@ -1452,6 +1453,7 @@ "ap-southeast-2" : { }, "ca-central-1" : { }, "eu-central-1" : { }, + "eu-north-1" : { }, "eu-west-1" : { }, "eu-west-2" : { }, "eu-west-3" : { },
@@ -1572,8 +1574,13 @@ }, "kinesisanalytics" : { "endpoints" : { + "ap-northeast-1" : { }, + "ap-northeast-2" : { }, + "ap-southeast-1" : { }, + "ap-southeast-2" : { }, "eu-central-1" : { }, "eu-west-1" : { }, + "eu-west-2" : { }, "us-east-1" : { }, "us-east-2" : { }, "us-west-2" : { }
@@ -3498,6 +3505,15 @@ "us-gov-west-1" : { } } }, + "acm-pca" : { + "defaults" : { + "protocols" : [ "https" ] + }, + "endpoints" : { + "us-gov-east-1" : { }, + "us-gov-west-1" : { } + } + }, "api.ecr" : { "endpoints" : { "us-gov-east-1" : {
diff --git a/botocore/data/glue/2017-03-31/service-2.json b/botocore/data/glue/2017-03-31/service-2.json
index 5c6b620d50..ba4afd2e65 100644
--- a/botocore/data/glue/2017-03-31/service-2.json
+++ b/botocore/data/glue/2017-03-31/service-2.json
@@ -198,7 +198,7 @@ {"shape":"InvalidInputException"}, {"shape":"OperationTimeoutException"} ], - "documentation":"

Creates a classifier in the user's account. This may be a GrokClassifier, an XMLClassifier, a JsonClassifier, or a CsvClassifier, depending on which field of the request is present.

" + "documentation":"

Creates a classifier in the user's account. This can be a GrokClassifier, an XMLClassifier, a JsonClassifier, or a CsvClassifier, depending on which field of the request is present.

" }, "CreateConnection":{ "name":"CreateConnection", @@ -231,7 +231,7 @@ {"shape":"OperationTimeoutException"}, {"shape":"ResourceNumberLimitExceededException"} ], - "documentation":"

Creates a new crawler with specified targets, role, configuration, and optional schedule. At least one crawl target must be specified, in the s3Targets field, the jdbcTargets field, or the DynamoDBTargets field.

" + "documentation":"

Creates a new crawler with specified targets, role, configuration, and optional schedule. At least one crawl target must be specified, in the s3Targets field, the jdbcTargets field, or the DynamoDBTargets field.

" }, "CreateDatabase":{ "name":"CreateDatabase", @@ -440,7 +440,7 @@ {"shape":"SchedulerTransitioningException"}, {"shape":"OperationTimeoutException"} ], - "documentation":"

Removes a specified crawler from the Data Catalog, unless the crawler state is RUNNING.

" + "documentation":"

Removes a specified crawler from the AWS Glue Data Catalog, unless the crawler state is RUNNING.

" }, "DeleteDatabase":{ "name":"DeleteDatabase", @@ -1838,7 +1838,7 @@ "members":{ "CrawlerNames":{ "shape":"CrawlerNameList", - "documentation":"

A list of crawler names, which may be the names returned from the ListCrawlers operation.

" + "documentation":"

A list of crawler names, which might be the names returned from the ListCrawlers operation.

" } } }, @@ -1851,7 +1851,7 @@ }, "CrawlersNotFound":{ "shape":"CrawlerNameList", - "documentation":"

A list of names of crawlers not found.

" + "documentation":"

A list of names of crawlers that were not found.

" } } }, @@ -2081,7 +2081,7 @@ "documentation":"

The name of the table in question.

" } }, - "documentation":"

Specifies a table definition in the Data Catalog.

" + "documentation":"

Specifies a table definition in the AWS Glue Data Catalog.

" }, "CatalogIdString":{ "type":"string", @@ -2107,28 +2107,55 @@ }, "documentation":"

A structure containing migration status information.

" }, + "CatalogTablesList":{ + "type":"list", + "member":{"shape":"NameString"}, + "min":1 + }, + "CatalogTarget":{ + "type":"structure", + "required":[ + "DatabaseName", + "Tables" + ], + "members":{ + "DatabaseName":{ + "shape":"NameString", + "documentation":"

The name of the database to be synchronized.

" + }, + "Tables":{ + "shape":"CatalogTablesList", + "documentation":"

A list of the tables to be synchronized.

" + } + }, + "documentation":"

Specifies an AWS Glue Data Catalog target.

" + }, + "CatalogTargetList":{ + "type":"list", + "member":{"shape":"CatalogTarget"} + }, "Classification":{"type":"string"}, "Classifier":{ "type":"structure", "members":{ "GrokClassifier":{ "shape":"GrokClassifier", - "documentation":"

A GrokClassifier object.

" + "documentation":"

A classifier that uses grok.

" }, "XMLClassifier":{ "shape":"XMLClassifier", - "documentation":"

An XMLClassifier object.

" + "documentation":"

A classifier for XML content.

" }, "JsonClassifier":{ "shape":"JsonClassifier", - "documentation":"

A JsonClassifier object.

" + "documentation":"

A classifier for JSON content.

" }, "CsvClassifier":{ "shape":"CsvClassifier", - "documentation":"

A CSVClassifier object.

" + "documentation":"

A classifier for comma-separated values (CSV).

" } }, - "documentation":"

Classifiers are triggered during a crawl task. A classifier checks whether a given file is in a format it can handle, and if it is, the classifier creates a schema in the form of a StructType object that matches that data format.

You can use the standard classifiers that AWS Glue supplies, or you can write your own classifiers to best categorize your data sources and specify the appropriate schemas to use for them. A classifier can be a grok classifier, an XML classifier, a JSON classifier, or a custom CSV classifier as specified in one of the fields in the Classifier object.

" + "documentation":"

Classifiers are triggered during a crawl task. A classifier checks whether a given file is in a format it can handle. If it is, the classifier creates a schema in the form of a StructType object that matches that data format.

You can use the standard classifiers that AWS Glue provides, or you can write your own classifiers to best categorize your data sources and specify the appropriate schemas to use for them. A classifier can be a grok classifier, an XML classifier, a JSON classifier, or a custom CSV classifier, as specified in one of the fields in the Classifier object.

" }, "ClassifierList":{ "type":"list", @@ -2203,7 +2230,7 @@ }, "NodeType":{ "shape":"CodeGenNodeType", - "documentation":"

The type of node this is.

" + "documentation":"

The type of node that this is.

" }, "Args":{ "shape":"CodeGenNodeArgs", @@ -2484,11 +2511,11 @@ "members":{ "Name":{ "shape":"NameString", - "documentation":"

The crawler name.

" + "documentation":"

The name of the crawler.

" }, "Role":{ "shape":"Role", - "documentation":"

The IAM role (or ARN of an IAM role) used to access customer resources, such as data in Amazon S3.

" + "documentation":"

The Amazon Resource Name (ARN) of an IAM role that's used to access customer resources, such as Amazon Simple Storage Service (Amazon S3) data.

" }, "Targets":{ "shape":"CrawlerTargets", @@ -2496,7 +2523,7 @@ }, "DatabaseName":{ "shape":"DatabaseName", - "documentation":"

The database where metadata is written by this crawler.

" + "documentation":"

The name of the database in which the crawler's output is stored.

" }, "Description":{ "shape":"DescriptionString", @@ -2504,11 +2531,11 @@ }, "Classifiers":{ "shape":"ClassifierNameList", - "documentation":"

A list of custom classifiers associated with the crawler.

" + "documentation":"

A list of UTF-8 strings that specify the custom classifiers that are associated with the crawler.

" }, "SchemaChangePolicy":{ "shape":"SchemaChangePolicy", - "documentation":"

Sets the behavior when the crawler finds a changed or deleted object.

" + "documentation":"

The policy that specifies update and delete behaviors for the crawler.

" }, "State":{ "shape":"CrawlerState", @@ -2528,11 +2555,11 @@ }, "CreationTime":{ "shape":"Timestamp", - "documentation":"

The time when the crawler was created.

" + "documentation":"

The time that the crawler was created.

" }, "LastUpdated":{ "shape":"Timestamp", - "documentation":"

The time the crawler was last updated.

" + "documentation":"

The time that the crawler was last updated.

" }, "LastCrawl":{ "shape":"LastCrawlInfo", @@ -2548,7 +2575,7 @@ }, "CrawlerSecurityConfiguration":{ "shape":"CrawlerSecurityConfiguration", - "documentation":"

The name of the SecurityConfiguration structure to be used by this Crawler.

" + "documentation":"

The name of the SecurityConfiguration structure to be used by this crawler.

" } }, "documentation":"

Specifies a crawler program that examines a data source and uses classifiers to try to determine its schema. If successful, the crawler records metadata concerning the data source in the AWS Glue Data Catalog.

" @@ -2657,7 +2684,7 @@ "members":{ "S3Targets":{ "shape":"S3TargetList", - "documentation":"

Specifies Amazon S3 targets.

" + "documentation":"

Specifies Amazon Simple Storage Service (Amazon S3) targets.

" }, "JdbcTargets":{ "shape":"JdbcTargetList", @@ -2665,7 +2692,11 @@ }, "DynamoDBTargets":{ "shape":"DynamoDBTargetList", - "documentation":"

Specifies DynamoDB targets.

" + "documentation":"

Specifies Amazon DynamoDB targets.

" + }, + "CatalogTargets":{ + "shape":"CatalogTargetList", + "documentation":"

Specifies AWS Glue Data Catalog targets.

" } }, "documentation":"

Specifies data stores to crawl.

" @@ -2720,7 +2751,6 @@ "required":[ "Name", "Role", - "DatabaseName", "Targets" ], "members":{ @@ -2730,7 +2760,7 @@ }, "Role":{ "shape":"Role", - "documentation":"

The IAM role (or ARN of an IAM role) used by the new crawler to access customer resources.

" + "documentation":"

The IAM role or Amazon Resource Name (ARN) of an IAM role used by the new crawler to access customer resources.

" }, "DatabaseName":{ "shape":"DatabaseName", @@ -2746,7 +2776,7 @@ }, "Schedule":{ "shape":"CronExpression", - "documentation":"

A cron expression used to specify the schedule (see Time-Based Schedules for Jobs and Crawlers. For example, to run something every day at 12:15 UTC, you would specify: cron(15 12 * * ? *).

" + "documentation":"

A cron expression used to specify the schedule. For more information, see Time-Based Schedules for Jobs and Crawlers. For example, to run something every day at 12:15 UTC, specify cron(15 12 * * ? *).

" }, "Classifiers":{ "shape":"ClassifierNameList", @@ -2758,19 +2788,19 @@ }, "SchemaChangePolicy":{ "shape":"SchemaChangePolicy", - "documentation":"

Policy for the crawler's update and deletion behavior.

" + "documentation":"

The policy for the crawler's update and deletion behavior.

" }, "Configuration":{ "shape":"CrawlerConfiguration", - "documentation":"

Crawler configuration information. This versioned JSON string allows users to specify aspects of a crawler's behavior. For more information, see Configuring a Crawler.

" + "documentation":"

The crawler configuration information. This versioned JSON string allows users to specify aspects of a crawler's behavior. For more information, see Configuring a Crawler.

" }, "CrawlerSecurityConfiguration":{ "shape":"CrawlerSecurityConfiguration", - "documentation":"

The name of the SecurityConfiguration structure to be used by this Crawler.

" + "documentation":"

The name of the SecurityConfiguration structure to be used by this crawler.

" }, "Tags":{ "shape":"TagsMap", - "documentation":"

The tags to use with this crawler request. You may use tags to limit access to the crawler. For more information about tags in AWS Glue, see AWS Tags in AWS Glue in the developer guide.

" + "documentation":"

The tags to use with this crawler request. You can use tags to limit access to the crawler. For more information, see AWS Tags in AWS Glue.

" } } }, @@ -3088,7 +3118,7 @@ }, "JsonPath":{ "shape":"JsonPath", - "documentation":"

A JsonPath string defining the JSON data for the classifier to classify. AWS Glue supports a subset of JsonPath, as described in Writing JsonPath Custom Classifiers.

" + "documentation":"

A JsonPath string defining the JSON data for the classifier to classify. AWS Glue supports a subset of JsonPath, as described in Writing JsonPath Custom Classifiers.

" } }, "documentation":"

Specifies a JSON classifier for CreateClassifier to create.

" @@ -3304,7 +3334,7 @@ }, "RowTag":{ "shape":"RowTag", - "documentation":"

The XML tag designating the element that contains each record in an XML document being parsed. Note that this cannot identify a self-closing element (closed by />). An empty row element that contains only attributes can be parsed as long as it ends with a closing tag (for example, <row item_a=\"A\" item_b=\"B\"></row> is okay, but <row item_a=\"A\" item_b=\"B\" /> is not).

" + "documentation":"

The XML tag designating the element that contains each record in an XML document being parsed. This can't identify a self-closing element (closed by />). An empty row element that contains only attributes can be parsed as long as it ends with a closing tag (for example, <row item_a=\"A\" item_b=\"B\"></row> is okay, but <row item_a=\"A\" item_b=\"B\" /> is not).

" } }, "documentation":"

Specifies an XML classifier for CreateClassifier to create.

" @@ -3320,11 +3350,11 @@ }, "CreationTime":{ "shape":"Timestamp", - "documentation":"

The time this classifier was registered.

" + "documentation":"

The time that this classifier was registered.

" }, "LastUpdated":{ "shape":"Timestamp", - "documentation":"

The time this classifier was last updated.

" + "documentation":"

The time that this classifier was last updated.

" }, "Version":{ "shape":"VersionId", @@ -3336,7 +3366,7 @@ }, "QuoteSymbol":{ "shape":"CsvQuoteSymbol", - "documentation":"

A custom symbol to denote what combines content into a single column value. Must be different from the column delimiter.

" + "documentation":"

A custom symbol to denote what combines content into a single column value. It must be different from the column delimiter.

" }, "ContainsHeader":{ "shape":"CsvHeaderOption", @@ -3348,7 +3378,7 @@ }, "DisableValueTrimming":{ "shape":"NullableBoolean", - "documentation":"

Specifies not to trim values before identifying the type of column values. The default value is true.

" + "documentation":"

Specifies not to trim values before identifying the type of column values. The default value is true.

" }, "AllowSingleColumn":{ "shape":"NullableBoolean", @@ -3518,7 +3548,7 @@ "members":{ "Name":{ "shape":"NameString", - "documentation":"

Name of the crawler to remove.

" + "documentation":"

The name of the crawler to remove.

" } } }, @@ -3884,7 +3914,7 @@ "documentation":"

The name of the DynamoDB table to crawl.

" } }, - "documentation":"

Specifies a DynamoDB table to crawl.

" + "documentation":"

Specifies an Amazon DynamoDB table to crawl.

" }, "DynamoDBTargetList":{ "type":"list", @@ -4033,7 +4063,7 @@ "members":{ "MaxResults":{ "shape":"PageSize", - "documentation":"

Size of the list to return (optional).

" + "documentation":"

The size of the list to return (optional).

" }, "NextToken":{ "shape":"Token", @@ -4169,7 +4199,7 @@ "members":{ "Name":{ "shape":"NameString", - "documentation":"

Name of the crawler to retrieve metadata for.

" + "documentation":"

The name of the crawler to retrieve metadata for.

" } } }, @@ -4587,7 +4617,7 @@ }, "Location":{ "shape":"Location", - "documentation":"

Parameters for the mapping.

" + "documentation":"

The parameters for the mapping.

" }, "Language":{ "shape":"Language", @@ -4604,7 +4634,7 @@ }, "ScalaCode":{ "shape":"ScalaCode", - "documentation":"

Scala code to perform the mapping.

" + "documentation":"

The Scala code to perform the mapping.

" } } }, @@ -5003,11 +5033,11 @@ }, "CreationTime":{ "shape":"Timestamp", - "documentation":"

The time this classifier was registered.

" + "documentation":"

The time that this classifier was registered.

" }, "LastUpdated":{ "shape":"Timestamp", - "documentation":"

The time this classifier was last updated.

" + "documentation":"

The time that this classifier was last updated.

" }, "Version":{ "shape":"VersionId", @@ -5015,11 +5045,11 @@ }, "GrokPattern":{ "shape":"GrokPattern", - "documentation":"

The grok pattern applied to a data store by this classifier. For more information, see built-in patterns in Writing Custom Classifers.

" + "documentation":"

The grok pattern applied to a data store by this classifier. For more information, see built-in patterns in Writing Custom Classifiers.

" }, "CustomPatterns":{ "shape":"CustomPatterns", - "documentation":"

Optional custom grok patterns defined by this classifier. For more information, see custom patterns in Writing Custom Classifers.

" + "documentation":"

Optional custom grok patterns defined by this classifier. For more information, see custom patterns in Writing Custom Classifiers.

" } }, "documentation":"

A classifier that uses grok patterns.

" @@ -5458,11 +5488,11 @@ }, "CreationTime":{ "shape":"Timestamp", - "documentation":"

The time this classifier was registered.

" + "documentation":"

The time that this classifier was registered.

" }, "LastUpdated":{ "shape":"Timestamp", - "documentation":"

The time this classifier was last updated.

" + "documentation":"

The time that this classifier was last updated.

" }, "Version":{ "shape":"VersionId", @@ -5470,7 +5500,7 @@ }, "JsonPath":{ "shape":"JsonPath", - "documentation":"

A JsonPath string defining the JSON data for the classifier to classify. AWS Glue supports a subset of JsonPath, as described in Writing JsonPath Custom Classifiers.

" + "documentation":"

A JsonPath string defining the JSON data for the classifier to classify. AWS Glue supports a subset of JsonPath, as described in Writing JsonPath Custom Classifiers.

" } }, "documentation":"

A classifier for JSON content.

" @@ -5665,11 +5695,11 @@ }, "S3":{ "shape":"CodeGenNodeArgs", - "documentation":"

An Amazon S3 location.

" + "documentation":"

An Amazon Simple Storage Service (Amazon S3) location.

" }, "DynamoDB":{ "shape":"CodeGenNodeArgs", - "documentation":"

A DynamoDB Table location.

" + "documentation":"

An Amazon DynamoDB table location.

" } }, "documentation":"

The location of resources.

" @@ -6200,7 +6230,7 @@ "documentation":"

A list of glob patterns used to exclude from the crawl. For more information, see Catalog Tables with a Crawler.

" } }, - "documentation":"

Specifies a data store in Amazon S3.

" + "documentation":"

Specifies a data store in Amazon Simple Storage Service (Amazon S3).

" }, "S3TargetList":{ "type":"list", @@ -6212,7 +6242,7 @@ "members":{ "ScheduleExpression":{ "shape":"CronExpression", - "documentation":"

A cron expression used to specify the schedule (see Time-Based Schedules for Jobs and Crawlers. For example, to run something every day at 12:15 UTC, you would specify: cron(15 12 * * ? *).

" + "documentation":"

A cron expression used to specify the schedule. For more information, see Time-Based Schedules for Jobs and Crawlers. For example, to run something every day at 12:15 UTC, specify cron(15 12 * * ? *).

" }, "State":{ "shape":"ScheduleState", @@ -6274,7 +6304,7 @@ "documentation":"

The deletion behavior when the crawler finds a deleted object.

" } }, - "documentation":"

Crawler policy for update and deletion behavior.

" + "documentation":"

A policy that specifies update and deletion behaviors for the crawler.

" }, "SchemaPathString":{"type":"string"}, "ScriptLocationString":{"type":"string"}, @@ -7015,7 +7045,7 @@ }, "Role":{ "shape":"Role", - "documentation":"

The IAM role (or ARN of an IAM role) used by the new crawler to access customer resources.

" + "documentation":"

The IAM role or Amazon Resource Name (ARN) of an IAM role that is used by the new crawler to access customer resources.

" }, "DatabaseName":{ "shape":"DatabaseName", @@ -7031,7 +7061,7 @@ }, "Schedule":{ "shape":"CronExpression", - "documentation":"

A cron expression used to specify the schedule (see Time-Based Schedules for Jobs and Crawlers. For example, to run something every day at 12:15 UTC, you would specify: cron(15 12 * * ? *).

" + "documentation":"

A cron expression used to specify the schedule. For more information, see Time-Based Schedules for Jobs and Crawlers. For example, to run something every day at 12:15 UTC, specify cron(15 12 * * ? *).

" }, "Classifiers":{ "shape":"ClassifierNameList", @@ -7043,15 +7073,15 @@ }, "SchemaChangePolicy":{ "shape":"SchemaChangePolicy", - "documentation":"

Policy for the crawler's update and deletion behavior.

" + "documentation":"

The policy for the crawler's update and deletion behavior.

" }, "Configuration":{ "shape":"CrawlerConfiguration", - "documentation":"

Crawler configuration information. This versioned JSON string allows users to specify aspects of a crawler's behavior. For more information, see Configuring a Crawler.

" + "documentation":"

The crawler configuration information. This versioned JSON string allows users to specify aspects of a crawler's behavior. For more information, see Configuring a Crawler.

" }, "CrawlerSecurityConfiguration":{ "shape":"CrawlerSecurityConfiguration", - "documentation":"

The name of the SecurityConfiguration structure to be used by this Crawler.

" + "documentation":"

The name of the SecurityConfiguration structure to be used by this crawler.

" } } }, @@ -7066,11 +7096,11 @@ "members":{ "CrawlerName":{ "shape":"NameString", - "documentation":"

Name of the crawler whose schedule to update.

" + "documentation":"

The name of the crawler whose schedule to update.

" }, "Schedule":{ "shape":"CronExpression", - "documentation":"

The updated cron expression used to specify the schedule (see Time-Based Schedules for Jobs and Crawlers. For example, to run something every day at 12:15 UTC, you would specify: cron(15 12 * * ? *).

" + "documentation":"

The updated cron expression used to specify the schedule. For more information, see Time-Based Schedules for Jobs and Crawlers. For example, to run something every day at 12:15 UTC, specify cron(15 12 * * ? *).

" } } }, @@ -7093,7 +7123,7 @@ }, "QuoteSymbol":{ "shape":"CsvQuoteSymbol", - "documentation":"

A custom symbol to denote what combines content into a single column value. Must be different from the column delimiter.

" + "documentation":"

A custom symbol to denote what combines content into a single column value. It must be different from the column delimiter.

" }, "ContainsHeader":{ "shape":"CsvHeaderOption", @@ -7242,7 +7272,7 @@ }, "JsonPath":{ "shape":"JsonPath", - "documentation":"

A JsonPath string defining the JSON data for the classifier to classify. AWS Glue supports a subset of JsonPath, as described in Writing JsonPath Custom Classifiers.

" + "documentation":"

A JsonPath string defining the JSON data for the classifier to classify. AWS Glue supports a subset of JsonPath, as described in Writing JsonPath Custom Classifiers.

" } }, "documentation":"

Specifies a JSON classifier to be updated.

" @@ -7384,7 +7414,7 @@ }, "RowTag":{ "shape":"RowTag", - "documentation":"

The XML tag designating the element that contains each record in an XML document being parsed. Note that this cannot identify a self-closing element (closed by />). An empty row element that contains only attributes can be parsed as long as it ends with a closing tag (for example, <row item_a=\"A\" item_b=\"B\"></row> is okay, but <row item_a=\"A\" item_b=\"B\" /> is not).

" + "documentation":"

The XML tag designating the element that contains each record in an XML document being parsed. This cannot identify a self-closing element (closed by />). An empty row element that contains only attributes can be parsed as long as it ends with a closing tag (for example, <row item_a=\"A\" item_b=\"B\"></row> is okay, but <row item_a=\"A\" item_b=\"B\" /> is not).

" } }, "documentation":"

Specifies an XML classifier to be updated.

" @@ -7516,11 +7546,11 @@ }, "CreationTime":{ "shape":"Timestamp", - "documentation":"

The time this classifier was registered.

" + "documentation":"

The time that this classifier was registered.

" }, "LastUpdated":{ "shape":"Timestamp", - "documentation":"

The time this classifier was last updated.

" + "documentation":"

The time that this classifier was last updated.

" }, "Version":{ "shape":"VersionId", @@ -7528,7 +7558,7 @@ }, "RowTag":{ "shape":"RowTag", - "documentation":"

The XML tag designating the element that contains each record in an XML document being parsed. Note that this cannot identify a self-closing element (closed by />). An empty row element that contains only attributes can be parsed as long as it ends with a closing tag (for example, <row item_a=\"A\" item_b=\"B\"></row> is okay, but <row item_a=\"A\" item_b=\"B\" /> is not).

" + "documentation":"

The XML tag designating the element that contains each record in an XML document being parsed. This can't identify a self-closing element (closed by />). An empty row element that contains only attributes can be parsed as long as it ends with a closing tag (for example, <row item_a=\"A\" item_b=\"B\"></row> is okay, but <row item_a=\"A\" item_b=\"B\" /> is not).

" } }, "documentation":"

A classifier for XML content.

"
diff --git a/botocore/data/sts/2011-06-15/service-2.json b/botocore/data/sts/2011-06-15/service-2.json
index 54dce13aec..e6eb6d709c 100644
--- a/botocore/data/sts/2011-06-15/service-2.json
+++ b/botocore/data/sts/2011-06-15/service-2.json
@@ -29,7 +29,7 @@ {"shape":"PackedPolicyTooLargeException"}, {"shape":"RegionDisabledException"} ], - "documentation":"

Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole for cross-account access or federation. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

You cannot use AWS account root user credentials to call AssumeRole. You must use credentials for an IAM user or an IAM role to call AssumeRole.

For cross-account access, imagine that you own multiple accounts and need to access resources in each account. You could create long-term credentials in each account to access those resources. However, managing all those credentials and remembering which one can access which account can be time consuming. Instead, you can create one set of long-term credentials in one account and then use temporary security credentials to access all the other accounts by assuming roles in those accounts. For more information about roles, see IAM Roles (Delegation and Federation) in the IAM User Guide.

For federation, you can, for example, grant single sign-on access to the AWS Management Console. If you already have an identity and authentication system in your network, you don't have to recreate identities in AWS in order to grant them access to AWS. Instead, after a user has been authenticated, you call AssumeRole (and specify the role with the appropriate permissions) to get temporary security credentials for that user. With those temporary security credentials, you construct a sign-in URL from which users can access the console. For more information, see Common Scenarios for Temporary Credentials in the IAM User Guide.

By default, the temporary security credentials created by AssumeRole last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.

The temporary security credentials created by AssumeRole can be used to make API calls to any AWS service with the following exception: You cannot call the AWS STS service's GetFederationToken or GetSessionToken API operations.

(Optional) You can pass an IAM permissions policy to this operation. If you pass a policy to this operation, the resulting temporary credentials have the permissions of the assumed role and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the permissions policy of the role that is being assumed. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.

To assume a role, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate access to this account's role.

The user who wants to access the role must also have permissions delegated from the role's administrator. If the user and the role are in a different account, then the user's administrator must attach a policy. That attached policy must allow the user to call AssumeRole for the ARN of the role in the other account. If the user is in the same account as the role, then you can do either of the following:

In this case, the trust policy acts as the only resource-based policy in IAM. Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.

Using MFA with AssumeRole

(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios in which you want to make sure that the user who is assuming the role has been authenticated using an AWS MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.

\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}

For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.

To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.

" + "documentation":"

Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

You cannot use AWS account root user credentials to call AssumeRole. You must use credentials for an IAM user or an IAM role to call AssumeRole.

For cross-account access, imagine that you own multiple accounts and need to access resources in each account. You could create long-term credentials in each account to access those resources. However, managing all those credentials and remembering which one can access which account can be time consuming. Instead, you can create one set of long-term credentials in one account. Then use temporary security credentials to access all the other accounts by assuming roles in those accounts. For more information about roles, see IAM Roles in the IAM User Guide.

By default, the temporary security credentials created by AssumeRole last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.

The temporary security credentials created by AssumeRole can be used to make API calls to any AWS service with the following exception: You cannot call the AWS STS GetFederationToken or GetSessionToken API operations.

(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

To assume a role from a different account, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account.

A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account. If the user is in the same account as the role, then you can do either of the following:

In this case, the trust policy acts as an IAM resource-based policy. Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.

Using MFA with AssumeRole

(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an AWS MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.

\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}

For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.

To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.

" }, "AssumeRoleWithSAML":{ "name":"AssumeRoleWithSAML", @@ -50,7 +50,7 @@ {"shape":"ExpiredTokenException"}, {"shape":"RegionDisabledException"} ], - "documentation":"

Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services.

By default, the temporary security credentials created by AssumeRoleWithSAML last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.

The temporary security credentials created by AssumeRoleWithSAML can be used to make API calls to any AWS service with the following exception: you cannot call the STS service's GetFederationToken or GetSessionToken API operations.

Optionally, you can pass an IAM permissions policy to this operation. If you pass a policy to this operation, the resulting temporary credentials have the permissions of the assumed role and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the permissions policy of the role that is being assumed. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.

Before your application can call AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to issue the claims required by AWS. Additionally, you must use AWS Identity and Access Management (IAM) to create a SAML provider entity in your AWS account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.

Calling AssumeRoleWithSAML does not require the use of AWS security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.

Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail logs. The entry includes the value in the NameID element of the SAML assertion. We recommend that you use a NameIDType that is not associated with any personally identifiable information (PII). For example, you could instead use the Persistent Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).

For more information, see the following resources:

" + "documentation":"

Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services.

By default, the temporary security credentials created by AssumeRoleWithSAML last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.

The temporary security credentials created by AssumeRoleWithSAML can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.

(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

Before your application can call AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to issue the claims required by AWS. Additionally, you must use AWS Identity and Access Management (IAM) to create a SAML provider entity in your AWS account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.

Calling AssumeRoleWithSAML does not require the use of AWS security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.

Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail logs. The entry includes the value in the NameID element of the SAML assertion. We recommend that you use a NameIDType that is not associated with any personally identifiable information (PII). For example, you could instead use the Persistent Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).

For more information, see the following resources:

" }, "AssumeRoleWithWebIdentity":{ "name":"AssumeRoleWithWebIdentity", @@ -72,7 +72,7 @@ {"shape":"ExpiredTokenException"}, {"shape":"RegionDisabledException"} ], - "documentation":"

Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.

For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the AWS SDK for iOS Developer Guide and the AWS SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.

To learn more about Amazon Cognito, see Amazon Cognito Overview in the AWS SDK for Android Developer Guide guide and Amazon Cognito Overview in the AWS SDK for iOS Developer Guide.

Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application. You also don't need to deploy server-based proxy services that use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS service API operations.

By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.

The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any AWS service with the following exception: you cannot call the STS service's GetFederationToken or GetSessionToken API operations.

(Optional) You can pass an IAM permissions policy to this operation. If you pass a policy to this operation, the resulting temporary credentials have the permissions of the assumed role and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the permissions policy of the role that is being assumed. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.

Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.

Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail logs. The entry includes the Subject of the provided Web Identity Token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.

For more information about how to use web identity federation and the AssumeRoleWithWebIdentity API, see the following resources:

" + "documentation":"

Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.

For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the AWS SDK for iOS Developer Guide and the AWS SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.

To learn more about Amazon Cognito, see Amazon Cognito Overview in AWS SDK for Android Developer Guide and Amazon Cognito Overview in the AWS SDK for iOS Developer Guide.

Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application. You also don't need to deploy server-based proxy services that use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS service API operations.

By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.

The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.

(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.

Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail logs. The entry includes the Subject of the provided Web Identity Token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.

For more information about how to use web identity federation and the AssumeRoleWithWebIdentity API, see the following resources:

" }, "DecodeAuthorizationMessage":{ "name":"DecodeAuthorizationMessage", @@ -119,7 +119,7 @@ {"shape":"PackedPolicyTooLargeException"}, {"shape":"RegionDisabledException"} ], - "documentation":"

Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider.

You can also call GetFederationToken using the security credentials of an AWS account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.

The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default is 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS account root user credentials have a maximum duration of 3,600 seconds (1 hour).

The temporary security credentials created by GetFederationToken can be used to make API calls to any AWS service with the following exceptions:

Permissions

You must pass an IAM permissions policy to GetFederationToken. When you pass a policy to this operation, the resulting temporary credentials are defined by the intersection of your IAM user policies and the passed policy . The passed policy defines the permissions of the federated user. AWS allows the federated user's request only when both the attached policy and the IAM user policy explicitly allow the federated user to perform the requested action. The passed policy cannot grant more permissions than those that are defined in the IAM user policy. For more information about how permissions work, see Permissions for GetFederationToken. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.

" + "documentation":"

Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider.

You can also call GetFederationToken using the security credentials of an AWS account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.

The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default is 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS account root user credentials have a maximum duration of 3,600 seconds (1 hour).

The temporary security credentials created by GetFederationToken can be used to make API calls to any AWS service with the following exceptions:

Permissions

You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters.

Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. The only exception is when the credentials are used to access a resource that has a resource-based policy that specifically references the federated user session in the Principal element of the policy. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.

" }, "GetSessionToken":{ "name":"GetSessionToken", @@ -135,7 +135,7 @@ "errors":[ {"shape":"RegionDisabledException"} ], - "documentation":"
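Review bot: The new Permissions text for GetFederationToken contradicts itself: it opens with "You must pass an inline or managed session policy to this operation", while the next paragraph begins "Though the session policy parameters are optional". The second paragraph carries the security-relevant behaviour: a call without a policy apparently still returns credentials, but the session has no permissions except where a resource-based policy names the federated user session in its Principal element. I would reword the opening sentence along the lines of `You can pass an inline or managed session policy to this operation; if you pass none, the federated user session has no permissions of its own.` so that callers do not read "must" as a request-time validation. This string looks like it is synced from the service model, so the wording change probably belongs upstream rather than in this file.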

Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error. For a comparison of GetSessionToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

The GetSessionToken operation must be called by using the long-term AWS security credentials of the AWS account or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials that are created by using account credentials can range from 900 seconds (15 minutes) up to a maximum of 3,600 seconds (1 hour), with a default of 1 hour.

The temporary security credentials created by GetSessionToken can be used to make API calls to any AWS service with the following exceptions:

We recommend that you do not call GetSessionToken with AWS account root user credentials. Instead, follow our best practices by creating one or more IAM users, giving them the necessary permissions, and using IAM users for everyday interaction with AWS.

The permissions associated with the temporary security credentials returned by GetSessionToken are based on the permissions associated with account or IAM user whose credentials are used to call the operation. If GetSessionToken is called using AWS account root user credentials, the temporary credentials have root user permissions. Similarly, if GetSessionToken is called using the credentials of an IAM user, the temporary credentials have the same permissions as the IAM user.

For more information about using GetSessionToken to create temporary credentials, go to Temporary Credentials for Users in Untrusted Environments in the IAM User Guide.

" + "documentation":"

Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error. For a comparison of GetSessionToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

The GetSessionToken operation must be called by using the long-term AWS security credentials of the AWS account root user or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.

The temporary security credentials created by GetSessionToken can be used to make API calls to any AWS service with the following exceptions:

We recommend that you do not call GetSessionToken with AWS account root user credentials. Instead, follow our best practices by creating one or more IAM users, giving them the necessary permissions, and using IAM users for everyday interaction with AWS.

The credentials that are returned by GetSessionToken are based on permissions associated with the user whose credentials were used to call the operation. If GetSessionToken is called using AWS account root user credentials, the temporary credentials have root user permissions. Similarly, if GetSessionToken is called using the credentials of an IAM user, the temporary credentials have the same permissions as the IAM user.

For more information about using GetSessionToken to create temporary credentials, go to Temporary Credentials for Users in Untrusted Environments in the IAM User Guide.

" } }, "shapes":{ @@ -154,9 +154,13 @@ "shape":"roleSessionNameType", "documentation":"

An identifier for the assumed role session.

Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their AWS CloudTrail logs.

The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-

" }, + "PolicyArns":{ + "shape":"policyDescriptorListType", + "documentation":"

The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.

This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

The characters in this parameter count towards the 2048 character session policy guideline. However, an AWS conversion compresses the session policies into a packed binary format that has a separate limit. This is the enforced limit. The PackedPolicySize response element indicates by percentage how close the policy is to the upper size limit.

Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

" + }, "Policy":{ "shape":"sessionPolicyDocumentType", - "documentation":"

An IAM policy in JSON format.

This parameter is optional. If you pass a policy to this operation, the resulting temporary credentials have the permissions of the assumed role and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the permissions policy of the role that is being assumed. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.

The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\\u0020-\\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.

The policy plaintext must be 2048 bytes or shorter. However, an internal conversion compresses it into a packed binary format with a separate limit. The PackedPolicySize response element indicates by percentage how close to the upper size limit the policy is, where 100 percent is the maximum allowed size.

" + "documentation":"

An IAM policy in JSON format that you want to use as an inline session policy.

This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.

The characters in this parameter count towards the 2048 character session policy guideline. However, an AWS conversion compresses the session policies into a packed binary format that has a separate limit. This is the enforced limit. The PackedPolicySize response element indicates by percentage how close the policy is to the upper size limit.

" }, "DurationSeconds":{ "shape":"roleDurationSecondsType", @@ -164,7 +168,7 @@ }, "ExternalId":{ "shape":"externalIdType", - "documentation":"

A unique identifier that might be required when you assume a role in another account. If the administrator of the account to which the role belongs provided you with an external ID, then provide that value in the ExternalId parameter. This value can be any string, such as a passphrase or account number. Because a cross-account role is usually set up to trust everyone in an account, the administrator of the trusting account might send an external ID to the administrator of the trusted account. That way, only someone with the ID can assume the role, rather than everyone in the account. For more information about the external ID, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party in the IAM User Guide.

The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" + "documentation":"

A unique identifier that might be required when you assume a role in another account. If the administrator of the account to which the role belongs provided you with an external ID, then provide that value in the ExternalId parameter. This value can be any string, such as a passphrase or account number. A cross-account role is usually set up to trust everyone in an account. Therefore, the administrator of the trusting account might send an external ID to the administrator of the trusted account. That way, only someone with the ID can assume the role, rather than everyone in the account. For more information about the external ID, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party in the IAM User Guide.

The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-

" }, "SerialNumber":{ "shape":"serialNumberType", @@ -181,7 +185,7 @@ "members":{ "Credentials":{ "shape":"Credentials", - "documentation":"

The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.

" + "documentation":"

The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.

" }, "AssumedRoleUser":{ "shape":"AssumedRoleUser", @@ -214,9 +218,13 @@ "shape":"SAMLAssertionType", "documentation":"

The base-64 encoded SAML authentication response provided by the IdP.

For more information, see Configuring a Relying Party and Adding Claims in the IAM User Guide.

" }, + "PolicyArns":{ + "shape":"policyDescriptorListType", + "documentation":"

The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.

This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

The characters in this parameter count towards the 2048 character session policy guideline. However, an AWS conversion compresses the session policies into a packed binary format that has a separate limit. This is the enforced limit. The PackedPolicySize response element indicates by percentage how close the policy is to the upper size limit.

Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

" + }, "Policy":{ "shape":"sessionPolicyDocumentType", - "documentation":"

An IAM policy in JSON format.

The policy parameter is optional. If you pass a policy to this operation, the resulting temporary credentials have the permissions of the assumed role and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the permissions policy of the role that is being assumed. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.

The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\\u0020-\\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.

The policy plaintext must be 2048 bytes or shorter. However, an internal conversion compresses it into a packed binary format with a separate limit. The PackedPolicySize response element indicates by percentage how close to the upper size limit the policy is, where 100 percent is the maximum allowed size.

" + "documentation":"

An IAM policy in JSON format that you want to use as an inline session policy.

This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.

The characters in this parameter count towards the 2048 character session policy guideline. However, an AWS conversion compresses the session policies into a packed binary format that has a separate limit. This is the enforced limit. The PackedPolicySize response element indicates by percentage how close the policy is to the upper size limit.

" }, "DurationSeconds":{ "shape":"roleDurationSecondsType", @@ -229,7 +237,7 @@ "members":{ "Credentials":{ "shape":"Credentials", - "documentation":"

The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.

" + "documentation":"

The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.

" }, "AssumedRoleUser":{ "shape":"AssumedRoleUser", @@ -286,9 +294,13 @@ "shape":"urlType", "documentation":"

The fully qualified host component of the domain name of the identity provider.

Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com and graph.facebook.com are the only supported identity providers for OAuth 2.0 access tokens. Do not include URL schemes and port numbers.

Do not specify this value for OpenID Connect ID tokens.

" }, + "PolicyArns":{ + "shape":"policyDescriptorListType", + "documentation":"

The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.

This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

The characters in this parameter count towards the 2048 character session policy guideline. However, an AWS conversion compresses the session policies into a packed binary format that has a separate limit. This is the enforced limit. The PackedPolicySize response element indicates by percentage how close the policy is to the upper size limit.

Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

" + }, "Policy":{ "shape":"sessionPolicyDocumentType", - "documentation":"

An IAM policy in JSON format.

The policy parameter is optional. If you pass a policy to this operation, the resulting temporary credentials have the permissions of the assumed role and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the permissions policy of the role that is being assumed. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the IAM User Guide.

The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\\u0020-\\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.

The policy plaintext must be 2048 bytes or shorter. However, an internal conversion compresses it into a packed binary format with a separate limit. The PackedPolicySize response element indicates by percentage how close to the upper size limit the policy is, where 100 percent is the maximum allowed size.

" + "documentation":"

An IAM policy in JSON format that you want to use as an inline session policy.

This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.

The characters in this parameter count towards the 2048 character session policy guideline. However, an AWS conversion compresses the session policies into a packed binary format that has a separate limit. This is the enforced limit. The PackedPolicySize response element indicates by percentage how close the policy is to the upper size limit.

" }, "DurationSeconds":{ "shape":"roleDurationSecondsType", @@ -301,7 +313,7 @@ "members":{ "Credentials":{ "shape":"Credentials", - "documentation":"

The temporary security credentials, which include an access key ID, a secret access key, and a security token.

The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.

" + "documentation":"

The temporary security credentials, which include an access key ID, a secret access key, and a security token.

The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.

" }, "SubjectFromWebIdentityToken":{ "shape":"webIdentitySubjectType", @@ -457,7 +469,11 @@ }, "Policy":{ "shape":"sessionPolicyDocumentType", - "documentation":"

An IAM policy in JSON format. You must pass an IAM permissions policy to GetFederationToken. When you pass a policy to this operation, the resulting temporary credentials are defined by the intersection of your IAM user policies and the policy that you pass. The passed policy defines the permissions of the federated user. AWS allows the federated user's request only when both the attached policy and the IAM user policy explicitly allow the federated user to perform the requested action. The passed policy cannot grant more permissions than those that are defined in the IAM user policy.

The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\\u0020-\\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.

The policy plaintext must be 2048 bytes or shorter. However, an internal conversion compresses it into a packed binary format with a separate limit. The PackedPolicySize response element indicates by percentage how close to the upper size limit the policy is, where 100 percent is the maximum allowed size.

For more information about how permissions work, see Permissions for GetFederationToken.

" + "documentation":"

An IAM policy in JSON format that you want to use as an inline session policy.

You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.

This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions. The only exception is when the credentials are used to access a resource that has a resource-based policy that specifically references the federated user session in the Principal element of the policy.

When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.

The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.

The characters in this parameter count towards the 2048 character session policy guideline. However, an AWS conversion compresses the session policies into a packed binary format that has a separate limit. This is the enforced limit. The PackedPolicySize response element indicates by percentage how close the policy is to the upper size limit.

" + }, + "PolicyArns":{ + "shape":"policyDescriptorListType", + "documentation":"

The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.

You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions. The only exception is when the credentials are used to access a resource that has a resource-based policy that specifically references the federated user session in the Principal element of the policy.

When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.

The characters in this parameter count towards the 2048 character session policy guideline. However, an AWS conversion compresses the session policies into a packed binary format that has a separate limit. This is the enforced limit. The PackedPolicySize response element indicates by percentage how close the policy is to the upper size limit.

" }, "DurationSeconds":{ "shape":"durationSecondsType", @@ -470,7 +486,7 @@ "members":{ "Credentials":{ "shape":"Credentials", - "documentation":"

The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.

" + "documentation":"

The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.

" }, "FederatedUser":{ "shape":"FederatedUser", @@ -505,7 +521,7 @@ "members":{ "Credentials":{ "shape":"Credentials", - "documentation":"

The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.

" + "documentation":"

The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.

" } }, "documentation":"

Contains the response to a successful GetSessionToken request, including temporary AWS credentials that can be used to make AWS requests.

" @@ -590,6 +606,16 @@ }, "exception":true }, + "PolicyDescriptorType":{ + "type":"structure", + "members":{ + "arn":{ + "shape":"arnType", + "documentation":"

The Amazon Resource Name (ARN) of the IAM managed policy to use as a session policy for the role. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.

" + } + }, + "documentation":"

A reference to the IAM managed policy that is passed as a session policy for a role session or a federated user session.

" + }, "RegionDisabledException":{ "type":"structure", "members":{ @@ -670,6 +696,10 @@ "min":0 }, "packedPolicyTooLargeMessage":{"type":"string"}, + "policyDescriptorListType":{ + "type":"list", + "member":{"shape":"PolicyDescriptorType"} + }, "regionDisabledMessage":{"type":"string"}, "roleDurationSecondsType":{ "type":"integer", diff --git a/docs/source/conf.py b/docs/source/conf.py index 057fbe4218..dcd865bec2 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -54,7 +54,7 @@ # The short X.Y version. version = '1.12.1' # The full version, including alpha/beta/rc tags. -release = '1.12.145' +release = '1.12.146' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages.