diff --git a/.changelog/43b41cd540ed412fab449da18eb2a0b1.json b/.changelog/43b41cd540ed412fab449da18eb2a0b1.json new file mode 100644 index 00000000000..47f2d499d5a --- /dev/null +++ b/.changelog/43b41cd540ed412fab449da18eb2a0b1.json @@ -0,0 +1,8 @@ +{ + "id": "43b41cd5-40ed-412f-ab44-9da18eb2a0b1", + "type": "feature", + "description": "Documentation updates for AWS Security Token Service.", + "modules": [ + "service/sts" + ] +} \ No newline at end of file diff --git a/.changelog/54bc945c3172442cb9abc0633eab41ed.json b/.changelog/54bc945c3172442cb9abc0633eab41ed.json new file mode 100644 index 00000000000..4cd14da699c --- /dev/null +++ b/.changelog/54bc945c3172442cb9abc0633eab41ed.json @@ -0,0 +1,8 @@ +{ + "id": "54bc945c-3172-442c-b9ab-c0633eab41ed", + "type": "feature", + "description": "Add AccessDeniedException 403 Error message code to support 3 Tagging related APIs", + "modules": [ + "service/guardduty" + ] +} \ No newline at end of file diff --git a/.changelog/615547aefa7e4a9ba1767173e447f473.json b/.changelog/615547aefa7e4a9ba1767173e447f473.json new file mode 100644 index 00000000000..f29a35c68f0 --- /dev/null +++ b/.changelog/615547aefa7e4a9ba1767173e447f473.json @@ -0,0 +1,8 @@ +{ + "id": "615547ae-fa7e-4a9b-a176-7173e447f473", + "type": "feature", + "description": "Provide support for 20,000 max results for GetAssetPropertyValueHistory/BatchGetAssetPropertyValueHistory and 15 minute aggregate resolution for GetAssetPropertyAggregates/BatchGetAssetPropertyAggregates", + "modules": [ + "service/iotsitewise" + ] +} \ No newline at end of file diff --git a/.changelog/951d777128ce4bf9a0f12a55fff42684.json b/.changelog/951d777128ce4bf9a0f12a55fff42684.json new file mode 100644 index 00000000000..06c967bf3f2 --- /dev/null +++ b/.changelog/951d777128ce4bf9a0f12a55fff42684.json @@ -0,0 +1,8 @@ +{ + "id": "951d7771-28ce-4bf9-a0f1-2a55fff42684", + "type": "feature", + "description": "We don't do release notes https://w.amazon.com/bin/view/AWSDocs/common-tasks/release-notes", + "modules": [ + "service/glue" + ] +} \ No newline at end of file diff --git a/service/glue/types/enums.go b/service/glue/types/enums.go index b470f13f229..aeb128b535c 100644 --- a/service/glue/types/enums.go +++ b/service/glue/types/enums.go @@ -1949,6 +1949,8 @@ const ( WorkerTypeG1x WorkerType = "G.1X" WorkerTypeG2x WorkerType = "G.2X" WorkerTypeG025x WorkerType = "G.025X" + WorkerTypeG4x WorkerType = "G.4X" + WorkerTypeG8x WorkerType = "G.8X" ) // Values returns all known values for WorkerType. Note that this can be expanded @@ -1960,6 +1962,8 @@ func (WorkerType) Values() []WorkerType { "G.1X", "G.2X", "G.025X", + "G.4X", + "G.8X", } } diff --git a/service/glue/types/types.go b/service/glue/types/types.go index d2b76393473..9d684549bef 100644 --- a/service/glue/types/types.go +++ b/service/glue/types/types.go @@ -3509,18 +3509,18 @@ type Job struct { // number of Glue data processing units (DPUs) that can be allocated when this job // runs. A DPU is a relative measure of processing power that consists of 4 vCPUs // of compute capacity and 16 GB of memory. For more information, see the Glue - // pricing page (https://aws.amazon.com/glue/pricing/) . Do not set Max Capacity - // if using WorkerType and NumberOfWorkers . The value that can be allocated for - // MaxCapacity depends on whether you are running a Python shell job, an Apache - // Spark ETL job, or an Apache Spark streaming ETL job: + // pricing page (https://aws.amazon.com/glue/pricing/) . For Glue version 2.0 or + // later jobs, you cannot specify a Maximum capacity . Instead, you should specify + // a Worker type and the Number of workers . Do not set MaxCapacity if using + // WorkerType and NumberOfWorkers . The value that can be allocated for MaxCapacity + // depends on whether you are running a Python shell job, an Apache Spark ETL job, + // or an Apache Spark streaming ETL job: // - When you specify a Python shell job ( JobCommand.Name ="pythonshell"), you // can allocate either 0.0625 or 1 DPU. The default is 0.0625 DPU. // - When you specify an Apache Spark ETL job ( JobCommand.Name ="glueetl") or // Apache Spark streaming ETL job ( JobCommand.Name ="gluestreaming"), you can // allocate from 2 to 100 DPUs. The default is 10 DPUs. This job type cannot have a // fractional DPU allocation. - // For Glue version 2.0 jobs, you cannot instead specify a Maximum capacity . - // Instead, you should specify a Worker type and the Number of workers . MaxCapacity *float64 // The maximum number of times to retry this job after a JobRun fails. @@ -3560,10 +3560,22 @@ type Job struct { // and a 50GB disk, and 2 executors per worker. // - For the G.1X worker type, each worker maps to 1 DPU (4 vCPU, 16 GB of // memory, 64 GB disk), and provides 1 executor per worker. We recommend this - // worker type for memory-intensive jobs. + // worker type for workloads such as data transforms, joins, and queries, to offers + // a scalable and cost effective way to run most jobs. // - For the G.2X worker type, each worker maps to 2 DPU (8 vCPU, 32 GB of // memory, 128 GB disk), and provides 1 executor per worker. We recommend this - // worker type for memory-intensive jobs. + // worker type for workloads such as data transforms, joins, and queries, to offers + // a scalable and cost effective way to run most jobs. + // - For the G.4X worker type, each worker maps to 4 DPU (16 vCPU, 64 GB of + // memory, 256 GB disk), and provides 1 executor per worker. We recommend this + // worker type for jobs whose workloads contain your most demanding transforms, + // aggregations, joins, and queries. This worker type is available only for Glue + // version 3.0 or later jobs. + // - For the G.8X worker type, each worker maps to 8 DPU (32 vCPU, 128 GB of + // memory, 512 GB disk), and provides 1 executor per worker. We recommend this + // worker type for jobs whose workloads contain your most demanding transforms, + // aggregations, joins, and queries. This worker type is available only for Glue + // version 3.0 or later jobs. // - For the G.025X worker type, each worker maps to 0.25 DPU (2 vCPU, 4 GB of // memory, 64 GB disk), and provides 1 executor per worker. We recommend this // worker type for low volume streaming jobs. This worker type is only available diff --git a/service/guardduty/deserializers.go b/service/guardduty/deserializers.go index 6f9b89a4230..e35c9ed1b84 100644 --- a/service/guardduty/deserializers.go +++ b/service/guardduty/deserializers.go @@ -7345,6 +7345,9 @@ func awsRestjson1_deserializeOpErrorListTagsForResource(response *smithyhttp.Res } switch { + case strings.EqualFold("AccessDeniedException", errorCode): + return awsRestjson1_deserializeErrorAccessDeniedException(response, errorBody) + case strings.EqualFold("BadRequestException", errorCode): return awsRestjson1_deserializeErrorBadRequestException(response, errorBody) @@ -8083,6 +8086,9 @@ func awsRestjson1_deserializeOpErrorTagResource(response *smithyhttp.Response, m } switch { + case strings.EqualFold("AccessDeniedException", errorCode): + return awsRestjson1_deserializeErrorAccessDeniedException(response, errorBody) + case strings.EqualFold("BadRequestException", errorCode): return awsRestjson1_deserializeErrorBadRequestException(response, errorBody) @@ -8255,6 +8261,9 @@ func awsRestjson1_deserializeOpErrorUntagResource(response *smithyhttp.Response, } switch { + case strings.EqualFold("AccessDeniedException", errorCode): + return awsRestjson1_deserializeErrorAccessDeniedException(response, errorBody) + case strings.EqualFold("BadRequestException", errorCode): return awsRestjson1_deserializeErrorBadRequestException(response, errorBody) @@ -9177,6 +9186,42 @@ func awsRestjson1_deserializeOpErrorUpdateThreatIntelSet(response *smithyhttp.Re } } +func awsRestjson1_deserializeErrorAccessDeniedException(response *smithyhttp.Response, errorBody *bytes.Reader) error { + output := &types.AccessDeniedException{} + var buff [1024]byte + ringBuffer := smithyio.NewRingBuffer(buff[:]) + + body := io.TeeReader(errorBody, ringBuffer) + decoder := json.NewDecoder(body) + decoder.UseNumber() + var shape interface{} + if err := decoder.Decode(&shape); err != nil && err != io.EOF { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return err + } + + err := awsRestjson1_deserializeDocumentAccessDeniedException(&output, shape) + + if err != nil { + var snapshot bytes.Buffer + io.Copy(&snapshot, ringBuffer) + err = &smithy.DeserializationError{ + Err: fmt.Errorf("failed to decode response body, %w", err), + Snapshot: snapshot.Bytes(), + } + return err + } + + errorBody.Seek(0, io.SeekStart) + + return output +} + func awsRestjson1_deserializeErrorBadRequestException(response *smithyhttp.Response, errorBody *bytes.Reader) error { output := &types.BadRequestException{} var buff [1024]byte @@ -9334,6 +9379,55 @@ func awsRestjson1_deserializeDocumentAccessControlList(v **types.AccessControlLi return nil } +func awsRestjson1_deserializeDocumentAccessDeniedException(v **types.AccessDeniedException, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *types.AccessDeniedException + if *v == nil { + sv = &types.AccessDeniedException{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "message": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected String to be of type string, got %T instead", value) + } + sv.Message = ptr.String(jtv) + } + + case "__type": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected String to be of type string, got %T instead", value) + } + sv.Type = ptr.String(jtv) + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + func awsRestjson1_deserializeDocumentAccessKeyDetails(v **types.AccessKeyDetails, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) diff --git a/service/guardduty/types/errors.go b/service/guardduty/types/errors.go index 1ec8658217d..0e0d4c832b8 100644 --- a/service/guardduty/types/errors.go +++ b/service/guardduty/types/errors.go @@ -7,6 +7,34 @@ import ( smithy "github.com/aws/smithy-go" ) +// An access denied exception object. +type AccessDeniedException struct { + Message *string + + ErrorCodeOverride *string + + Type *string + + noSmithyDocumentSerde +} + +func (e *AccessDeniedException) Error() string { + return fmt.Sprintf("%s: %s", e.ErrorCode(), e.ErrorMessage()) +} +func (e *AccessDeniedException) ErrorMessage() string { + if e.Message == nil { + return "" + } + return *e.Message +} +func (e *AccessDeniedException) ErrorCode() string { + if e == nil || e.ErrorCodeOverride == nil { + return "AccessDeniedException" + } + return *e.ErrorCodeOverride +} +func (e *AccessDeniedException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } + // A bad request exception object. type BadRequestException struct { Message *string diff --git a/service/iotsitewise/api_op_BatchGetAssetPropertyAggregates.go b/service/iotsitewise/api_op_BatchGetAssetPropertyAggregates.go index 0865823ca7f..9ac4c6d60ef 100644 --- a/service/iotsitewise/api_op_BatchGetAssetPropertyAggregates.go +++ b/service/iotsitewise/api_op_BatchGetAssetPropertyAggregates.go @@ -40,8 +40,8 @@ type BatchGetAssetPropertyAggregatesInput struct { // The maximum number of results to return for each paginated request. A result // set is returned in the two cases, whichever occurs first. - // - The size of the result set is less than 1 MB. - // - The number of data points in the result set is less than the value of + // - The size of the result set is equal to 1 MB. + // - The number of data points in the result set is equal to the value of // maxResults . The maximum value of maxResults is 4000. MaxResults *int32 @@ -192,8 +192,8 @@ var _ BatchGetAssetPropertyAggregatesAPIClient = (*Client)(nil) type BatchGetAssetPropertyAggregatesPaginatorOptions struct { // The maximum number of results to return for each paginated request. A result // set is returned in the two cases, whichever occurs first. - // - The size of the result set is less than 1 MB. - // - The number of data points in the result set is less than the value of + // - The size of the result set is equal to 1 MB. + // - The number of data points in the result set is equal to the value of // maxResults . The maximum value of maxResults is 4000. Limit int32 diff --git a/service/iotsitewise/api_op_BatchGetAssetPropertyValueHistory.go b/service/iotsitewise/api_op_BatchGetAssetPropertyValueHistory.go index ebca041e62c..6e534389997 100644 --- a/service/iotsitewise/api_op_BatchGetAssetPropertyValueHistory.go +++ b/service/iotsitewise/api_op_BatchGetAssetPropertyValueHistory.go @@ -40,9 +40,9 @@ type BatchGetAssetPropertyValueHistoryInput struct { // The maximum number of results to return for each paginated request. A result // set is returned in the two cases, whichever occurs first. - // - The size of the result set is less than 1 MB. - // - The number of data points in the result set is less than the value of - // maxResults . The maximum value of maxResults is 4000. + // - The size of the result set is equal to 4 MB. + // - The number of data points in the result set is equal to the value of + // maxResults . The maximum value of maxResults is 20000. MaxResults *int32 // The token to be used for the next set of paginated results. @@ -192,9 +192,9 @@ var _ BatchGetAssetPropertyValueHistoryAPIClient = (*Client)(nil) type BatchGetAssetPropertyValueHistoryPaginatorOptions struct { // The maximum number of results to return for each paginated request. A result // set is returned in the two cases, whichever occurs first. - // - The size of the result set is less than 1 MB. - // - The number of data points in the result set is less than the value of - // maxResults . The maximum value of maxResults is 4000. + // - The size of the result set is equal to 4 MB. + // - The number of data points in the result set is equal to the value of + // maxResults . The maximum value of maxResults is 20000. Limit int32 // Set to true if pagination should stop if the service returns a pagination token diff --git a/service/iotsitewise/api_op_GetAssetPropertyAggregates.go b/service/iotsitewise/api_op_GetAssetPropertyAggregates.go index bd4f8e94b1a..b07c3f800df 100644 --- a/service/iotsitewise/api_op_GetAssetPropertyAggregates.go +++ b/service/iotsitewise/api_op_GetAssetPropertyAggregates.go @@ -64,7 +64,11 @@ type GetAssetPropertyAggregatesInput struct { // The ID of the asset. AssetId *string - // The maximum number of results to return for each paginated request. Default: 100 + // The maximum number of results to return for each paginated request. A result + // set is returned in the two cases, whichever occurs first. + // - The size of the result set is equal to 1 MB. + // - The number of data points in the result set is equal to the value of + // maxResults . The maximum value of maxResults is 250. MaxResults *int32 // The token to be used for the next set of paginated results. @@ -212,7 +216,11 @@ var _ GetAssetPropertyAggregatesAPIClient = (*Client)(nil) // GetAssetPropertyAggregatesPaginatorOptions is the paginator options for // GetAssetPropertyAggregates type GetAssetPropertyAggregatesPaginatorOptions struct { - // The maximum number of results to return for each paginated request. Default: 100 + // The maximum number of results to return for each paginated request. A result + // set is returned in the two cases, whichever occurs first. + // - The size of the result set is equal to 1 MB. + // - The number of data points in the result set is equal to the value of + // maxResults . The maximum value of maxResults is 250. Limit int32 // Set to true if pagination should stop if the service returns a pagination token diff --git a/service/iotsitewise/api_op_GetAssetPropertyValueHistory.go b/service/iotsitewise/api_op_GetAssetPropertyValueHistory.go index e17de132822..fc277d3017e 100644 --- a/service/iotsitewise/api_op_GetAssetPropertyValueHistory.go +++ b/service/iotsitewise/api_op_GetAssetPropertyValueHistory.go @@ -46,7 +46,11 @@ type GetAssetPropertyValueHistoryInput struct { // in seconds in Unix epoch time. EndDate *time.Time - // The maximum number of results to return for each paginated request. Default: 100 + // The maximum number of results to return for each paginated request. A result + // set is returned in the two cases, whichever occurs first. + // - The size of the result set is equal to 4 MB. + // - The number of data points in the result set is equal to the value of + // maxResults . The maximum value of maxResults is 20000. MaxResults *int32 // The token to be used for the next set of paginated results. @@ -195,7 +199,11 @@ var _ GetAssetPropertyValueHistoryAPIClient = (*Client)(nil) // GetAssetPropertyValueHistoryPaginatorOptions is the paginator options for // GetAssetPropertyValueHistory type GetAssetPropertyValueHistoryPaginatorOptions struct { - // The maximum number of results to return for each paginated request. Default: 100 + // The maximum number of results to return for each paginated request. A result + // set is returned in the two cases, whichever occurs first. + // - The size of the result set is equal to 4 MB. + // - The number of data points in the result set is equal to the value of + // maxResults . The maximum value of maxResults is 20000. Limit int32 // Set to true if pagination should stop if the service returns a pagination token diff --git a/service/kinesisanalytics/internal/endpoints/endpoints.go b/service/kinesisanalytics/internal/endpoints/endpoints.go index 4c60e12a5a2..b048b1c451e 100644 --- a/service/kinesisanalytics/internal/endpoints/endpoints.go +++ b/service/kinesisanalytics/internal/endpoints/endpoints.go @@ -167,6 +167,9 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "ap-southeast-3", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "ap-southeast-4", + }: endpoints.Endpoint{}, endpoints.EndpointKey{ Region: "ca-central-1", }: endpoints.Endpoint{}, diff --git a/service/kinesisanalyticsv2/internal/endpoints/endpoints.go b/service/kinesisanalyticsv2/internal/endpoints/endpoints.go index 14257d5a459..9ecb5a09d94 100644 --- a/service/kinesisanalyticsv2/internal/endpoints/endpoints.go +++ b/service/kinesisanalyticsv2/internal/endpoints/endpoints.go @@ -167,6 +167,9 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "ap-southeast-3", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "ap-southeast-4", + }: endpoints.Endpoint{}, endpoints.EndpointKey{ Region: "ca-central-1", }: endpoints.Endpoint{}, diff --git a/service/sagemakermetrics/internal/endpoints/endpoints.go b/service/sagemakermetrics/internal/endpoints/endpoints.go index d1ef326082d..0770df4bd4f 100644 --- a/service/sagemakermetrics/internal/endpoints/endpoints.go +++ b/service/sagemakermetrics/internal/endpoints/endpoints.go @@ -155,6 +155,9 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "ap-south-1", }: endpoints.Endpoint{}, + endpoints.EndpointKey{ + Region: "ap-south-2", + }: endpoints.Endpoint{}, endpoints.EndpointKey{ Region: "ap-southeast-1", }: endpoints.Endpoint{}, diff --git a/service/sns/internal/endpoints/endpoints.go b/service/sns/internal/endpoints/endpoints.go index 14e9f85964a..c9ac775b9b7 100644 --- a/service/sns/internal/endpoints/endpoints.go +++ b/service/sns/internal/endpoints/endpoints.go @@ -466,14 +466,14 @@ var defaultPartitions = endpoints.Partitions{ endpoints.EndpointKey{ Region: "us-gov-west-1", }: endpoints.Endpoint{ - Protocols: []string{"http", "https"}, + Protocols: []string{"https"}, }, endpoints.EndpointKey{ Region: "us-gov-west-1", Variant: endpoints.FIPSVariant, }: { Hostname: "sns.us-gov-west-1.amazonaws.com", - Protocols: []string{"http", "https"}, + Protocols: []string{"https"}, }, }, }, diff --git a/service/sts/api_op_AssumeRole.go b/service/sts/api_op_AssumeRole.go index 65a49259f21..db22efc0e82 100644 --- a/service/sts/api_op_AssumeRole.go +++ b/service/sts/api_op_AssumeRole.go @@ -34,19 +34,18 @@ import ( // the account that owns the role. You cannot use session policies to grant more // permissions than those allowed by the identity-based policy of the role that is // being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) -// in the IAM User Guide. When you create a role, you create two policies: A role -// trust policy that specifies who can assume the role and a permissions policy +// in the IAM User Guide. When you create a role, you create two policies: a role +// trust policy that specifies who can assume the role, and a permissions policy // that specifies what can be done with the role. You specify the trusted principal -// who is allowed to assume the role in the role trust policy. To assume a role +// that is allowed to assume the role in the role trust policy. To assume a role // from a different account, your Amazon Web Services account must be trusted by // the role. The trust relationship is defined in the role's trust policy when the // role is created. That trust policy states which accounts are allowed to delegate // that access to users in the account. A user who wants to access a role in a -// different account must also have permissions that are delegated from the user -// account administrator. The administrator must attach a policy that allows the -// user to call AssumeRole for the ARN of the role in the other account. To allow -// a user to assume a role in the same account, you can do either of the following: -// +// different account must also have permissions that are delegated from the account +// administrator. The administrator must attach a policy that allows the user to +// call AssumeRole for the ARN of the role in the other account. To allow a user +// to assume a role in the same account, you can do either of the following: // - Attach a policy to the user that allows the user to call AssumeRole (as long // as the role's trust policy trusts the account). // - Add the user as a principal directly in the role's trust policy. diff --git a/service/sts/api_op_AssumeRoleWithSAML.go b/service/sts/api_op_AssumeRoleWithSAML.go index 0071eaa6235..65dccc9ea08 100644 --- a/service/sts/api_op_AssumeRoleWithSAML.go +++ b/service/sts/api_op_AssumeRoleWithSAML.go @@ -229,8 +229,8 @@ type AssumeRoleWithSAMLOutput struct { // - The Amazon Web Services account ID. // - The friendly name (the last part of the ARN) of the SAML provider in IAM. // The combination of NameQualifier and Subject can be used to uniquely identify a - // federated user. The following pseudocode shows how the hash value is calculated: - // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ) + // user. The following pseudocode shows how the hash value is calculated: BASE64 ( + // SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ) NameQualifier *string // A percentage value that indicates the packed size of the session policies and diff --git a/service/sts/api_op_AssumeRoleWithWebIdentity.go b/service/sts/api_op_AssumeRoleWithWebIdentity.go index 26418f72be0..f00f3076344 100644 --- a/service/sts/api_op_AssumeRoleWithWebIdentity.go +++ b/service/sts/api_op_AssumeRoleWithWebIdentity.go @@ -20,19 +20,17 @@ import ( // and the Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/) // to uniquely identify a user. You can also supply the user with a consistent // identity throughout the lifetime of an application. To learn more about Amazon -// Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) -// in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito -// Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) -// in the Amazon Web Services SDK for iOS Developer Guide. Calling -// AssumeRoleWithWebIdentity does not require the use of Amazon Web Services -// security credentials. Therefore, you can distribute an application (for example, -// on mobile devices) that requests temporary security credentials without -// including long-term Amazon Web Services credentials in the application. You also -// don't need to deploy server-based proxy services that use long-term Amazon Web -// Services credentials. Instead, the identity of the caller is validated by using -// a token from the web identity provider. For a comparison of -// AssumeRoleWithWebIdentity with the other API operations that produce temporary -// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// Cognito, see Amazon Cognito identity pools (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html) +// in Amazon Cognito Developer Guide. Calling AssumeRoleWithWebIdentity does not +// require the use of Amazon Web Services security credentials. Therefore, you can +// distribute an application (for example, on mobile devices) that requests +// temporary security credentials without including long-term Amazon Web Services +// credentials in the application. You also don't need to deploy server-based proxy +// services that use long-term Amazon Web Services credentials. Instead, the +// identity of the caller is validated by using a token from the web identity +// provider. For a comparison of AssumeRoleWithWebIdentity with the other API +// operations that produce temporary credentials, see Requesting Temporary +// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. The temporary security credentials returned by this API // consist of an access key ID, a secret access key, and a security token. diff --git a/service/sts/api_op_GetCallerIdentity.go b/service/sts/api_op_GetCallerIdentity.go index 013ff8ca541..93823927b1d 100644 --- a/service/sts/api_op_GetCallerIdentity.go +++ b/service/sts/api_op_GetCallerIdentity.go @@ -12,11 +12,11 @@ import ( // Returns details about the IAM user or role whose credentials are used to call // the operation. No permissions are required to perform this operation. If an -// administrator adds a policy to your IAM user or role that explicitly denies -// access to the sts:GetCallerIdentity action, you can still perform this -// operation. Permissions are not required because the same information is returned -// when an IAM user or role is denied access. To view an example response, see I -// Am Not Authorized to Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa) +// administrator attaches a policy to your identity that explicitly denies access +// to the sts:GetCallerIdentity action, you can still perform this operation. +// Permissions are not required because the same information is returned when +// access is denied. To view an example response, see I Am Not Authorized to +// Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa) // in the IAM User Guide. func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) { if params == nil { diff --git a/service/sts/api_op_GetFederationToken.go b/service/sts/api_op_GetFederationToken.go index 460f180399a..ccb7366e26f 100644 --- a/service/sts/api_op_GetFederationToken.go +++ b/service/sts/api_op_GetFederationToken.go @@ -12,34 +12,33 @@ import ( ) // Returns a set of temporary security credentials (consisting of an access key -// ID, a secret access key, and a security token) for a federated user. A typical -// use is in a proxy application that gets temporary security credentials on behalf -// of distributed applications inside a corporate network. You must call the +// ID, a secret access key, and a security token) for a user. A typical use is in a +// proxy application that gets temporary security credentials on behalf of +// distributed applications inside a corporate network. You must call the // GetFederationToken operation using the long-term security credentials of an IAM // user. As a result, this call is appropriate in contexts where those credentials -// can be safely stored, usually in a server-based application. For a comparison of +// can be safeguarded, usually in a server-based application. For a comparison of // GetFederationToken with the other API operations that produce temporary // credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// in the IAM User Guide. Although it is possible to call GetFederationToken using +// the security credentials of an Amazon Web Services account root user rather than +// an IAM user that you create for the purpose of a proxy application, we do not +// recommend it. For more information, see Safeguard your root user credentials +// and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials) // in the IAM User Guide. You can create a mobile-based or browser-based app that // can authenticate users using a web identity provider like Login with Amazon, // Facebook, Google, or an OpenID Connect-compatible identity provider. In this // case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/) // or AssumeRoleWithWebIdentity . For more information, see Federation Through a // Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) -// in the IAM User Guide. You can also call GetFederationToken using the security -// credentials of an Amazon Web Services account root user, but we do not recommend -// it. Instead, we recommend that you create an IAM user for the purpose of the -// proxy application. Then attach a policy to the IAM user that limits federated -// users to only the actions and resources that they need to access. For more -// information, see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) // in the IAM User Guide. Session duration The temporary credentials are valid for // the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 // seconds (36 hours). The default session duration is 43,200 seconds (12 hours). -// Temporary credentials obtained by using the Amazon Web Services account root -// user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions -// You can use the temporary credentials created by GetFederationToken in any -// Amazon Web Services service with the following exceptions: +// Temporary credentials obtained by using the root user credentials have a maximum +// duration of 3,600 seconds (1 hour). Permissions You can use the temporary +// credentials created by GetFederationToken in any Amazon Web Services service +// with the following exceptions: // - You cannot call any IAM operations using the CLI or the Amazon Web Services // API. This limitation does not apply to console sessions. // - You cannot call any STS operations except GetCallerIdentity . @@ -114,10 +113,9 @@ type GetFederationTokenInput struct { // The duration, in seconds, that the session should last. Acceptable durations // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained - // using Amazon Web Services account root user credentials are restricted to a - // maximum of 3,600 seconds (one hour). If the specified duration is longer than - // one hour, the session obtained by using root user credentials defaults to one - // hour. + // using root user credentials are restricted to a maximum of 3,600 seconds (one + // hour). If the specified duration is longer than one hour, the session obtained + // by using root user credentials defaults to one hour. DurationSeconds *int32 // An IAM policy in JSON format that you want to use as an inline session policy. diff --git a/service/sts/api_op_GetSessionToken.go b/service/sts/api_op_GetSessionToken.go index 4ec3d42d895..4dfac4c9823 100644 --- a/service/sts/api_op_GetSessionToken.go +++ b/service/sts/api_op_GetSessionToken.go @@ -15,45 +15,42 @@ import ( // IAM user. The credentials consist of an access key ID, a secret access key, and // a security token. Typically, you use GetSessionToken if you want to use MFA to // protect programmatic calls to specific Amazon Web Services API operations like -// Amazon EC2 StopInstances . MFA-enabled IAM users would need to call -// GetSessionToken and submit an MFA code that is associated with their MFA device. -// Using the temporary security credentials that are returned from the call, IAM -// users can then make programmatic calls to API operations that require MFA -// authentication. If you do not supply a correct MFA code, then the API returns an -// access denied error. For a comparison of GetSessionToken with the other API -// operations that produce temporary credentials, see Requesting Temporary -// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// Amazon EC2 StopInstances . MFA-enabled IAM users must call GetSessionToken and +// submit an MFA code that is associated with their MFA device. Using the temporary +// security credentials that the call returns, IAM users can then make programmatic +// calls to API operations that require MFA authentication. An incorrect MFA code +// causes the API to return an access denied error. For a comparison of +// GetSessionToken with the other API operations that produce temporary +// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. No permissions are required for users to perform this // operation. The purpose of the sts:GetSessionToken operation is to authenticate // the user using MFA. You cannot use policies to control authentication // operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html) // in the IAM User Guide. Session Duration The GetSessionToken operation must be -// called by using the long-term Amazon Web Services security credentials of the -// Amazon Web Services account root user or an IAM user. Credentials that are -// created by IAM users are valid for the duration that you specify. This duration -// can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 -// hours), with a default of 43,200 seconds (12 hours). Credentials based on -// account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds -// (1 hour), with a default of 1 hour. Permissions The temporary security -// credentials created by GetSessionToken can be used to make API calls to any -// Amazon Web Services service with the following exceptions: +// called by using the long-term Amazon Web Services security credentials of an IAM +// user. Credentials that are created by IAM users are valid for the duration that +// you specify. This duration can range from 900 seconds (15 minutes) up to a +// maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 +// hours). Credentials based on account credentials can range from 900 seconds (15 +// minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. Permissions The +// temporary security credentials created by GetSessionToken can be used to make +// API calls to any Amazon Web Services service with the following exceptions: // - You cannot call any IAM API operations unless MFA authentication // information is included in the request. // - You cannot call any STS API except AssumeRole or GetCallerIdentity . // -// We recommend that you do not call GetSessionToken with Amazon Web Services -// account root user credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) -// by creating one or more IAM users, giving them the necessary permissions, and -// using IAM users for everyday interaction with Amazon Web Services. The -// credentials that are returned by GetSessionToken are based on permissions -// associated with the user whose credentials were used to call the operation. If -// GetSessionToken is called using Amazon Web Services account root user -// credentials, the temporary credentials have root user permissions. Similarly, if -// GetSessionToken is called using the credentials of an IAM user, the temporary -// credentials have the same permissions as the IAM user. For more information -// about using GetSessionToken to create temporary credentials, go to Temporary -// Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) +// The credentials that GetSessionToken returns are based on permissions +// associated with the IAM user whose credentials were used to call the operation. +// The temporary credentials have the same permissions as the IAM user. Although it +// is possible to call GetSessionToken using the security credentials of an Amazon +// Web Services account root user rather than an IAM user, we do not recommend it. +// If GetSessionToken is called using root user credentials, the temporary +// credentials have root user permissions. For more information, see Safeguard +// your root user credentials and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials) +// in the IAM User Guide For more information about using GetSessionToken to +// create temporary credentials, see Temporary Credentials for Users in Untrusted +// Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) // in the IAM User Guide. func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) { if params == nil { diff --git a/service/sts/doc.go b/service/sts/doc.go index 7f41c0a6db0..d963fd8d19a 100644 --- a/service/sts/doc.go +++ b/service/sts/doc.go @@ -4,9 +4,8 @@ // Security Token Service. // // Security Token Service Security Token Service (STS) enables you to request -// temporary, limited-privilege credentials for Identity and Access Management -// (IAM) users or for users that you authenticate (federated users). This guide -// provides descriptions of the STS API. For more information about using this -// service, see Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) +// temporary, limited-privilege credentials for users. This guide provides +// descriptions of the STS API. For more information about using this service, see +// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) // . package sts