feat(client-iam): Make the LastUsedDate field in the GetAccessKeyLast…

…Used response optional. This may break customers who only call the API for access keys with a valid LastUsedDate. This fixes a deserialization issue for access keys without a LastUsedDate, because the field was marked as required but could be null.

clients/client-iam/src/commands/CreateOpenIDConnectProviderCommand.ts

@@ -60,12 +60,11 @@ export interface CreateOpenIDConnectProviderCommandOutput
  *          <p>You get all of this information from the OIDC IdP you want to use to access
  *             Amazon Web Services.</p>
  *          <note>
- *             <p>Amazon Web Services secures communication with some OIDC identity providers (IdPs) through our library
- *           of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to
- *           verify your IdP server certificate. In these cases, your legacy thumbprint remains in your
- *           configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub,
- *           GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS)
- *           endpoint.</p>
+ *             <p>Amazon Web Services secures communication with OIDC identity providers (IdPs) using our library of
+ *             trusted root certificate authorities (CAs) to verify the JSON Web Key Set (JWKS)
+ *             endpoint's TLS certificate. If your OIDC IdP relies on a certificate that is not signed
+ *             by one of these trusted CAs, only then we secure communication using the thumbprints set
+ *             in the IdP's configuration.</p>
  *          </note>
  *          <note>
  *             <p>The trust for the OIDC provider is derived from the IAM provider that this
@@ -130,7 +129,8 @@ export interface CreateOpenIDConnectProviderCommandOutput
  *       Amazon Web Services account limits. The error message describes the limit exceeded.</p>
  *
  * @throws {@link OpenIdIdpCommunicationErrorException} (client fault)
- *  <p>The request failed because IAM cannot connect to the OpenID Connect identity provider URL.</p>
+ *  <p>The request failed because IAM cannot connect to the OpenID Connect identity provider
+ *       URL.</p>
  *
  * @throws {@link ServiceFailureException} (server fault)
  *  <p>The request processing has failed because of an unknown error, exception or

clients/client-iam/src/commands/GetAccessKeyLastUsedCommand.ts

@@ -45,7 +45,7 @@ export interface GetAccessKeyLastUsedCommandOutput extends GetAccessKeyLastUsedR
  * // { // GetAccessKeyLastUsedResponse
  * //   UserName: "STRING_VALUE",
  * //   AccessKeyLastUsed: { // AccessKeyLastUsed
- * //     LastUsedDate: new Date("TIMESTAMP"), // required
+ * //     LastUsedDate: new Date("TIMESTAMP"),
  * //     ServiceName: "STRING_VALUE", // required
  * //     Region: "STRING_VALUE", // required
  * //   },

clients/client-iam/src/commands/ListAccountAliasesCommand.ts

@@ -29,9 +29,9 @@ export interface ListAccountAliasesCommandOutput extends ListAccountAliasesRespo
 
 /**
  * <p>Lists the account alias associated with the Amazon Web Services account (Note: you can have only
- *             one). For information about using an Amazon Web Services account alias, see <a href="https://docs.aws.amazon.com/signin/latest/userguide/CreateAccountAlias.html">Creating,
- *                 deleting, and listing an Amazon Web Services account alias</a> in the <i>Amazon Web Services Sign-In
- *                 User Guide</i>.</p>
+ *             one). For information about using an Amazon Web Services account alias, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#CreateAccountAlias">Creating,
+ *                 deleting, and listing an Amazon Web Services account alias</a> in the
+ *                 <i>IAM User Guide</i>.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

clients/client-iam/src/commands/UpdateOpenIDConnectProviderThumbprintCommand.ts

@@ -42,12 +42,11 @@ export interface UpdateOpenIDConnectProviderThumbprintCommandOutput extends __Me
  *             the OIDC provider as a principal fails until the certificate thumbprint is
  *             updated.</p>
  *          <note>
- *             <p>Amazon Web Services secures communication with some OIDC identity providers (IdPs) through our library
- *           of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to
- *           verify your IdP server certificate. In these cases, your legacy thumbprint remains in your
- *           configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub,
- *           GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS)
- *           endpoint.</p>
+ *             <p>Amazon Web Services secures communication with OIDC identity providers (IdPs) using our library of
+ *             trusted root certificate authorities (CAs) to verify the JSON Web Key Set (JWKS)
+ *             endpoint's TLS certificate. If your OIDC IdP relies on a certificate that is not signed
+ *             by one of these trusted CAs, only then we secure communication using the thumbprints set
+ *             in the IdP's configuration.</p>
  *          </note>
  *          <note>
  *             <p>Trust for the OIDC provider is derived from the provider certificate and is

clients/client-iam/src/models/models_0.ts

@@ -163,7 +163,7 @@ export interface AccessKeyLastUsed {
    *          </ul>
    * @public
    */
-  LastUsedDate: Date | undefined;
+  LastUsedDate?: Date;
 
   /**
    * <p>The name of the Amazon Web Services service with which this access key was most recently used. The
@@ -1275,7 +1275,8 @@ export interface CreateOpenIDConnectProviderResponse {
 }
 
 /**
- * <p>The request failed because IAM cannot connect to the OpenID Connect identity provider URL.</p>
+ * <p>The request failed because IAM cannot connect to the OpenID Connect identity provider
+ *       URL.</p>
  * @public
  */
 export class OpenIdIdpCommunicationErrorException extends __BaseException {

codegen/sdk-codegen/aws-models/iam.json

@@ -1995,8 +1995,7 @@
         "LastUsedDate": {
           "target": "com.amazonaws.iam#dateType",
           "traits": {
-            "smithy.api#documentation": "<p>The date and time, in <a href=\"http://www.iso.org/iso/iso8601\">ISO 8601 date-time\n            format</a>, when the access key was most recently used. This field is null in the\n         following situations:</p>\n         <ul>\n            <li>\n               <p>The user does not have an access key.</p>\n            </li>\n            <li>\n               <p>An access key exists but has not been used since IAM began tracking this\n               information.</p>\n            </li>\n            <li>\n               <p>There is no sign-in data associated with the user.</p>\n            </li>\n         </ul>",
-            "smithy.api#required": {}
+            "smithy.api#documentation": "<p>The date and time, in <a href=\"http://www.iso.org/iso/iso8601\">ISO 8601 date-time\n            format</a>, when the access key was most recently used. This field is null in the\n         following situations:</p>\n         <ul>\n            <li>\n               <p>The user does not have an access key.</p>\n            </li>\n            <li>\n               <p>An access key exists but has not been used since IAM began tracking this\n               information.</p>\n            </li>\n            <li>\n               <p>There is no sign-in data associated with the user.</p>\n            </li>\n         </ul>"
           }
         },
         "ServiceName": {
@@ -3140,7 +3139,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Creates an IAM entity to describe an identity provider (IdP) that supports <a href=\"http://openid.net/connect/\">OpenID Connect (OIDC)</a>.</p>\n         <p>The OIDC provider that you create with this operation can be used as a principal in a\n            role's trust policy. Such a policy establishes a trust relationship between Amazon Web Services and\n            the OIDC provider.</p>\n         <p>If you are using an OIDC identity provider from Google, Facebook, or Amazon Cognito, you don't\n            need to create a separate IAM identity provider. These OIDC identity providers are\n            already built-in to Amazon Web Services and are available for your use. Instead, you can move directly\n            to creating new roles using your identity provider. To learn more, see <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html\">Creating\n                a role for web identity or OpenID connect federation</a> in the <i>IAM\n                User Guide</i>.</p>\n         <p>When you create the IAM OIDC provider, you specify the following:</p>\n         <ul>\n            <li>\n               <p>The URL of the OIDC identity provider (IdP) to trust</p>\n            </li>\n            <li>\n               <p>A list of client IDs (also known as audiences) that identify the application\n                    or applications allowed to authenticate using the OIDC provider</p>\n            </li>\n            <li>\n               <p>A list of tags that are attached to the specified IAM OIDC provider</p>\n            </li>\n            <li>\n               <p>A list of thumbprints of one or more server certificates that the IdP\n                    uses</p>\n            </li>\n         </ul>\n         <p>You get all of this information from the OIDC IdP you want to use to access\n            Amazon Web Services.</p>\n         <note>\n            <p>Amazon Web Services secures communication with some OIDC identity providers (IdPs) through our library\n          of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to\n          verify your IdP server certificate. In these cases, your legacy thumbprint remains in your\n          configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub,\n          GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS)\n          endpoint.</p>\n         </note>\n         <note>\n            <p>The trust for the OIDC provider is derived from the IAM provider that this\n                operation creates. Therefore, it is best to limit access to the <a>CreateOpenIDConnectProvider</a> operation to highly privileged\n                users.</p>\n         </note>",
+        "smithy.api#documentation": "<p>Creates an IAM entity to describe an identity provider (IdP) that supports <a href=\"http://openid.net/connect/\">OpenID Connect (OIDC)</a>.</p>\n         <p>The OIDC provider that you create with this operation can be used as a principal in a\n            role's trust policy. Such a policy establishes a trust relationship between Amazon Web Services and\n            the OIDC provider.</p>\n         <p>If you are using an OIDC identity provider from Google, Facebook, or Amazon Cognito, you don't\n            need to create a separate IAM identity provider. These OIDC identity providers are\n            already built-in to Amazon Web Services and are available for your use. Instead, you can move directly\n            to creating new roles using your identity provider. To learn more, see <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html\">Creating\n                a role for web identity or OpenID connect federation</a> in the <i>IAM\n                User Guide</i>.</p>\n         <p>When you create the IAM OIDC provider, you specify the following:</p>\n         <ul>\n            <li>\n               <p>The URL of the OIDC identity provider (IdP) to trust</p>\n            </li>\n            <li>\n               <p>A list of client IDs (also known as audiences) that identify the application\n                    or applications allowed to authenticate using the OIDC provider</p>\n            </li>\n            <li>\n               <p>A list of tags that are attached to the specified IAM OIDC provider</p>\n            </li>\n            <li>\n               <p>A list of thumbprints of one or more server certificates that the IdP\n                    uses</p>\n            </li>\n         </ul>\n         <p>You get all of this information from the OIDC IdP you want to use to access\n            Amazon Web Services.</p>\n         <note>\n            <p>Amazon Web Services secures communication with OIDC identity providers (IdPs) using our library of\n            trusted root certificate authorities (CAs) to verify the JSON Web Key Set (JWKS)\n            endpoint's TLS certificate. If your OIDC IdP relies on a certificate that is not signed\n            by one of these trusted CAs, only then we secure communication using the thumbprints set\n            in the IdP's configuration.</p>\n         </note>\n         <note>\n            <p>The trust for the OIDC provider is derived from the IAM provider that this\n                operation creates. Therefore, it is best to limit access to the <a>CreateOpenIDConnectProvider</a> operation to highly privileged\n                users.</p>\n         </note>",
         "smithy.api#examples": [
           {
             "title": "To create an instance profile",
@@ -8215,7 +8214,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Lists the account alias associated with the Amazon Web Services account (Note: you can have only\n            one). For information about using an Amazon Web Services account alias, see <a href=\"https://docs.aws.amazon.com/signin/latest/userguide/CreateAccountAlias.html\">Creating,\n                deleting, and listing an Amazon Web Services account alias</a> in the <i>Amazon Web Services Sign-In\n                User Guide</i>.</p>",
+        "smithy.api#documentation": "<p>Lists the account alias associated with the Amazon Web Services account (Note: you can have only\n            one). For information about using an Amazon Web Services account alias, see <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html#CreateAccountAlias\">Creating,\n                deleting, and listing an Amazon Web Services account alias</a> in the\n                <i>IAM User Guide</i>.</p>",
         "smithy.api#examples": [
           {
             "title": "To list account aliases",
@@ -11310,7 +11309,7 @@
           "code": "OpenIdIdpCommunicationError",
           "httpResponseCode": 400
         },
-        "smithy.api#documentation": "<p>The request failed because IAM cannot connect to the OpenID Connect identity provider URL.</p>",
+        "smithy.api#documentation": "<p>The request failed because IAM cannot connect to the OpenID Connect identity provider\n      URL.</p>",
         "smithy.api#error": "client",
         "smithy.api#httpError": 400
       }
@@ -14924,7 +14923,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Replaces the existing list of server certificate thumbprints associated with an OpenID\n            Connect (OIDC) provider resource object with a new list of thumbprints.</p>\n         <p>The list that you pass with this operation completely replaces the existing list of\n            thumbprints. (The lists are not merged.)</p>\n         <p>Typically, you need to update a thumbprint only when the identity provider certificate\n            changes, which occurs rarely. However, if the provider's certificate\n                <i>does</i> change, any attempt to assume an IAM role that specifies\n            the OIDC provider as a principal fails until the certificate thumbprint is\n            updated.</p>\n         <note>\n            <p>Amazon Web Services secures communication with some OIDC identity providers (IdPs) through our library\n          of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to\n          verify your IdP server certificate. In these cases, your legacy thumbprint remains in your\n          configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub,\n          GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS)\n          endpoint.</p>\n         </note>\n         <note>\n            <p>Trust for the OIDC provider is derived from the provider certificate and is\n                validated by the thumbprint. Therefore, it is best to limit access to the\n                    <code>UpdateOpenIDConnectProviderThumbprint</code> operation to highly\n                privileged users.</p>\n         </note>"
+        "smithy.api#documentation": "<p>Replaces the existing list of server certificate thumbprints associated with an OpenID\n            Connect (OIDC) provider resource object with a new list of thumbprints.</p>\n         <p>The list that you pass with this operation completely replaces the existing list of\n            thumbprints. (The lists are not merged.)</p>\n         <p>Typically, you need to update a thumbprint only when the identity provider certificate\n            changes, which occurs rarely. However, if the provider's certificate\n                <i>does</i> change, any attempt to assume an IAM role that specifies\n            the OIDC provider as a principal fails until the certificate thumbprint is\n            updated.</p>\n         <note>\n            <p>Amazon Web Services secures communication with OIDC identity providers (IdPs) using our library of\n            trusted root certificate authorities (CAs) to verify the JSON Web Key Set (JWKS)\n            endpoint's TLS certificate. If your OIDC IdP relies on a certificate that is not signed\n            by one of these trusted CAs, only then we secure communication using the thumbprints set\n            in the IdP's configuration.</p>\n         </note>\n         <note>\n            <p>Trust for the OIDC provider is derived from the provider certificate and is\n                validated by the thumbprint. Therefore, it is best to limit access to the\n                    <code>UpdateOpenIDConnectProviderThumbprint</code> operation to highly\n                privileged users.</p>\n         </note>"
       }
     },
     "com.amazonaws.iam#UpdateOpenIDConnectProviderThumbprintRequest": {