lib/aws-sdk-iam/client.rb in aws-sdk-iam-1.18.0 vs lib/aws-sdk-iam/client.rb in aws-sdk-iam-1.19.0


@@ -1110,18 +1110,17 @@ # # * A list of client IDs (also known as audiences) that identify the # application or applications that are allowed to authenticate using # the OIDC provider # - # * A list of thumbprints of the server certificate(s) that the IdP - # uses. + # * A list of thumbprints of the server certificate(s) that the IdP uses # # You get all of this information from the OIDC IdP that you want to use # to access AWS. # - # <note markdown="1"> Because trust for the OIDC provider is derived from the IAM provider - # that this operation creates, it is best to limit access to the + # <note markdown="1"> The trust for the OIDC provider is derived from the IAM provider that + # this operation creates. Therefore, it is best to limit access to the # CreateOpenIDConnectProvider operation to highly privileged users. # # </note> # #
@@ -1612,11 +1611,11 @@ # Creates an IAM resource that describes an identity provider (IdP) that # supports SAML 2.0. # # The SAML provider resource that you create with this operation can be # used as a principal in an IAM role's trust policy. Such a policy can - # enable federated users who sign-in using the SAML IdP to assume the + # enable federated users who sign in using the SAML IdP to assume the # role. You can create an IAM role that supports Web-based single # sign-on (SSO) to the AWS Management Console or one that supports API # access to AWS. # # When you create the SAML provider resource, you upload a SAML metadata
@@ -1712,12 +1711,12 @@ # attached. You use a string similar to a URL but without the http:// in # front. For example: `elasticbeanstalk.amazonaws.com`. # # Service principals are unique and case-sensitive. To find the exact # service principal for your service-linked role, see [AWS Services That - # Work with IAM][1] in the *IAM User Guide* and look for the services - # that have <b>Yes </b>in the **Service-Linked Role** column. Choose the + # Work with IAM][1] in the *IAM User Guide*. Look for the services that + # have <b>Yes </b>in the **Service-Linked Role** column. Choose the # **Yes** link to view the service-linked role documentation for that # service. # # #
@@ -1975,14 +1974,14 @@ # # For information about limits on the number of MFA devices you can # create, see [Limitations on Entities][2] in the *IAM User Guide*. # # The seed information contained in the QR code and the Base32 string - # should be treated like any other secret access information, such as - # your AWS access keys or your passwords. After you provision your - # virtual device, you should ensure that the information is destroyed - # following secure procedures. + # should be treated like any other secret access information. In other + # words, protect the seed information as you would your AWS access keys + # or your passwords. After you provision your virtual device, you should + # ensure that the information is destroyed following secure procedures. # # # # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_VirtualMFA.html # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html
@@ -2636,12 +2635,12 @@ end # Deletes the permissions boundary for the specified IAM role. # # Deleting the permissions boundary for a role might increase its - # permissions by allowing anyone who assumes the role to perform all the - # actions granted in its permissions policies. + # permissions. For example, it might allow anyone who assumes the role + # to perform all the actions granted in its permissions policies. # # @option params [required, String] :role_name # The name (friendly name, not ARN) of the IAM role from which you want # to remove the permissions boundary. # 
@@ -3022,14 +3021,39 @@ def delete_signing_certificate(params = {}, options = {}) req = build_request(:delete_signing_certificate, params) req.send_request(options) end - # Deletes the specified IAM user. The user must not belong to any groups - # or have any access keys, signing certificates, MFA devices enabled for - # AWS, or attached policies. + # Deletes the specified IAM user. Unlike the AWS Management Console, + # when you delete a user programmatically, you must delete the items + # attached to the user manually, or the deletion fails. For more + # information, see [Deleting an IAM User][1]. Before attempting to + # delete a user, remove the following items: # + # * Password (DeleteLoginProfile) + # + # * Access keys (DeleteAccessKey) + # + # * Signing certificate (DeleteSigningCertificate) + # + # * SSH public key (DeleteSSHPublicKey) + # + # * Git credentials (DeleteServiceSpecificCredential) + # + # * Multi-factor authentication (MFA) device (DeactivateMFADevice, + # DeleteVirtualMFADevice) + # + # * Inline policies (DeleteUserPolicy) + # + # * Attached managed policies (DetachUserPolicy) + # + # * Group memberships (RemoveUserFromGroup) + # + # + # + # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting_cli + # # @option params [required, String] :user_name # The name of the user to delete. # # This parameter allows (through its [regex pattern][1]) a string of # characters consisting of upper and lowercase alphanumeric characters 
@@ -3471,11 +3495,11 @@ # Generates a request for a report that includes details about when an # IAM resource (user, group, role, or policy) was last used in an # attempt to access AWS services. Recent activity usually appears within # four hours. IAM reports activity for the last 365 days, or less if - # your region began supporting this feature within the last year. For + # your Region began supporting this feature within the last year. For # more information, see [Regions Where Data Is Tracked][1]. # # The service last accessed data includes all attempts to access an AWS # API, not just the successful ones. This includes all attempts that # were made using the AWS Management Console, the AWS API through any of
@@ -3572,11 +3596,11 @@ req.send_request(options) end # Retrieves information about when the specified access key was last # used. The information includes the date and time of last use, along - # with the AWS service and region that were specified in the last + # with the AWS service and Region that were specified in the last # request made with that key. # # @option params [required, String] :access_key_id # The identifier of an access key. #
@@ -3867,10 +3891,11 @@ # "AccountMFAEnabled" => 0, # "AccountSigningCertificatesPresent" => 0, # "AttachedPoliciesPerGroupQuota" => 10, # "AttachedPoliciesPerRoleQuota" => 10, # "AttachedPoliciesPerUserQuota" => 10, + # "GlobalEndpointTokenVersion" => 2, # "GroupPolicySizeQuota" => 5120, # "Groups" => 15, # "GroupsPerUserQuota" => 10, # "GroupsQuota" => 100, # "MFADevices" => 6,
@@ -4931,14 +4956,14 @@ # details about the most recent attempt to access the service. If the # operation fails, the `GetServiceLastAccessedDetails` operation returns # the reason that it failed. # # The `GetServiceLastAccessedDetails` operation returns a list of - # services that includes the number of entities that have attempted to - # access the service and the date and time of the last attempt. It also - # returns the ARN of the following entity, depending on the resource ARN - # that you used to generate the report: + # services. This list includes the number of entities that have + # attempted to access the service and the date and time of the last + # attempt. It also returns the ARN of the following entity, depending on + # the resource ARN that you used to generate the report: # # * **User** – Returns the user ARN that you used to generate the report # # * **Group** – Returns the ARN of the group member (user) that last # attempted to access the service
@@ -5083,11 +5108,11 @@ # namespace to learn when the IAM entity last attempted to access the # specified service. # # To learn the service namespace for a service, go to [Actions, # Resources, and Condition Keys for AWS Services][1] in the *IAM User - # Guide* and choose the name of the service to view details for that + # Guide*. Choose the name of the service to view details for that # service. In the first paragraph, find the service prefix. For example, # `(service prefix: a4b)`. For more information about service # namespaces, see [AWS Service Namespaces][2] in the *AWS General # Reference*. #
@@ -5322,11 +5347,11 @@ # # </note> # # An IAM user can also have managed policies attached to it. To retrieve # a managed policy document that is attached to a user, use GetPolicy to - # determine the policy's default version, then use GetPolicyVersion to + # determine the policy's default version. Then use GetPolicyVersion to # retrieve the policy document. # # For more information about policies, see [Managed Policies and Inline # Policies][2] in the *IAM User Guide*. #
@@ -6984,12 +7009,12 @@ # [1]: http://wikipedia.org/wiki/regex # # @option params [String] :marker # Use this parameter only when paginating results and only after you # receive a response indicating that the results are truncated. Set it - # to the value of the `Marker` element in the response to indicate where - # the next call should start. + # to the value of the `Marker` element in the response that you received + # to indicate where the next call should start. # # @option params [Integer] :max_items # (Optional) Use this only when paginating results to indicate the # maximum number of items that you want in the response. If additional # items exist beyond the maximum that you specify, the `IsTruncated`
@@ -7173,12 +7198,12 @@ req = build_request(:list_saml_providers, params) req.send_request(options) end # Returns information about the SSH public keys associated with the - # specified IAM user. If there none exists, the operation returns an - # empty list. + # specified IAM user. If none exists, the operation returns an empty + # list. # # The SSH public keys returned by this operation are used only for # authenticating the IAM user to an AWS CodeCommit repository. For more # information about using SSH keys to authenticate to an AWS CodeCommit # repository, see [Set up AWS CodeCommit for SSH Connections][1] in the
@@ -7400,12 +7425,12 @@ req = build_request(:list_service_specific_credentials, params) req.send_request(options) end # Returns information about the signing certificates associated with the - # specified IAM user. If there none exists, the operation returns an - # empty list. + # specified IAM user. If none exists, the operation returns an empty + # list. # # Although each user is limited to a small number of signing # certificates, you can still paginate the results using the `MaxItems` # and `Marker` parameters. #
@@ -7597,12 +7622,12 @@ # [1]: http://wikipedia.org/wiki/regex # # @option params [String] :marker # Use this parameter only when paginating results and only after you # receive a response indicating that the results are truncated. Set it - # to the value of the `Marker` element in the response to indicate where - # the next call should start. + # to the value of the `Marker` element in the response that you received + # to indicate where the next call should start. # # @option params [Integer] :max_items # (Optional) Use this only when paginating results to indicate the # maximum number of items that you want in the response. If additional # items exist beyond the maximum that you specify, the `IsTruncated`
@@ -8603,10 +8628,80 @@ def set_default_policy_version(params = {}, options = {}) req = build_request(:set_default_policy_version, params) req.send_request(options) end + # Sets the specified version of the global endpoint token as the token + # version used for the AWS account. + # + # By default, AWS Security Token Service (STS) is available as a global + # service, and all STS requests go to a single endpoint at + # `https://sts.amazonaws.com`. AWS recommends using Regional STS + # endpoints to reduce latency, build in redundancy, and increase session + # token availability. For information about Regional endpoints for STS, + # see [AWS Regions and Endpoints][1] in the *AWS General Reference*. + # + # If you make an STS call to the global endpoint, the resulting session + # tokens might be valid in some Regions but not others. It depends on + # the version that is set in this operation. Version 1 tokens are valid + # only in AWS Regions that are available by default. These tokens do not + # work in manually enabled Regions, such as Asia Pacific (Hong Kong). + # Version 2 tokens are valid in all Regions. However, version 2 tokens + # are longer and might affect systems where you temporarily store + # tokens. For information, see [Activating and Deactivating STS in an + # AWS Region][2] in the *IAM User Guide*. + # + # To view the current session token version, see the + # `GlobalEndpointTokenVersion` entry in the response of the + # GetAccountSummary operation. + # + # + # + # [1]: https://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region + # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html + # + # @option params [required, String] :global_endpoint_token_version + # The version of the global endpoint token. Version 1 tokens are valid + # only in AWS Regions that are available by default. These tokens do not + # work in manually enabled Regions, such as Asia Pacific (Hong Kong). 
+ # Version 2 tokens are valid in all Regions. However, version 2 tokens + # are longer and might affect systems where you temporarily store + # tokens. + # + # For information, see [Activating and Deactivating STS in an AWS + # Region][1] in the *IAM User Guide*. + # + # + # + # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html + # + # @return [Struct] Returns an empty {Seahorse::Client::Response response}. + # + # + # @example Example: To delete an access key for an IAM user + # + # # The following command sets the STS global endpoint token to version 2. Version 2 tokens are valid in all Regions. + # + # resp = client.set_security_token_service_preferences({ + # global_endpoint_token_version: "v2Token", + # }) + # + # @example Request syntax with placeholder values + # + # resp = client.set_security_token_service_preferences({ + # global_endpoint_token_version: "v1Token", # required, accepts v1Token, v2Token + # }) + # + # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/SetSecurityTokenServicePreferences AWS API Documentation + # + # @overload set_security_token_service_preferences(params = {}) + # @param [Hash] params ({}) + def set_security_token_service_preferences(params = {}, options = {}) + req = build_request(:set_security_token_service_preferences, params) + req.send_request(options) + end + # Simulate how a set of IAM policies and optionally a resource-based # policy works with a list of API operations and AWS resources to # determine the policies' effective permissions. The policies are # provided as strings. # 
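Review bot: The `@example` title on the new set_security_token_service_preferences docstring is a copy-paste error: it reads `# @example Example: To delete an access key for an IAM user` while the example body calls set_security_token_service_preferences with `global_endpoint_token_version: "v2Token"`; change it to `# @example Example: To set the STS global endpoint token version for an AWS account`. The long docstring already states that the setting applies to the whole AWS account and that version 2 tokens are longer and may affect systems that temporarily store tokens, so a one-line reminder next to the method would help readers who skip the prose, e.g. `# Account-wide setting; v2Token lengthens STS session tokens, so check token storage limits before switching.`. If this file is generated from the service API model, as aws-sdk client files appear to be, the title fix belongs in the upstream example definition rather than in this file. The enclosing Client class starts and ends outside the hunk.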
@@ -8656,11 +8751,12 @@ # [3]: http://wikipedia.org/wiki/regex # # @option params [required, Array<String>] :action_names # A list of names of API operations to evaluate in the simulation. Each # operation is evaluated against each resource. Each operation must - # include the service identifier, such as `iam:CreateUser`. + # include the service identifier, such as `iam:CreateUser`. This + # operation does not support using wildcards (*) in an action name. # # @option params [Array<String>] :resource_arns # A list of ARNs of AWS resources to include in the simulation. If this # parameter is not provided, then the value defaults to `*` (all # resources). Each API in the `ActionNames` parameter is evaluated for 
@@ -8707,18 +8803,19 @@ # [1]: http://wikipedia.org/wiki/regex # # @option params [String] :resource_owner # An ARN representing the AWS account ID that specifies the owner of any # simulated resource that does not identify its owner in the resource - # ARN, such as an S3 bucket or object. If `ResourceOwner` is specified, - # it is also used as the account owner of any `ResourcePolicy` included - # in the simulation. If the `ResourceOwner` parameter is not specified, - # then the owner of the resources and the resource policy defaults to - # the account of the identity provided in `CallerArn`. This parameter is - # required only if you specify a resource-based policy and account that - # owns the resource is different from the account that owns the - # simulated calling user `CallerArn`. + # ARN. Examples of resource ARNs include an S3 bucket or object. If + # `ResourceOwner` is specified, it is also used as the account owner of + # any `ResourcePolicy` included in the simulation. If the + # `ResourceOwner` parameter is not specified, then the owner of the + # resources and the resource policy defaults to the account of the + # identity provided in `CallerArn`. This parameter is required only if + # you specify a resource-based policy and account that owns the resource + # is different from the account that owns the simulated calling user + # `CallerArn`. # # The ARN for an account uses the following syntax: # `arn:aws:iam::AWS-account-ID:root`. For example, to represent the # account with the 112233445566 ID, use the following ARN: # `arn:aws:iam::112233445566-ID:root`. 
@@ -8733,11 +8830,11 @@ # ARN of an assumed role, federated user, or a service principal. # # @option params [Array<Types::ContextEntry>] :context_entries # A list of context keys and corresponding values for the simulation to # use. Whenever a context key is evaluated in one of the simulated IAM - # permission policies, the corresponding value is supplied. + # permissions policies, the corresponding value is supplied. # # @option params [String] :resource_handling_option # Specifies the type of simulation to run. Different API operations that # support resource-based policies require different combinations of # resources. By specifying the type of simulation to run, you enable the
@@ -8884,11 +8981,11 @@ # instead. # # You can also optionally include one resource-based policy to be # evaluated with each of the resources included in the simulation. # - # The simulation does not perform the API operations, it only checks the + # The simulation does not perform the API operations; it only checks the # authorization to determine if the simulated policies allow or deny the # operations. # # **Note:** This API discloses information about the permissions granted # to other users. If you do not want users to see other user's
@@ -8987,19 +9084,19 @@ # # [1]: http://wikipedia.org/wiki/regex # # @option params [String] :resource_owner # An AWS account ID that specifies the owner of any simulated resource - # that does not identify its owner in the resource ARN, such as an S3 - # bucket or object. If `ResourceOwner` is specified, it is also used as - # the account owner of any `ResourcePolicy` included in the simulation. - # If the `ResourceOwner` parameter is not specified, then the owner of - # the resources and the resource policy defaults to the account of the - # identity provided in `CallerArn`. This parameter is required only if - # you specify a resource-based policy and account that owns the resource - # is different from the account that owns the simulated calling user - # `CallerArn`. + # that does not identify its owner in the resource ARN. Examples of + # resource ARNs include an S3 bucket or object. If `ResourceOwner` is + # specified, it is also used as the account owner of any + # `ResourcePolicy` included in the simulation. If the `ResourceOwner` + # parameter is not specified, then the owner of the resources and the + # resource policy defaults to the account of the identity provided in + # `CallerArn`. This parameter is required only if you specify a + # resource-based policy and account that owns the resource is different + # from the account that owns the simulated calling user `CallerArn`. # # @option params [String] :caller_arn # The ARN of the IAM user that you want to specify as the simulated # caller of the API operations. If you do not specify a `CallerArn`, it # defaults to the ARN of the user that you specify in `PolicySourceArn`, 
@@ -9472,11 +9569,11 @@ # Changes the status of the specified access key from Active to # Inactive, or vice versa. This operation can be used to disable a # user's key as part of a key rotation workflow. # - # If the `UserName` field is not specified, the user name is determined + # If the `UserName` is not specified, the user name is determined # implicitly based on the AWS access key ID used to sign the request. # This operation works for access keys under the AWS account. # Consequently, you can use this operation to manage AWS account root # user credentials even if the AWS account has no associated users. #
@@ -10593,11 +10690,11 @@ # # </note> # # # - # [1]: https://docs.aws.amazon.com/certificate-manager/ + # [1]: https://docs.aws.amazon.com/acm/ # [2]: https://docs.aws.amazon.com/acm/latest/userguide/ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html # [5]: https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/programming.html
@@ -10756,13 +10853,13 @@ # Uploads an X.509 signing certificate and associates it with the # specified IAM user. Some AWS services use X.509 signing certificates # to validate requests that are signed with a corresponding private key. # When you upload the certificate, its default status is `Active`. # - # If the `UserName` field is not specified, the IAM user name is - # determined implicitly based on the AWS access key ID used to sign the - # request. This operation works for access keys under the AWS account. + # If the `UserName` is not specified, the IAM user name is determined + # implicitly based on the AWS access key ID used to sign the request. + # This operation works for access keys under the AWS account. # Consequently, you can use this operation to manage AWS account root # user credentials even if the AWS account has no associated users. # # <note markdown="1"> Because the body of an X.509 certificate can be large, you should use # POST rather than GET when calling `UploadSigningCertificate`. For
@@ -10869,11 +10966,11 @@ operation: config.api.operation(operation_name), client: self, params: params, config: config) context[:gem_name] = 'aws-sdk-iam' - context[:gem_version] = '1.18.0' + context[:gem_version] = '1.19.0' Seahorse::Client::Request.new(handlers, context) end # Polls an API operation until a resource enters a desired state. #
@@ -10938,10 +11035,12 @@ # and the default `:delay` and `:max_attempts` values. # # | waiter_name | params | :delay | :max_attempts | # | ----------------------- | ----------------------- | -------- | ------------- | # | instance_profile_exists | {#get_instance_profile} | 1 | 40 | + # | policy_exists | {#get_policy} | 1 | 20 | + # | role_exists | {#get_role} | 1 | 20 | # | user_exists | {#get_user} | 1 | 20 | # # @raise [Errors::FailureStateError] Raised when the waiter terminates # because the waiter has entered a state that it will not transition # out of, preventing success.
@@ -10990,9 +11089,11 @@ end def waiters { instance_profile_exists: Waiters::InstanceProfileExists, + policy_exists: Waiters::PolicyExists, + role_exists: Waiters::RoleExists, user_exists: Waiters::UserExists } end class << self
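Review bot: The two new hash entries reference `Waiters::PolicyExists` and `Waiters::RoleExists`, whose definitions are not part of this diff, so `waiters` would raise NameError the first time it is called if the companion waiters file did not ship in the same release; presumably it does, but it is worth confirming before tagging. The waiter table added in the earlier hunk (`@@ -10938,10 +11035,12 @@`) documents both new waiters with `:delay` 1 and `:max_attempts` 20, and those numbers should be checked against the actual waiter definitions so the docs and behavior agree. `def waiters` is complete within the hunk; the enclosing Client class is not.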