@aws-sdk/client-sts - npm Package Compare versions

Comparing version 3.42.0 to 3.43.0

CHANGELOG.md

		@@ -6,2 +6,13 @@ # Change Log

		# [3.43.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.42.0...v3.43.0) (2021-11-29)


		### Features

		* clients: update clients as of 11/28/2021 ([#3072](https://github.com/aws/aws-sdk-js-v3/issues/3072)) ([2ad1622](https://github.com/aws/aws-sdk-js-v3/commit/2ad1622ba8586b926fe508055211803bb29e3976))





		# [3.42.0](https://github.com/aws/aws-sdk-js-v3/compare/v3.41.0...v3.42.0) (2021-11-19)
		@@ -8,0 +19,0 @@

dist-types/commands/AssumeRoleCommand.d.ts

		@@ -11,10 +11,9 @@ import { Command as $Command } from "@aws-sdk/smithy-client";
		* <p>Returns a set of temporary security credentials that you can use to access Amazon Web Services
		* resources that you might not normally have access to. These temporary credentials
		* consist of an access key ID, a secret access key, and a security token. Typically, you
		* use <code>AssumeRole</code> within your account or for cross-account access. For a
		* comparison of <code>AssumeRole</code> with other API operations that produce temporary
		* credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
		* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing
		* the STS API operations</a> in the
		* <i>IAM User Guide</i>.</p>
		* resources that you might not normally have access to. These temporary credentials consist
		* of an access key ID, a secret access key, and a security token. Typically, you use
		* <code>AssumeRole</code> within your account or for cross-account access. For a
		* comparison of <code>AssumeRole</code> with other API operations that produce temporary
		* credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
		* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
		* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* <p>
		@@ -25,3 +24,3 @@ * <b>Permissions</b>
		* make API calls to any Amazon Web Services service with the following exception: You cannot call the
		* STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
		* Amazon Web Services STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
		* operations.</p>
		@@ -40,3 +39,7 @@ * <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
		* Policies</a> in the <i>IAM User Guide</i>.</p>
		* <p>To assume a role from a different account, your account must be trusted by the
		* <p>When you create a role, you create two policies: A role trust policy that specifies
		* <i>who</i> can assume the role and a permissions policy that specifies
		* <i>what</i> can be done with the role. You specify the trusted principal
		* who is allowed to assume the role in the role trust policy.</p>
		* <p>To assume a role from a different account, your Amazon Web Services account must be trusted by the
		* role. The trust relationship is defined in the role's trust policy when the role is
		@@ -48,8 +51,9 @@ * created. That trust policy states which accounts are allowed to delegate that access to
		* that allows the user to call <code>AssumeRole</code> for the ARN of the role in the other
		* account. If the user is in the same account as the role, then you can do either of the
		* account.</p>
		* <p>To allow a user to assume a role in the same account, you can do either of the
		* following:</p>
		* <ul>
		* <li>
		* <p>Attach a policy to the user (identical to the previous user in a different
		* account).</p>
		* <p>Attach a policy to the user that allows the user to call
		* <code>AssumeRole</code> (as long as the role's trust policy trusts the account).</p>
		* </li>
		@@ -60,6 +64,8 @@ * <li>
		* </ul>
		* <p>In this case, the trust policy acts as an IAM resource-based policy. Users in the same
		* account as the role do not need explicit permission to assume the role. For more
		* information about trust policies and resource-based policies, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">IAM Policies</a> in
		* the <i>IAM User Guide</i>.</p>
		* <p>You can do either because the role’s trust policy acts as an IAM resource-based
		* policy. When a resource-based policy grants access to a principal in the same account, no
		* additional identity-based policy is required. For more information about trust policies and
		* resource-based policies, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">IAM Policies</a> in the
		* <i>IAM User Guide</i>.</p>
		*
		* <p>
		@@ -66,0 +72,0 @@ * <b>Tags</b>

dist-types/commands/AssumeRoleWithSAMLCommand.d.ts

		@@ -16,3 +16,3 @@ import { Command as $Command } from "@aws-sdk/smithy-client";
		* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
		* STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* <p>The temporary security credentials returned by this operation consist of an access key
		@@ -39,11 +39,11 @@ * ID, a secret access key, and a security token. Applications can use these temporary
		* <note>
		* <p>
		* <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining">Role chaining</a> limits your CLI or Amazon Web Services API
		* role session to a maximum of one hour. When you use the <code>AssumeRole</code> API
		* operation to assume a role, you can specify the duration of your role session with
		* the <code>DurationSeconds</code> parameter. You can specify a parameter value of up
		* to 43200 seconds (12 hours), depending on the maximum session duration setting for
		* your role. However, if you assume a role using role chaining and provide a
		* <code>DurationSeconds</code> parameter value greater than one hour, the
		* operation fails.</p>
		* <p>
		* <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining">Role chaining</a> limits your CLI or Amazon Web Services API role
		* session to a maximum of one hour. When you use the <code>AssumeRole</code> API operation
		* to assume a role, you can specify the duration of your role session with the
		* <code>DurationSeconds</code> parameter. You can specify a parameter value of up to
		* 43200 seconds (12 hours), depending on the maximum session duration setting for your
		* role. However, if you assume a role using role chaining and provide a
		* <code>DurationSeconds</code> parameter value greater than one hour, the operation
		* fails.</p>
		* </note>
		@@ -100,5 +100,5 @@ * <p>
		* </note>
		* <p>You can pass a session tag with the same key as a tag that is
		* attached to the role. When you do, session tags override the role's tags with the same
		* key.</p>
		*
		* <p>You can pass a session tag with the same key as a tag that is attached to the role. When
		* you do, session tags override the role's tags with the same key.</p>
		* <p>An administrator must grant you the permissions necessary to pass session tags. The
		@@ -105,0 +105,0 @@ * administrator can also create granular permissions to allow you to pass only specific

dist-types/commands/AssumeRoleWithWebIdentityCommand.d.ts

		@@ -32,3 +32,3 @@ import { Command as $Command } from "@aws-sdk/smithy-client";
		* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
		* STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* <p>The temporary security credentials returned by this API consist of an access key ID, a
		@@ -91,5 +91,5 @@ * secret access key, and a security token. Applications can use these temporary security
		* </note>
		* <p>You can pass a session tag with the same key as a tag that is
		* attached to the role. When you do, the session tag overrides the role tag with the same
		* key.</p>
		*
		* <p>You can pass a session tag with the same key as a tag that is attached to the role. When
		* you do, the session tag overrides the role tag with the same key.</p>
		* <p>An administrator must grant you the permissions necessary to pass session tags. The
		@@ -96,0 +96,0 @@ * administrator can also create granular permissions to allow you to pass only specific

dist-types/commands/DecodeAuthorizationMessageCommand.d.ts

		@@ -21,5 +21,5 @@ import { Command as $Command } from "@aws-sdk/smithy-client";
		* </note>
		* <p>The message is encoded because the details of the authorization status can constitute
		* <p>The message is encoded because the details of the authorization status can contain
		* privileged information that the user who requested the operation should not see. To decode
		* an authorization status message, a user must be granted permissions via an IAM policy to
		* an authorization status message, a user must be granted permissions through an IAM <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">policy</a> to
		* request the <code>DecodeAuthorizationMessage</code>
		@@ -26,0 +26,0 @@ * (<code>sts:DecodeAuthorizationMessage</code>) action. </p>

dist-types/commands/GetAccessKeyInfoCommand.d.ts

		@@ -11,19 +11,19 @@ import { Command as $Command } from "@aws-sdk/smithy-client";
		* <p>Returns the account identifier for the specified access key ID.</p>
		* <p>Access keys consist of two parts: an access key ID (for example,
		* <code>AKIAIOSFODNN7EXAMPLE</code>) and a secret access key (for example,
		* <code>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</code>). For more information about
		* access keys, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html">Managing Access Keys for IAM
		* Users</a> in the <i>IAM User Guide</i>.</p>
		* <p>When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services
		* account to which the keys belong. Access key IDs beginning with <code>AKIA</code> are
		* long-term credentials for an IAM user or the Amazon Web Services account root user. Access key IDs
		* beginning with <code>ASIA</code> are temporary credentials that are created using STS
		* operations. If the account in the response belongs to you, you can sign in as the root
		* user and review your root user access keys. Then, you can pull a <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html">credentials report</a> to learn which IAM user owns the keys. To learn who
		* requested the temporary credentials for an <code>ASIA</code> access key, view the STS
		* events in your <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html">CloudTrail logs</a> in the
		* <i>IAM User Guide</i>.</p>
		* <p>This operation does not indicate the state of the access key. The key might be active,
		* inactive, or deleted. Active keys might not have permissions to perform an operation.
		* Providing a deleted access key might return an error that the key doesn't exist.</p>
		* <p>Access keys consist of two parts: an access key ID (for example,
		* <code>AKIAIOSFODNN7EXAMPLE</code>) and a secret access key (for example,
		* <code>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</code>). For more information about
		* access keys, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html">Managing Access Keys for IAM
		* Users</a> in the <i>IAM User Guide</i>.</p>
		* <p>When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services account
		* to which the keys belong. Access key IDs beginning with <code>AKIA</code> are long-term
		* credentials for an IAM user or the Amazon Web Services account root user. Access key IDs beginning with
		* <code>ASIA</code> are temporary credentials that are created using STS operations. If
		* the account in the response belongs to you, you can sign in as the root user and review
		* your root user access keys. Then, you can pull a <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html">credentials report</a> to
		* learn which IAM user owns the keys. To learn who requested the temporary credentials for
		* an <code>ASIA</code> access key, view the STS events in your <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html">CloudTrail logs</a> in the
		* <i>IAM User Guide</i>.</p>
		* <p>This operation does not indicate the state of the access key. The key might be active,
		* inactive, or deleted. Active keys might not have permissions to perform an operation.
		* Providing a deleted access key might return an error that the key doesn't exist.</p>
		* @example
		@@ -30,0 +30,0 @@ * Use a bare-bones client and the command you need to make an API call.

dist-types/commands/GetCallerIdentityCommand.d.ts

		@@ -11,11 +11,11 @@ import { Command as $Command } from "@aws-sdk/smithy-client";
		* <p>Returns details about the IAM user or role whose credentials are used to call the
		* operation.</p>
		* <note>
		* operation.</p>
		* <note>
		* <p>No permissions are required to perform this operation. If an administrator adds a
		* policy to your IAM user or role that explicitly denies access to the
		* <code>sts:GetCallerIdentity</code> action, you can still perform this operation.
		* Permissions are not required because the same information is returned when an IAM
		* user or role is denied access. To view an example response, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa">I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice</a> in the
		* <i>IAM User Guide</i>.</p>
		* </note>
		* policy to your IAM user or role that explicitly denies access to the
		* <code>sts:GetCallerIdentity</code> action, you can still perform this operation.
		* Permissions are not required because the same information is returned when an IAM user
		* or role is denied access. To view an example response, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa">I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice</a> in the
		* <i>IAM User Guide</i>.</p>
		* </note>
		* @example
		@@ -22,0 +22,0 @@ * Use a bare-bones client and the command you need to make an API call.

dist-types/commands/GetFederationTokenCommand.d.ts

		@@ -19,3 +19,3 @@ import { Command as $Command } from "@aws-sdk/smithy-client";
		* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
		* STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* <note>
		@@ -39,4 +39,4 @@ * <p>You can create a mobile-based or browser-based app that can authenticate users using
		* minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is
		* 43,200 seconds (12 hours). Temporary credentials that are obtained by using Amazon Web Services account
		* root user credentials have a maximum duration of 3,600 seconds (1 hour).</p>
		* 43,200 seconds (12 hours). Temporary credentials obtained by using the Amazon Web Services account root
		* user credentials have a maximum duration of 3,600 seconds (1 hour).</p>
		* <p>
		@@ -79,74 +79,21 @@ * <b>Permissions</b>
		* <i>IAM User Guide</i>.</p>
		* <note>
		* <p>You can create a mobile-based or browser-based app that can authenticate users
		* using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
		* Connect-compatible identity provider. In this case, we recommend that you use <a href="http://aws.amazon.com/cognito/">Amazon Cognito</a> or
		* <code>AssumeRoleWithWebIdentity</code>. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation Through a Web-based Identity Provider</a> in the
		* <i>IAM User Guide</i>.</p>
		* </note>
		* <p>You can also call <code>GetFederationToken</code> using the security credentials of an
		* Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you
		* create an IAM user for the purpose of the proxy application. Then attach a policy to
		* the IAM user that limits federated users to only the actions and resources that they
		* need to access. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html">IAM Best Practices</a> in the
		* <i>IAM User Guide</i>. </p>
		* <p>
		* <b>Session duration</b>
		* </p>
		* <p>The temporary credentials are valid for the specified duration, from 900 seconds (15
		* minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is
		* 43,200 seconds (12 hours). Temporary credentials that are obtained by using Amazon Web Services
		* account root user credentials have a maximum duration of 3,600 seconds (1 hour).</p>
		* <p>
		* <b>Permissions</b>
		* </p>
		* <p>You can use the temporary credentials created by <code>GetFederationToken</code> in
		* any Amazon Web Services service except the following:</p>
		* <ul>
		* <li>
		* <p>You cannot call any IAM operations using the CLI or the Amazon Web Services API.
		* </p>
		* </li>
		* <li>
		* <p>You cannot call any STS operations except
		* <code>GetCallerIdentity</code>.</p>
		* </li>
		* </ul>
		* <p>You must pass an inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policy</a> to
		* this operation. You can pass a single JSON policy document to use as an inline session
		* policy. You can also specify up to 10 managed policies to use as managed session
		* policies. The plain text that you use for both inline and managed session policies can't
		* exceed 2,048 characters.</p>
		* <p>Though the session policy parameters are optional, if you do not pass a policy, then
		* the resulting federated user session has no permissions. When you pass session policies,
		* the session permissions are the intersection of the IAM user policies and the session
		* policies that you pass. This gives you a way to further restrict the permissions for a
		* federated user. You cannot use session policies to grant more permissions than those
		* that are defined in the permissions policy of the IAM user. For more information, see
		* <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session Policies</a>
		* in the <i>IAM User Guide</i>. For information about using
		* <code>GetFederationToken</code> to create temporary security credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken">GetFederationToken—Federation Through a Custom Identity Broker</a>. </p>
		* <p>You can use the credentials to access a resource that has a resource-based policy. If
		* that policy specifically references the federated user session in the
		* <code>Principal</code> element of the policy, the session has the permissions
		* allowed by the policy. These permissions are granted in addition to the permissions
		* granted by the session policies.</p>
		* <p>
		* <b>Tags</b>
		* </p>
		* <p>(Optional) You can pass tag key-value pairs to your session. These are called session
		* tags. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
		* the <i>IAM User Guide</i>.</p>
		* <p>An administrator must grant you the permissions necessary to pass session tags. The
		* administrator can also create granular permissions to allow you to pass only specific
		* session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using
		* Tags for Attribute-Based Access Control</a> in the
		* <i>IAM User Guide</i>.</p>
		* <p>Tag key–value pairs are not case sensitive, but case is preserved. This means that you
		* cannot have separate <code>Department</code> and <code>department</code> tag keys.
		* Assume that the user that you are federating has the
		* <code>Department</code>=<code>Marketing</code> tag and you pass the
		* <code>department</code>=<code>engineering</code> session tag.
		* <code>Department</code> and <code>department</code> are not saved as separate tags,
		* and the session tag passed in the request takes precedence over the user tag.</p>
		* <note>
		* <p>You can create a mobile-based or browser-based app that can authenticate users using
		* a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
		* Connect-compatible identity provider. In this case, we recommend that you use <a href="http://aws.amazon.com/cognito/">Amazon Cognito</a> or
		* <code>AssumeRoleWithWebIdentity</code>. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation Through a Web-based Identity Provider</a> in the
		* <i>IAM User Guide</i>.</p>
		* </note>
		* <p>An administrator must grant you the permissions necessary to pass session tags. The
		* administrator can also create granular permissions to allow you to pass only specific
		* session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
		* for Attribute-Based Access Control</a> in the
		* <i>IAM User Guide</i>.</p>
		* <p>Tag key–value pairs are not case sensitive, but case is preserved. This means that you
		* cannot have separate <code>Department</code> and <code>department</code> tag keys. Assume
		* that the user that you are federating has the
		* <code>Department</code>=<code>Marketing</code> tag and you pass the
		* <code>department</code>=<code>engineering</code> session tag. <code>Department</code>
		* and <code>department</code> are not saved as separate tags, and the session tag passed in
		* the request takes precedence over the user tag.</p>
		* @example
		@@ -153,0 +100,0 @@ * Use a bare-bones client and the command you need to make an API call.

dist-types/commands/GetSessionTokenCommand.d.ts

		@@ -21,3 +21,3 @@ import { Command as $Command } from "@aws-sdk/smithy-client";
		* Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
		* STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* <p>
		@@ -24,0 +24,0 @@ * <b>Session Duration</b>

227

dist-types/STS.d.ts

		@@ -21,10 +21,9 @@ import { HttpHandlerOptions as __HttpHandlerOptions } from "@aws-sdk/types";
		* <p>Returns a set of temporary security credentials that you can use to access Amazon Web Services
		* resources that you might not normally have access to. These temporary credentials
		* consist of an access key ID, a secret access key, and a security token. Typically, you
		* use <code>AssumeRole</code> within your account or for cross-account access. For a
		* comparison of <code>AssumeRole</code> with other API operations that produce temporary
		* credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
		* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing
		* the STS API operations</a> in the
		* <i>IAM User Guide</i>.</p>
		* resources that you might not normally have access to. These temporary credentials consist
		* of an access key ID, a secret access key, and a security token. Typically, you use
		* <code>AssumeRole</code> within your account or for cross-account access. For a
		* comparison of <code>AssumeRole</code> with other API operations that produce temporary
		* credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
		* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
		* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* <p>
		@@ -35,3 +34,3 @@ * <b>Permissions</b>
		* make API calls to any Amazon Web Services service with the following exception: You cannot call the
		* STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
		* Amazon Web Services STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
		* operations.</p>
		@@ -50,3 +49,7 @@ * <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
		* Policies</a> in the <i>IAM User Guide</i>.</p>
		* <p>To assume a role from a different account, your account must be trusted by the
		* <p>When you create a role, you create two policies: A role trust policy that specifies
		* <i>who</i> can assume the role and a permissions policy that specifies
		* <i>what</i> can be done with the role. You specify the trusted principal
		* who is allowed to assume the role in the role trust policy.</p>
		* <p>To assume a role from a different account, your Amazon Web Services account must be trusted by the
		* role. The trust relationship is defined in the role's trust policy when the role is
		@@ -58,8 +61,9 @@ * created. That trust policy states which accounts are allowed to delegate that access to
		* that allows the user to call <code>AssumeRole</code> for the ARN of the role in the other
		* account. If the user is in the same account as the role, then you can do either of the
		* account.</p>
		* <p>To allow a user to assume a role in the same account, you can do either of the
		* following:</p>
		* <ul>
		* <li>
		* <p>Attach a policy to the user (identical to the previous user in a different
		* account).</p>
		* <p>Attach a policy to the user that allows the user to call
		* <code>AssumeRole</code> (as long as the role's trust policy trusts the account).</p>
		* </li>
		@@ -70,6 +74,8 @@ * <li>
		* </ul>
		* <p>In this case, the trust policy acts as an IAM resource-based policy. Users in the same
		* account as the role do not need explicit permission to assume the role. For more
		* information about trust policies and resource-based policies, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">IAM Policies</a> in
		* the <i>IAM User Guide</i>.</p>
		* <p>You can do either because the role’s trust policy acts as an IAM resource-based
		* policy. When a resource-based policy grants access to a principal in the same account, no
		* additional identity-based policy is required. For more information about trust policies and
		* resource-based policies, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">IAM Policies</a> in the
		* <i>IAM User Guide</i>.</p>
		*
		* <p>
		@@ -120,3 +126,3 @@ * <b>Tags</b>
		* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
		* STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* <p>The temporary security credentials returned by this operation consist of an access key
		@@ -143,11 +149,11 @@ * ID, a secret access key, and a security token. Applications can use these temporary
		* <note>
		* <p>
		* <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining">Role chaining</a> limits your CLI or Amazon Web Services API
		* role session to a maximum of one hour. When you use the <code>AssumeRole</code> API
		* operation to assume a role, you can specify the duration of your role session with
		* the <code>DurationSeconds</code> parameter. You can specify a parameter value of up
		* to 43200 seconds (12 hours), depending on the maximum session duration setting for
		* your role. However, if you assume a role using role chaining and provide a
		* <code>DurationSeconds</code> parameter value greater than one hour, the
		* operation fails.</p>
		* <p>
		* <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining">Role chaining</a> limits your CLI or Amazon Web Services API role
		* session to a maximum of one hour. When you use the <code>AssumeRole</code> API operation
		* to assume a role, you can specify the duration of your role session with the
		* <code>DurationSeconds</code> parameter. You can specify a parameter value of up to
		* 43200 seconds (12 hours), depending on the maximum session duration setting for your
		* role. However, if you assume a role using role chaining and provide a
		* <code>DurationSeconds</code> parameter value greater than one hour, the operation
		* fails.</p>
		* </note>
		@@ -204,5 +210,5 @@ * <p>
		* </note>
		* <p>You can pass a session tag with the same key as a tag that is
		* attached to the role. When you do, session tags override the role's tags with the same
		* key.</p>
		*
		* <p>You can pass a session tag with the same key as a tag that is attached to the role. When
		* you do, session tags override the role's tags with the same key.</p>
		* <p>An administrator must grant you the permissions necessary to pass session tags. The
		@@ -276,3 +282,3 @@ * administrator can also create granular permissions to allow you to pass only specific
		* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
		* STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* <p>The temporary security credentials returned by this API consist of an access key ID, a
		@@ -335,5 +341,5 @@ * secret access key, and a security token. Applications can use these temporary security
		* </note>
		* <p>You can pass a session tag with the same key as a tag that is
		* attached to the role. When you do, the session tag overrides the role tag with the same
		* key.</p>
		*
		* <p>You can pass a session tag with the same key as a tag that is attached to the role. When
		* you do, the session tag overrides the role tag with the same key.</p>
		* <p>An administrator must grant you the permissions necessary to pass session tags. The
		@@ -408,5 +414,5 @@ * administrator can also create granular permissions to allow you to pass only specific
		* </note>
		* <p>The message is encoded because the details of the authorization status can constitute
		* <p>The message is encoded because the details of the authorization status can contain
		* privileged information that the user who requested the operation should not see. To decode
		* an authorization status message, a user must be granted permissions via an IAM policy to
		* an authorization status message, a user must be granted permissions through an IAM <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">policy</a> to
		* request the <code>DecodeAuthorizationMessage</code>
		@@ -440,19 +446,19 @@ * (<code>sts:DecodeAuthorizationMessage</code>) action. </p>
		* <p>Returns the account identifier for the specified access key ID.</p>
		* <p>Access keys consist of two parts: an access key ID (for example,
		* <code>AKIAIOSFODNN7EXAMPLE</code>) and a secret access key (for example,
		* <code>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</code>). For more information about
		* access keys, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html">Managing Access Keys for IAM
		* Users</a> in the <i>IAM User Guide</i>.</p>
		* <p>When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services
		* account to which the keys belong. Access key IDs beginning with <code>AKIA</code> are
		* long-term credentials for an IAM user or the Amazon Web Services account root user. Access key IDs
		* beginning with <code>ASIA</code> are temporary credentials that are created using STS
		* operations. If the account in the response belongs to you, you can sign in as the root
		* user and review your root user access keys. Then, you can pull a <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html">credentials report</a> to learn which IAM user owns the keys. To learn who
		* requested the temporary credentials for an <code>ASIA</code> access key, view the STS
		* events in your <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html">CloudTrail logs</a> in the
		* <i>IAM User Guide</i>.</p>
		* <p>This operation does not indicate the state of the access key. The key might be active,
		* inactive, or deleted. Active keys might not have permissions to perform an operation.
		* Providing a deleted access key might return an error that the key doesn't exist.</p>
		* <p>Access keys consist of two parts: an access key ID (for example,
		* <code>AKIAIOSFODNN7EXAMPLE</code>) and a secret access key (for example,
		* <code>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</code>). For more information about
		* access keys, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html">Managing Access Keys for IAM
		* Users</a> in the <i>IAM User Guide</i>.</p>
		* <p>When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services account
		* to which the keys belong. Access key IDs beginning with <code>AKIA</code> are long-term
		* credentials for an IAM user or the Amazon Web Services account root user. Access key IDs beginning with
		* <code>ASIA</code> are temporary credentials that are created using STS operations. If
		* the account in the response belongs to you, you can sign in as the root user and review
		* your root user access keys. Then, you can pull a <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html">credentials report</a> to
		* learn which IAM user owns the keys. To learn who requested the temporary credentials for
		* an <code>ASIA</code> access key, view the STS events in your <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html">CloudTrail logs</a> in the
		* <i>IAM User Guide</i>.</p>
		* <p>This operation does not indicate the state of the access key. The key might be active,
		* inactive, or deleted. Active keys might not have permissions to perform an operation.
		* Providing a deleted access key might return an error that the key doesn't exist.</p>
		*/
		@@ -464,11 +470,11 @@ getAccessKeyInfo(args: GetAccessKeyInfoCommandInput, options?: __HttpHandlerOptions): Promise<GetAccessKeyInfoCommandOutput>;
		* <p>Returns details about the IAM user or role whose credentials are used to call the
		* operation.</p>
		* <note>
		* operation.</p>
		* <note>
		* <p>No permissions are required to perform this operation. If an administrator adds a
		* policy to your IAM user or role that explicitly denies access to the
		* <code>sts:GetCallerIdentity</code> action, you can still perform this operation.
		* Permissions are not required because the same information is returned when an IAM
		* user or role is denied access. To view an example response, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa">I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice</a> in the
		* <i>IAM User Guide</i>.</p>
		* </note>
		* policy to your IAM user or role that explicitly denies access to the
		* <code>sts:GetCallerIdentity</code> action, you can still perform this operation.
		* Permissions are not required because the same information is returned when an IAM user
		* or role is denied access. To view an example response, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa">I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice</a> in the
		* <i>IAM User Guide</i>.</p>
		* </note>
		*/
		@@ -488,3 +494,3 @@ getCallerIdentity(args: GetCallerIdentityCommandInput, options?: __HttpHandlerOptions): Promise<GetCallerIdentityCommandOutput>;
		* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
		* STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* <note>
		@@ -508,4 +514,4 @@ * <p>You can create a mobile-based or browser-based app that can authenticate users using
		* minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is
		* 43,200 seconds (12 hours). Temporary credentials that are obtained by using Amazon Web Services account
		* root user credentials have a maximum duration of 3,600 seconds (1 hour).</p>
		* 43,200 seconds (12 hours). Temporary credentials obtained by using the Amazon Web Services account root
		* user credentials have a maximum duration of 3,600 seconds (1 hour).</p>
		* <p>
		@@ -548,74 +554,21 @@ * <b>Permissions</b>
		* <i>IAM User Guide</i>.</p>
		* <note>
		* <p>You can create a mobile-based or browser-based app that can authenticate users
		* using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
		* Connect-compatible identity provider. In this case, we recommend that you use <a href="http://aws.amazon.com/cognito/">Amazon Cognito</a> or
		* <code>AssumeRoleWithWebIdentity</code>. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation Through a Web-based Identity Provider</a> in the
		* <i>IAM User Guide</i>.</p>
		* </note>
		* <p>You can also call <code>GetFederationToken</code> using the security credentials of an
		* Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you
		* create an IAM user for the purpose of the proxy application. Then attach a policy to
		* the IAM user that limits federated users to only the actions and resources that they
		* need to access. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html">IAM Best Practices</a> in the
		* <i>IAM User Guide</i>. </p>
		* <p>
		* <b>Session duration</b>
		* </p>
		* <p>The temporary credentials are valid for the specified duration, from 900 seconds (15
		* minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is
		* 43,200 seconds (12 hours). Temporary credentials that are obtained by using Amazon Web Services
		* account root user credentials have a maximum duration of 3,600 seconds (1 hour).</p>
		* <p>
		* <b>Permissions</b>
		* </p>
		* <p>You can use the temporary credentials created by <code>GetFederationToken</code> in
		* any Amazon Web Services service except the following:</p>
		* <ul>
		* <li>
		* <p>You cannot call any IAM operations using the CLI or the Amazon Web Services API.
		* </p>
		* </li>
		* <li>
		* <p>You cannot call any STS operations except
		* <code>GetCallerIdentity</code>.</p>
		* </li>
		* </ul>
		* <p>You must pass an inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policy</a> to
		* this operation. You can pass a single JSON policy document to use as an inline session
		* policy. You can also specify up to 10 managed policies to use as managed session
		* policies. The plain text that you use for both inline and managed session policies can't
		* exceed 2,048 characters.</p>
		* <p>Though the session policy parameters are optional, if you do not pass a policy, then
		* the resulting federated user session has no permissions. When you pass session policies,
		* the session permissions are the intersection of the IAM user policies and the session
		* policies that you pass. This gives you a way to further restrict the permissions for a
		* federated user. You cannot use session policies to grant more permissions than those
		* that are defined in the permissions policy of the IAM user. For more information, see
		* <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session Policies</a>
		* in the <i>IAM User Guide</i>. For information about using
		* <code>GetFederationToken</code> to create temporary security credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken">GetFederationToken—Federation Through a Custom Identity Broker</a>. </p>
		* <p>You can use the credentials to access a resource that has a resource-based policy. If
		* that policy specifically references the federated user session in the
		* <code>Principal</code> element of the policy, the session has the permissions
		* allowed by the policy. These permissions are granted in addition to the permissions
		* granted by the session policies.</p>
		* <p>
		* <b>Tags</b>
		* </p>
		* <p>(Optional) You can pass tag key-value pairs to your session. These are called session
		* tags. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
		* the <i>IAM User Guide</i>.</p>
		* <p>An administrator must grant you the permissions necessary to pass session tags. The
		* administrator can also create granular permissions to allow you to pass only specific
		* session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using
		* Tags for Attribute-Based Access Control</a> in the
		* <i>IAM User Guide</i>.</p>
		* <p>Tag key–value pairs are not case sensitive, but case is preserved. This means that you
		* cannot have separate <code>Department</code> and <code>department</code> tag keys.
		* Assume that the user that you are federating has the
		* <code>Department</code>=<code>Marketing</code> tag and you pass the
		* <code>department</code>=<code>engineering</code> session tag.
		* <code>Department</code> and <code>department</code> are not saved as separate tags,
		* and the session tag passed in the request takes precedence over the user tag.</p>
		* <note>
		* <p>You can create a mobile-based or browser-based app that can authenticate users using
		* a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
		* Connect-compatible identity provider. In this case, we recommend that you use <a href="http://aws.amazon.com/cognito/">Amazon Cognito</a> or
		* <code>AssumeRoleWithWebIdentity</code>. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation Through a Web-based Identity Provider</a> in the
		* <i>IAM User Guide</i>.</p>
		* </note>
		* <p>An administrator must grant you the permissions necessary to pass session tags. The
		* administrator can also create granular permissions to allow you to pass only specific
		* session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
		* for Attribute-Based Access Control</a> in the
		* <i>IAM User Guide</i>.</p>
		* <p>Tag key–value pairs are not case sensitive, but case is preserved. This means that you
		* cannot have separate <code>Department</code> and <code>department</code> tag keys. Assume
		* that the user that you are federating has the
		* <code>Department</code>=<code>Marketing</code> tag and you pass the
		* <code>department</code>=<code>engineering</code> session tag. <code>Department</code>
		* and <code>department</code> are not saved as separate tags, and the session tag passed in
		* the request takes precedence over the user tag.</p>
		*/
		@@ -637,3 +590,3 @@ getFederationToken(args: GetFederationTokenCommandInput, options?: __HttpHandlerOptions): Promise<GetFederationTokenCommandOutput>;
		* Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
		* STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
		* <p>
		@@ -640,0 +593,0 @@ * <b>Session Duration</b>

package.json

		{
		"name": "@aws-sdk/client-sts",
		"description": "AWS SDK for JavaScript Sts Client for Node.js, Browser and React Native",
		"version": "3.42.0",
		"version": "3.43.0",
		"scripts": {
		@@ -6,0 +6,0 @@ "build": "yarn build:cjs && yarn build:es && yarn build:types",

dist-types/models/models_0.d.ts

Sorry, the diff of this file is too big to display

@aws-sdk/client-sts - npm Package Compare versions

New alerts

Fixed alerts

Worsened metrics