Permanently bans a member from a channel. Moderators can't add banned members to a channel. To undo a ban, you first have to DeleteChannelBan, and then CreateChannelMembership. Bans are cleaned up when you delete users or channels.
If you ban a user who is already part of a channel, that user is automatically kicked from the channel.
The x-amz-chime-bearer request header is mandatory. Use the AppInstanceUserArn of the user that makes the API call as the value in the header.
Adds a user to a channel. The InvitedBy response field is derived from the request header. A channel member can:
List messages
Send messages
Receive messages
Edit their own messages
Leave the channel
Privacy settings impact this action as follows:
Public Channels: You do not need to be a member to list messages, but you must be a member to send messages.
Private Channels: You must be a member to list or send messages.
The x-amz-chime-bearer request header is mandatory. Use the AppInstanceUserArn of the user that makes the API call as the value in the header.
Creates a new ChannelModerator. A channel moderator can:
Add and remove other members of the channel.
Add and remove other moderators of the channel.
Add and remove user bans for the channel.
Redact messages in the channel.
List messages in the channel.
The x-amz-chime-bearer request header is mandatory. Use the AppInstanceUserArn of the user that makes the API call as the value in the header.
Creates a media capture pipeline.
", "CreateMeeting": "Creates a new Amazon Chime SDK meeting in the specified media Region with no initial attendees. For more information about specifying media Regions, see Amazon Chime SDK Media Regions in the Amazon Chime Developer Guide . For more information about the Amazon Chime SDK, see Using the Amazon Chime SDK in the Amazon Chime Developer Guide .
", "CreateMeetingDialOut": "Uses the join token and call metadata in a meeting request (From number, To number, and so forth) to initiate an outbound call to a public switched telephone network (PSTN) and join them into a Chime meeting. Also ensures that the From number belongs to the customer.
To play welcome audio or implement an interactive voice response (IVR), use the CreateSipMediaApplicationCall action with the corresponding SIP media application ID.
Creates a new Amazon Chime SDK meeting in the specified media Region, with attendees. For more information about specifying media Regions, see Amazon Chime SDK Media Regions in the Amazon Chime Developer Guide . For more information about the Amazon Chime SDK, see Using the Amazon Chime SDK in the Amazon Chime Developer Guide .
", @@ -49,6 +50,7 @@ "DeleteChannelMessage": "Deletes a channel message. Only admins can perform this action. Deletion makes messages inaccessible immediately. A background process deletes any revisions created by UpdateChannelMessage.
The x-amz-chime-bearer request header is mandatory. Use the AppInstanceUserArn of the user that makes the API call as the value in the header.
Deletes a channel moderator.
The x-amz-chime-bearer request header is mandatory. Use the AppInstanceUserArn of the user that makes the API call as the value in the header.
Deletes the events configuration that allows a bot to receive outgoing events.
", + "DeleteMediaCapturePipeline": "Deletes the media capture pipeline.
", "DeleteMeeting": "Deletes the specified Amazon Chime SDK meeting. The operation deletes all attendees, disconnects all clients, and prevents new clients from joining the meeting. For more information about the Amazon Chime SDK, see Using the Amazon Chime SDK in the Amazon Chime Developer Guide.
", "DeletePhoneNumber": "Moves the specified phone number into the Deletion queue. A phone number must be disassociated from any users or Amazon Chime Voice Connectors before it can be deleted.
Deleted phone numbers remain in the Deletion queue for 7 days before they are deleted permanently.
", "DeleteProxySession": "Deletes the specified proxy session from the specified Amazon Chime Voice Connector.
", @@ -86,6 +88,7 @@ "GetChannelMessage": "Gets the full details of a channel message.
The x-amz-chime-bearer request header is mandatory. Use the AppInstanceUserArn of the user that makes the API call as the value in the header.
Gets details for an events configuration that allows a bot to receive outgoing events, such as an HTTPS endpoint or Lambda function ARN.
", "GetGlobalSettings": "Retrieves global settings for the administrator's AWS account, such as Amazon Chime Business Calling and Amazon Chime Voice Connector settings.
", + "GetMediaCapturePipeline": "Gets an existing media capture pipeline.
", "GetMeeting": "Gets the Amazon Chime SDK meeting details for the specified meeting ID. For more information about the Amazon Chime SDK, see Using the Amazon Chime SDK in the Amazon Chime Developer Guide .
", "GetMessagingSessionEndpoint": "The details of the endpoint for the messaging session.
", "GetPhoneNumber": "Retrieves details for the specified phone number ID, such as associations, capabilities, and product type.
", @@ -123,6 +126,7 @@ "ListChannelModerators": "Lists all the moderators for a channel.
The x-amz-chime-bearer request header is mandatory. Use the AppInstanceUserArn of the user that makes the API call as the value in the header.
Lists all Channels created under a single Chime App as a paginated list. You can specify filters to narrow results.
Functionality & restrictions
Use privacy = PUBLIC to retrieve all public channels in the account.
Only an AppInstanceAdmin can set privacy = PRIVATE to list the private channels in an account.
The x-amz-chime-bearer request header is mandatory. Use the AppInstanceUserArn of the user that makes the API call as the value in the header.
A list of the channels moderated by an AppInstanceUser.
The x-amz-chime-bearer request header is mandatory. Use the AppInstanceUserArn of the user that makes the API call as the value in the header.
Returns a list of media capture pipelines.
", "ListMeetingTags": "Lists the tags applied to an Amazon Chime SDK meeting resource.
", "ListMeetings": "Lists up to 100 active Amazon Chime SDK meetings. For more information about the Amazon Chime SDK, see Using the Amazon Chime SDK in the Amazon Chime Developer Guide.
", "ListPhoneNumberOrders": "Lists the phone number orders for the administrator's Amazon Chime account.
", @@ -344,7 +348,11 @@ "base": null, "refs": { "AppInstanceStreamingConfiguration$ResourceArn": "The resource ARN.
", + "CreateMediaCapturePipelineRequest$SourceArn": "ARN of the source from which the media artifacts are captured.
", + "CreateMediaCapturePipelineRequest$SinkArn": "The ARN of the sink type.
", "ListTagsForResourceRequest$ResourceARN": "The resource ARN.
", + "MediaCapturePipeline$SourceArn": "ARN of the source from which the media artifacts will be saved.
", + "MediaCapturePipeline$SinkArn": "ARN of the destination to which the media artifacts are saved.
", "MeetingNotificationConfiguration$SnsTopicArn": "The SNS topic ARN.
", "MeetingNotificationConfiguration$SqsQueueArn": "The SQS queue ARN.
", "TagResourceRequest$ResourceARN": "The resource ARN.
", @@ -927,6 +935,7 @@ "CreateAppInstanceRequest$ClientRequestToken": "The ClientRequestToken of the AppInstance.
The token assigned to the user requesting an AppInstance.
The client token for the request. An Idempotency token.
The token assigned to the client making the pipeline request.
", "CreateMeetingRequest$ClientRequestToken": "The unique identifier for the client request. Use a different token for different meetings.
", "CreateMeetingWithAttendeesRequest$ClientRequestToken": "The unique identifier for the client request. Use a different token for different meetings.
", "CreateRoomRequest$ClientRequestToken": "The idempotency token for the request.
", @@ -1090,6 +1099,16 @@ "refs": { } }, + "CreateMediaCapturePipelineRequest": { + "base": null, + "refs": { + } + }, + "CreateMediaCapturePipelineResponse": { + "base": null, + "refs": { + } + }, "CreateMeetingDialOutRequest": { "base": null, "refs": { @@ -1321,6 +1340,11 @@ "refs": { } }, + "DeleteMediaCapturePipelineRequest": { + "base": null, + "refs": { + } + }, "DeleteMeetingRequest": { "base": null, "refs": { @@ -1739,6 +1763,16 @@ "refs": { } }, + "GetMediaCapturePipelineRequest": { + "base": null, + "refs": { + } + }, + "GetMediaCapturePipelineResponse": { + "base": null, + "refs": { + } + }, "GetMeetingRequest": { "base": null, "refs": { @@ -1964,15 +1998,18 @@ "CreateMeetingDialOutResponse$TransactionId": "Unique ID that tracks API calls.
", "DeleteAttendeeRequest$MeetingId": "The Amazon Chime SDK meeting ID.
", "DeleteAttendeeRequest$AttendeeId": "The Amazon Chime SDK attendee ID.
", + "DeleteMediaCapturePipelineRequest$MediaPipelineId": "The ID of the media capture pipeline being deleted.
", "DeleteMeetingRequest$MeetingId": "The Amazon Chime SDK meeting ID.
", "GetAttendeeRequest$MeetingId": "The Amazon Chime SDK meeting ID.
", "GetAttendeeRequest$AttendeeId": "The Amazon Chime SDK attendee ID.
", + "GetMediaCapturePipelineRequest$MediaPipelineId": "The ID of the pipeline that you want to get.
", "GetMeetingRequest$MeetingId": "The Amazon Chime SDK meeting ID.
", "GetPhoneNumberOrderRequest$PhoneNumberOrderId": "The ID for the phone number order.
", "ListAttendeeTagsRequest$MeetingId": "The Amazon Chime SDK meeting ID.
", "ListAttendeeTagsRequest$AttendeeId": "The Amazon Chime SDK attendee ID.
", "ListAttendeesRequest$MeetingId": "The Amazon Chime SDK meeting ID.
", "ListMeetingTagsRequest$MeetingId": "The Amazon Chime SDK meeting ID.
", + "MediaCapturePipeline$MediaPipelineId": "The ID of a media capture pipeline.
", "Meeting$MeetingId": "The Amazon Chime SDK meeting ID.
", "PhoneNumberOrder$PhoneNumberOrderId": "The phone number order ID.
", "SipMediaApplicationCall$TransactionId": "The transaction ID of a call.
", @@ -2053,6 +2090,8 @@ "Bot$UpdatedTimestamp": "The updated bot timestamp, in ISO 8601 format.
", "GetPhoneNumberSettingsResponse$CallingNameUpdatedTimestamp": "The updated outbound calling name timestamp, in ISO 8601 format.
", "GetRetentionSettingsResponse$InitiateDeletionTimestamp": "The timestamp representing the time at which the specified items are permanently deleted, in ISO 8601 format.
", + "MediaCapturePipeline$CreatedTimestamp": "The time at which the capture pipeline was created, in ISO 8601 format.
", + "MediaCapturePipeline$UpdatedTimestamp": "The time at which the capture pipeline was updated, in ISO 8601 format.
", "PhoneNumber$CreatedTimestamp": "The phone number creation timestamp, in ISO 8601 format.
", "PhoneNumber$UpdatedTimestamp": "The updated phone number timestamp, in ISO 8601 format.
", "PhoneNumber$DeletionTimestamp": "The deleted phone number timestamp, in ISO 8601 format.
", @@ -2243,6 +2282,16 @@ "refs": { } }, + "ListMediaCapturePipelinesRequest": { + "base": null, + "refs": { + } + }, + "ListMediaCapturePipelinesResponse": { + "base": null, + "refs": { + } + }, "ListMeetingTagsRequest": { "base": null, "refs": { @@ -2426,6 +2475,40 @@ "ListChannelsRequest$MaxResults": "The maximum number of channels that you want to return.
" } }, + "MediaCapturePipeline": { + "base": "A media capture pipeline object. A string consisting of an ID, source type, a source ARN, a sink type, and a sink ARN.
", + "refs": { + "CreateMediaCapturePipelineResponse$MediaCapturePipeline": "A media capture pipeline object, the ID, source type, source ARN, sink type, and sink ARN of a media capture pipeline object.
", + "GetMediaCapturePipelineResponse$MediaCapturePipeline": "The media capture pipeline object.
", + "MediaCapturePipelineList$member": null + } + }, + "MediaCapturePipelineList": { + "base": null, + "refs": { + "ListMediaCapturePipelinesResponse$MediaCapturePipelines": "The media capture pipeline objects in the list.
" + } + }, + "MediaPipelineSinkType": { + "base": null, + "refs": { + "CreateMediaCapturePipelineRequest$SinkType": "Destination type to which the media artifacts are saved. You must use an S3 bucket.
", + "MediaCapturePipeline$SinkType": "Destination type to which the media artifacts are saved. You must use an S3 Bucket.
" + } + }, + "MediaPipelineSourceType": { + "base": null, + "refs": { + "CreateMediaCapturePipelineRequest$SourceType": "Source type from which the media artifacts will be captured. A Chime SDK Meeting is the only supported source.
", + "MediaCapturePipeline$SourceType": "Source type from which media artifacts are saved. You must use ChimeMeeting.
The status of the media capture pipeline.
" + } + }, "MediaPlacement": { "base": "A set of endpoints used by clients to connect to the media service group for a Amazon Chime SDK meeting.
", "refs": { @@ -3268,6 +3351,7 @@ "refs": { "ListAttendeesRequest$MaxResults": "The maximum number of results to return in a single call.
", "ListBotsRequest$MaxResults": "The maximum number of results to return in a single call. The default is 10.
", + "ListMediaCapturePipelinesRequest$MaxResults": "The maximum number of results to return in a single call. Valid Range: 1 - 99.
", "ListMeetingsRequest$MaxResults": "The maximum number of results to return in a single call.
", "ListPhoneNumberOrdersRequest$MaxResults": "The maximum number of results to return in a single call.
", "ListPhoneNumbersRequest$MaxResults": "The maximum number of results to return in a single call.
", @@ -3586,6 +3670,8 @@ "ListAttendeesResponse$NextToken": "The token to use to retrieve the next page of results.
", "ListBotsRequest$NextToken": "The token to use to retrieve the next page of results.
", "ListBotsResponse$NextToken": "The token to use to retrieve the next page of results.
", + "ListMediaCapturePipelinesRequest$NextToken": "The token used to retrieve the next page of results.
", + "ListMediaCapturePipelinesResponse$NextToken": "The token used to retrieve the next page of results.
", "ListMeetingsRequest$NextToken": "The token to use to retrieve the next page of results.
", "ListMeetingsResponse$NextToken": "The token to use to retrieve the next page of results.
", "ListPhoneNumberOrdersRequest$NextToken": "The token to use to retrieve the next page of results.
", diff --git a/models/apis/chime/2018-05-01/paginators-1.json b/models/apis/chime/2018-05-01/paginators-1.json index 8021a1e8848..0f87c882ba3 100644 --- a/models/apis/chime/2018-05-01/paginators-1.json +++ b/models/apis/chime/2018-05-01/paginators-1.json @@ -65,6 +65,11 @@ "output_token": "NextToken", "limit_key": "MaxResults" }, + "ListMediaCapturePipelines": { + "input_token": "NextToken", + "output_token": "NextToken", + "limit_key": "MaxResults" + }, "ListMeetings": { "input_token": "NextToken", "output_token": "NextToken", diff --git a/models/apis/cloudfront/2020-05-31/api-2.json b/models/apis/cloudfront/2020-05-31/api-2.json index 136d971cfb0..b3585b86a96 100644 --- a/models/apis/cloudfront/2020-05-31/api-2.json +++ b/models/apis/cloudfront/2020-05-31/api-2.json @@ -12,6 +12,22 @@ "uid":"cloudfront-2020-05-31" }, "operations":{ + "AssociateAlias":{ + "name":"AssociateAlias2020_05_31", + "http":{ + "method":"PUT", + "requestUri":"/2020-05-31/distribution/{TargetDistributionId}/associate-alias", + "responseCode":200 + }, + "input":{"shape":"AssociateAliasRequest"}, + "errors":[ + {"shape":"InvalidArgument"}, + {"shape":"NoSuchDistribution"}, + {"shape":"TooManyDistributionCNAMEs"}, + {"shape":"IllegalUpdate"}, + {"shape":"AccessDenied"} + ] + }, "CreateCachePolicy":{ "name":"CreateCachePolicy2020_05_31", "http":{ @@ -245,7 +261,8 @@ {"shape":"TooManyFunctions"}, {"shape":"FunctionAlreadyExists"}, {"shape":"FunctionSizeLimitExceeded"}, - {"shape":"InvalidArgument"} + {"shape":"InvalidArgument"}, + {"shape":"UnsupportedOperation"} ] }, "CreateInvalidation":{ @@ -494,7 +511,8 @@ {"shape":"InvalidIfMatchVersion"}, {"shape":"NoSuchFunctionExists"}, {"shape":"FunctionInUse"}, - {"shape":"PreconditionFailed"} + {"shape":"PreconditionFailed"}, + {"shape":"UnsupportedOperation"} ] }, "DeleteKeyGroup":{ @@ -603,7 +621,8 @@ "input":{"shape":"DescribeFunctionRequest"}, "output":{"shape":"DescribeFunctionResult"}, "errors":[ - {"shape":"NoSuchFunctionExists"} + {"shape":"NoSuchFunctionExists"}, + {"shape":"UnsupportedOperation"} ] }, "GetCachePolicy":{ @@ -745,7 +764,8 @@ "input":{"shape":"GetFunctionRequest"}, "output":{"shape":"GetFunctionResult"}, "errors":[ - {"shape":"NoSuchFunctionExists"} + {"shape":"NoSuchFunctionExists"}, + {"shape":"UnsupportedOperation"} ] }, "GetInvalidation":{ @@ -922,6 +942,20 @@ {"shape":"InvalidArgument"} ] }, + "ListConflictingAliases":{ + "name":"ListConflictingAliases2020_05_31", + "http":{ + "method":"GET", + "requestUri":"/2020-05-31/conflicting-alias", + "responseCode":200 + }, + "input":{"shape":"ListConflictingAliasesRequest"}, + "output":{"shape":"ListConflictingAliasesResult"}, + "errors":[ + {"shape":"InvalidArgument"}, + {"shape":"NoSuchDistribution"} + ] + }, "ListDistributions":{ "name":"ListDistributions2020_05_31", "http":{ @@ -1037,7 +1071,8 @@ "input":{"shape":"ListFunctionsRequest"}, "output":{"shape":"ListFunctionsResult"}, "errors":[ - {"shape":"InvalidArgument"} + {"shape":"InvalidArgument"}, + {"shape":"UnsupportedOperation"} ] }, "ListInvalidations":{ @@ -1145,7 +1180,8 @@ {"shape":"InvalidArgument"}, {"shape":"InvalidIfMatchVersion"}, {"shape":"NoSuchFunctionExists"}, - {"shape":"PreconditionFailed"} + {"shape":"PreconditionFailed"}, + {"shape":"UnsupportedOperation"} ] }, "TagResource":{ @@ -1179,7 +1215,8 @@ {"shape":"InvalidArgument"}, {"shape":"InvalidIfMatchVersion"}, {"shape":"NoSuchFunctionExists"}, - {"shape":"TestFunctionFailed"} + {"shape":"TestFunctionFailed"}, + {"shape":"UnsupportedOperation"} ] }, "UntagResource":{ @@ -1368,7 +1405,8 @@ {"shape":"InvalidIfMatchVersion"}, {"shape":"NoSuchFunctionExists"}, {"shape":"PreconditionFailed"}, - {"shape":"FunctionSizeLimitExceeded"} + {"shape":"FunctionSizeLimitExceeded"}, + {"shape":"UnsupportedOperation"} ] }, "UpdateKeyGroup":{ @@ -1545,6 +1583,25 @@ "CachedMethods":{"shape":"CachedMethods"} } }, + "AssociateAliasRequest":{ + "type":"structure", + "required":[ + "TargetDistributionId", + "Alias" + ], + "members":{ + "TargetDistributionId":{ + "shape":"string", + "location":"uri", + "locationName":"TargetDistributionId" + }, + "Alias":{ + "shape":"string", + "location":"querystring", + "locationName":"Alias" + } + } + }, "AwsAccountNumberList":{ "type":"list", "member":{ @@ -1861,6 +1918,30 @@ "type":"string", "sensitive":true }, + "ConflictingAlias":{ + "type":"structure", + "members":{ + "Alias":{"shape":"string"}, + "DistributionId":{"shape":"string"}, + "AccountId":{"shape":"string"} + } + }, + "ConflictingAliases":{ + "type":"list", + "member":{ + "shape":"ConflictingAlias", + "locationName":"ConflictingAlias" + } + }, + "ConflictingAliasesList":{ + "type":"structure", + "members":{ + "NextMarker":{"shape":"string"}, + "MaxItems":{"shape":"integer"}, + "Quantity":{"shape":"integer"}, + "Items":{"shape":"ConflictingAliases"} + } + }, "ContentTypeProfile":{ "type":"structure", "required":[ @@ -4241,6 +4322,42 @@ }, "payload":"CloudFrontOriginAccessIdentityList" }, + "ListConflictingAliasesRequest":{ + "type":"structure", + "required":[ + "DistributionId", + "Alias" + ], + "members":{ + "DistributionId":{ + "shape":"distributionIdString", + "location":"querystring", + "locationName":"DistributionId" + }, + "Alias":{ + "shape":"aliasString", + "location":"querystring", + "locationName":"Alias" + }, + "Marker":{ + "shape":"string", + "location":"querystring", + "locationName":"Marker" + }, + "MaxItems":{ + "shape":"listConflictingAliasesMaxItemsInteger", + "location":"querystring", + "locationName":"MaxItems" + } + } + }, + "ListConflictingAliasesResult":{ + "type":"structure", + "members":{ + "ConflictingAliasesList":{"shape":"ConflictingAliasesList"} + }, + "payload":"ConflictingAliasesList" + }, "ListDistributionsByCachePolicyIdRequest":{ "type":"structure", "required":["CachePolicyId"], @@ -6559,8 +6676,20 @@ "redirect-to-https" ] }, + "aliasString":{ + "type":"string", + "max":253 + }, "boolean":{"type":"boolean"}, + "distributionIdString":{ + "type":"string", + "max":25 + }, "integer":{"type":"integer"}, + "listConflictingAliasesMaxItemsInteger":{ + "type":"integer", + "max":100 + }, "long":{"type":"long"}, "string":{"type":"string"}, "timestamp":{"type":"timestamp"} diff --git a/models/apis/cloudfront/2020-05-31/docs-2.json b/models/apis/cloudfront/2020-05-31/docs-2.json index 0118d92f522..96e4608a6fa 100644 --- a/models/apis/cloudfront/2020-05-31/docs-2.json +++ b/models/apis/cloudfront/2020-05-31/docs-2.json @@ -2,6 +2,7 @@ "version": "2.0", "service": "This is the Amazon CloudFront API Reference. This guide is for developers who need detailed information about CloudFront API actions, data types, and errors. For detailed information about CloudFront features, see the Amazon CloudFront Developer Guide.
", "operations": { + "AssociateAlias": "Associates an alias (also known as a CNAME or an alternate domain name) with a CloudFront distribution.
With this operation you can move an alias that’s already in use on a CloudFront distribution to a different distribution in one step. This prevents the downtime that could occur if you first remove the alias from one distribution and then separately add the alias to another distribution.
To use this operation to associate an alias with a distribution, you provide the alias and the ID of the target distribution for the alias. For more information, including how to set up the target distribution, prerequisites that you must complete, and other restrictions, see Moving an alternate domain name to a different distribution in the Amazon CloudFront Developer Guide.
", "CreateCachePolicy": "Creates a cache policy.
After you create a cache policy, you can attach it to one or more cache behaviors. When it’s attached to a cache behavior, the cache policy determines the following:
The values that CloudFront includes in the cache key. These values can include HTTP headers, cookies, and URL query strings. CloudFront uses the cache key to find an object in its cache that it can return to the viewer.
The default, minimum, and maximum time to live (TTL) values that you want objects to stay in the CloudFront cache.
The headers, cookies, and query strings that are included in the cache key are automatically included in requests that CloudFront sends to the origin. CloudFront sends a request when it can’t find an object in its cache that matches the request’s cache key. If you want to send values to the origin but not include them in the cache key, use OriginRequestPolicy.
For more information about cache policies, see Controlling the cache key in the Amazon CloudFront Developer Guide.
", "CreateCloudFrontOriginAccessIdentity": "Creates a new origin access identity. If you're using Amazon S3 for your origin, you can use an origin access identity to require users to access your content using a CloudFront URL instead of the Amazon S3 URL. For more information about how to use origin access identities, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.
", "CreateDistribution": "Creates a new web distribution. You create a CloudFront distribution to tell CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery. Send a POST request to the /CloudFront API version/distribution/distribution ID resource.
When you update a distribution, there are more required fields than when you create a distribution. When you update your distribution by using UpdateDistribution, follow the steps included in the documentation to get the current configuration and then make your updates. This helps to make sure that you include all of the required fields. To view a summary, see Required Fields for Create Distribution and Update Distribution in the Amazon CloudFront Developer Guide.
Gets a real-time log configuration.
To get a real-time log configuration, you can provide the configuration’s name or its Amazon Resource Name (ARN). You must provide at least one. If you provide both, CloudFront uses the name to identify the real-time log configuration to get.
", "GetStreamingDistribution": "Gets information about a specified RTMP distribution, including the distribution configuration.
", "GetStreamingDistributionConfig": "Get the configuration information about a streaming distribution.
", - "ListCachePolicies": "Gets a list of cache policies.
You can optionally apply a filter to return only the managed policies created by AWS, or only the custom policies created in your AWS account.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
Gets a list of cache policies.
You can optionally apply a filter to return only the managed policies created by Amazon Web Services, or only the custom policies created in your account.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
Lists origin access identities.
", + "ListConflictingAliases": "Gets a list of aliases (also called CNAMEs or alternate domain names) that conflict or overlap with the provided alias, and the associated CloudFront distributions and Amazon Web Services accounts for each conflicting alias. In the returned list, the distribution and account IDs are partially hidden, which allows you to identify the distributions and accounts that you own, but helps to protect the information of ones that you don’t own.
Use this operation to find aliases that are in use in CloudFront that conflict or overlap with the provided alias. For example, if you provide www.example.com as input, the returned list can include www.example.com and the overlapping wildcard alternate domain name (*.example.com), if they exist. If you provide *.example.com as input, the returned list can include *.example.com and any alternate domain names covered by that wildcard (for example, www.example.com, test.example.com, dev.example.com, and so on), if they exist.
To list conflicting aliases, you provide the alias to search and the ID of a distribution in your account that has an attached SSL/TLS certificate that includes the provided alias. For more information, including how to set up the distribution and certificate, see Moving an alternate domain name to a different distribution in the Amazon CloudFront Developer Guide.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
List CloudFront distributions.
", "ListDistributionsByCachePolicyId": "Gets a list of distribution IDs for distributions that have a cache behavior that’s associated with the specified cache policy.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
Gets a list of distribution IDs for distributions that have a cache behavior that references the specified key group.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
Gets a list of distribution IDs for distributions that have a cache behavior that’s associated with the specified origin request policy.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
Gets a list of distributions that have a cache behavior that’s associated with the specified real-time log configuration.
You can specify the real-time log configuration by its name or its Amazon Resource Name (ARN). You must provide at least one. If you provide both, CloudFront uses the name to identify the real-time log configuration to list distributions for.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
List the distributions that are associated with a specified AWS WAF web ACL.
", + "ListDistributionsByWebACLId": "List the distributions that are associated with a specified WAF web ACL.
", "ListFieldLevelEncryptionConfigs": "List all field-level encryption configurations that have been created in CloudFront for this account.
", "ListFieldLevelEncryptionProfiles": "Request a list of field-level encryption profiles that have been created in CloudFront for this account.
", - "ListFunctions": "Gets a list of all CloudFront functions in your AWS account.
You can optionally apply a filter to return only the functions that are in the specified stage, either DEVELOPMENT or LIVE.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
Gets a list of all CloudFront functions in your account.
You can optionally apply a filter to return only the functions that are in the specified stage, either DEVELOPMENT or LIVE.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
Lists invalidation batches.
", "ListKeyGroups": "Gets a list of key groups.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
Gets a list of origin request policies.
You can optionally apply a filter to return only the managed policies created by AWS, or only the custom policies created in your AWS account.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
Gets a list of origin request policies.
You can optionally apply a filter to return only the managed policies created by Amazon Web Services, or only the custom policies created in your account.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
List all public keys that have been added to CloudFront for this account.
", "ListRealtimeLogConfigs": "Gets a list of real-time log configurations.
You can optionally specify the maximum number of items to receive in the response. If the total number of items in the list exceeds the maximum that you specify, or the default maximum, the response is paginated. To get the next page of items, send a subsequent request that specifies the NextMarker value from the current response as the Marker value in the subsequent request.
List streaming distributions.
", @@ -99,14 +101,14 @@ } }, "ActiveTrustedSigners": { - "base": "A list of AWS accounts and the active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs and signed cookies.
", + "base": "A list of accounts and the active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs and signed cookies.
", "refs": { - "Distribution$ActiveTrustedSigners": "We recommend using TrustedKeyGroups instead of TrustedSigners.
CloudFront automatically adds this field to the response if you’ve configured a cache behavior in this distribution to serve private content using trusted signers. This field contains a list of AWS account IDs and the active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs or signed cookies.
", - "StreamingDistribution$ActiveTrustedSigners": "A complex type that lists the AWS accounts, if any, that you included in the TrustedSigners complex type for this distribution. These are the accounts that you want to allow to create signed URLs for private content.
The Signer complex type lists the AWS account number of the trusted signer or self if the signer is the AWS account that created the distribution. The Signer element also includes the IDs of any active CloudFront key pairs that are associated with the trusted signer's AWS account. If no KeyPairId element appears for a Signer, that signer can't create signed URLs.
For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.
" + "Distribution$ActiveTrustedSigners": "We recommend using TrustedKeyGroups instead of TrustedSigners.
CloudFront automatically adds this field to the response if you’ve configured a cache behavior in this distribution to serve private content using trusted signers. This field contains a list of account IDs and the active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs or signed cookies.
", + "StreamingDistribution$ActiveTrustedSigners": "A complex type that lists the accounts, if any, that you included in the TrustedSigners complex type for this distribution. These are the accounts that you want to allow to create signed URLs for private content.
The Signer complex type lists the account number of the trusted signer or self if the signer is the account that created the distribution. The Signer element also includes the IDs of any active CloudFront key pairs that are associated with the trusted signer's account. If no KeyPairId element appears for a Signer, that signer can't create signed URLs.
For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.
" } }, "AliasICPRecordal": { - "base": "AWS services in China customers must file for an Internet Content Provider (ICP) recordal if they want to serve content publicly on an alternate domain name, also known as a CNAME, that they've added to CloudFront. AliasICPRecordal provides the ICP recordal status for CNAMEs associated with distributions. The status is returned in the CloudFront response; you can't configure it yourself.
For more information about ICP recordals, see Signup, Accounts, and Credentials in Getting Started with AWS services in China.
", + "base": "Amazon Web Services services in China customers must file for an Internet Content Provider (ICP) recordal if they want to serve content publicly on an alternate domain name, also known as a CNAME, that they've added to CloudFront. AliasICPRecordal provides the ICP recordal status for CNAMEs associated with distributions. The status is returned in the CloudFront response; you can't configure it yourself.
For more information about ICP recordals, see Signup, Accounts, and Credentials in Getting Started with Amazon Web Services services in China.
", "refs": { "AliasICPRecordals$member": null } @@ -114,8 +116,8 @@ "AliasICPRecordals": { "base": null, "refs": { - "Distribution$AliasICPRecordals": "AWS services in China customers must file for an Internet Content Provider (ICP) recordal if they want to serve content publicly on an alternate domain name, also known as a CNAME, that they've added to CloudFront. AliasICPRecordal provides the ICP recordal status for CNAMEs associated with distributions.
For more information about ICP recordals, see Signup, Accounts, and Credentials in Getting Started with AWS services in China.
", - "DistributionSummary$AliasICPRecordals": "AWS services in China customers must file for an Internet Content Provider (ICP) recordal if they want to serve content publicly on an alternate domain name, also known as a CNAME, that they've added to CloudFront. AliasICPRecordal provides the ICP recordal status for CNAMEs associated with distributions.
For more information about ICP recordals, see Signup, Accounts, and Credentials in Getting Started with AWS services in China.
" + "Distribution$AliasICPRecordals": "Amazon Web Services services in China customers must file for an Internet Content Provider (ICP) recordal if they want to serve content publicly on an alternate domain name, also known as a CNAME, that they've added to CloudFront. AliasICPRecordal provides the ICP recordal status for CNAMEs associated with distributions.
For more information about ICP recordals, see Signup, Accounts, and Credentials in Getting Started with Amazon Web Services services in China.
", + "DistributionSummary$AliasICPRecordals": "Amazon Web Services services in China customers must file for an Internet Content Provider (ICP) recordal if they want to serve content publicly on an alternate domain name, also known as a CNAME, that they've added to CloudFront. AliasICPRecordal provides the ICP recordal status for CNAMEs associated with distributions.
For more information about ICP recordals, see Signup, Accounts, and Credentials in Getting Started with Amazon Web Services services in China.
" } }, "AliasList": { @@ -140,10 +142,15 @@ "DefaultCacheBehavior$AllowedMethods": null } }, + "AssociateAliasRequest": { + "base": null, + "refs": { + } + }, "AwsAccountNumberList": { "base": null, "refs": { - "TrustedSigners$Items": "A list of AWS account identifiers.
" + "TrustedSigners$Items": "A list of account identifiers.
" } }, "BatchTooLarge": { @@ -260,8 +267,8 @@ "CachePolicyType": { "base": null, "refs": { - "CachePolicySummary$Type": "The type of cache policy, either managed (created by AWS) or custom (created in this AWS account).
A filter to return only the specified kinds of cache policies. Valid values are:
managed – Returns only the managed policies created by AWS.
custom – Returns only the custom policies created in your AWS account.
The type of cache policy, either managed (created by Amazon Web Services) or custom (created in this account).
A filter to return only the specified kinds of cache policies. Valid values are:
managed – Returns only the managed policies created by Amazon Web Services.
custom – Returns only the custom policies created in your account.
A complex type that contains one CloudFrontOriginAccessIdentitySummary element for each origin access identity that was created by the current AWS account.
A complex type that contains one CloudFrontOriginAccessIdentitySummary element for each origin access identity that was created by the current account.
An optional comment to describe the distribution. The comment cannot be longer than 128 characters.
" } }, + "ConflictingAlias": { + "base": "An alias (also called a CNAME) and the CloudFront distribution and Amazon Web Services account ID that it’s associated with. The distribution and account IDs are partially hidden, which allows you to identify the distributions and accounts that you own, but helps to protect the information of ones that you don’t own.
", + "refs": { + "ConflictingAliases$member": null + } + }, + "ConflictingAliases": { + "base": null, + "refs": { + "ConflictingAliasesList$Items": "Contains the conflicting aliases in the list.
" + } + }, + "ConflictingAliasesList": { + "base": "A list of aliases (also called CNAMEs) and the CloudFront distributions and Amazon Web Services accounts that they are associated with. In the list, the distribution and account IDs are partially hidden, which allows you to identify the distributions and accounts that you own, but helps to protect the information of ones that you don’t own.
", + "refs": { + "ListConflictingAliasesResult$ConflictingAliasesList": "A list of conflicting aliases.
" + } + }, "ContentTypeProfile": { "base": "A field-level encryption content type profile.
", "refs": { @@ -367,7 +392,7 @@ "base": "Contains a list of cookie names.
", "refs": { "CachePolicyCookiesConfig$Cookies": null, - "CookiePreference$WhitelistedNames": "This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field.
If you want to include cookies in the cache key, use a cache policy. For more information, see Creating cache policies in the Amazon CloudFront Developer Guide.
If you want to send cookies to the origin but not include them in the cache key, use an origin request policy. For more information, see Creating origin request policies in the Amazon CloudFront Developer Guide.
Required if you specify whitelist for the value of Forward. A complex type that specifies how many different cookies you want CloudFront to forward to the origin for this cache behavior and, if you want to forward selected cookies, the names of those cookies.
If you specify all or none for the value of Forward, omit WhitelistedNames. If you change the value of Forward from whitelist to all or none and you don't delete the WhitelistedNames element and its child elements, CloudFront deletes them automatically.
For the current limit on the number of cookie names that you can whitelist for each cache behavior, see CloudFront Limits in the AWS General Reference.
", + "CookiePreference$WhitelistedNames": "This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field.
If you want to include cookies in the cache key, use a cache policy. For more information, see Creating cache policies in the Amazon CloudFront Developer Guide.
If you want to send cookies to the origin but not include them in the cache key, use an origin request policy. For more information, see Creating origin request policies in the Amazon CloudFront Developer Guide.
Required if you specify whitelist for the value of Forward. A complex type that specifies how many different cookies you want CloudFront to forward to the origin for this cache behavior and, if you want to forward selected cookies, the names of those cookies.
If you specify all or none for the value of Forward, omit WhitelistedNames. If you change the value of Forward from whitelist to all or none and you don't delete the WhitelistedNames element and its child elements, CloudFront deletes them automatically.
For the current limit on the number of cookie names that you can whitelist for each cache behavior, see CloudFront Limits in the Amazon Web Services General Reference.
", "OriginRequestPolicyCookiesConfig$Cookies": null } }, @@ -706,7 +731,7 @@ "DistributionSummaryList": { "base": null, "refs": { - "DistributionList$Items": "A complex type that contains one DistributionSummary element for each distribution that was created by the current AWS account.
A complex type that contains one DistributionSummary element for each distribution that was created by the current account.
The event type of the function, either viewer-request or viewer-response. You cannot use origin-facing event types (origin-request and origin-response) with a CloudFront function.
Specifies the event type that triggers a Lambda function invocation. You can specify the following values:
viewer-request: The function executes when CloudFront receives a request from a viewer and before it checks to see whether the requested object is in the edge cache.
origin-request: The function executes only when CloudFront sends a request to your origin. When the requested object is in the edge cache, the function doesn't execute.
origin-response: The function executes after CloudFront receives a response from the origin and before it caches the object in the response. When the requested object is in the edge cache, the function doesn't execute.
viewer-response: The function executes before CloudFront returns the requested object to the viewer. The function executes regardless of whether the object was already in the edge cache.
If the origin returns an HTTP status code other than HTTP 200 (OK), the function doesn't execute.
Specifies the event type that triggers a Lambda@Edge function invocation. You can specify the following values:
viewer-request: The function executes when CloudFront receives a request from a viewer and before it checks to see whether the requested object is in the edge cache.
origin-request: The function executes only when CloudFront sends a request to your origin. When the requested object is in the edge cache, the function doesn't execute.
origin-response: The function executes after CloudFront receives a response from the origin and before it caches the object in the response. When the requested object is in the edge cache, the function doesn't execute.
viewer-response: The function executes before CloudFront returns the requested object to the viewer. The function executes regardless of whether the object was already in the edge cache.
If the origin returns an HTTP status code other than HTTP 200 (OK), the function doesn't execute.
A function with the same name already exists in this AWS account. To create a function, you must provide a unique name. To update an existing function, use UpdateFunction.
A function with the same name already exists in this account. To create a function, you must provide a unique name. To update an existing function, use UpdateFunction.
The specified Lambda function association is invalid.
", + "base": "The specified Lambda@Edge function association is invalid.
", "refs": { } }, @@ -1392,7 +1417,7 @@ } }, "InvalidWebACLId": { - "base": "A web ACL ID specified is not valid. To specify a web ACL created using the latest version of AWS WAF, use the ACL ARN, for example arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a. To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example 473e64fd-f30b-4765-81a0-62ad96dd167a.
A web ACL ID specified is not valid. To specify a web ACL created using the latest version of WAF, use the ACL ARN, for example arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a. To specify a web ACL created using WAF Classic, use the ACL ID, for example 473e64fd-f30b-4765-81a0-62ad96dd167a.
A complex type that contains one InvalidationSummary element for each invalidation batch created by the current AWS account.
A complex type that contains one InvalidationSummary element for each invalidation batch created by the current account.
The ARN of the Lambda function. You must specify the ARN of a function version; you can't specify a Lambda alias or $LATEST.
" + "LambdaFunctionAssociation$LambdaFunctionARN": "The ARN of the Lambda@Edge function. You must specify the ARN of a function version; you can't specify an alias or $LATEST.
" } }, "LambdaFunctionAssociation": { - "base": "A complex type that contains a Lambda function association.
", + "base": "A complex type that contains a Lambda@Edge function association.
", "refs": { "LambdaFunctionAssociationList$member": null } @@ -1525,10 +1550,10 @@ } }, "LambdaFunctionAssociations": { - "base": "A complex type that specifies a list of Lambda functions associations for a cache behavior.
If you want to invoke one or more Lambda functions triggered by requests that match the PathPattern of the cache behavior, specify the applicable values for Quantity and Items. Note that there can be up to 4 LambdaFunctionAssociation items in this list (one for each possible value of EventType) and each EventType can be associated with the Lambda function only once.
If you don't want to invoke any Lambda functions for the requests that match PathPattern, specify 0 for Quantity and omit Items.
A complex type that specifies a list of Lambda@Edge functions associations for a cache behavior.
If you want to invoke one or more Lambda@Edge functions triggered by requests that match the PathPattern of the cache behavior, specify the applicable values for Quantity and Items. Note that there can be up to 4 LambdaFunctionAssociation items in this list (one for each possible value of EventType) and each EventType can be associated with only one function.
If you don't want to invoke any Lambda@Edge functions for the requests that match PathPattern, specify 0 for Quantity and omit Items.
A complex type that contains zero or more Lambda function associations for a cache behavior.
", - "DefaultCacheBehavior$LambdaFunctionAssociations": "A complex type that contains zero or more Lambda function associations for a cache behavior.
" + "CacheBehavior$LambdaFunctionAssociations": "A complex type that contains zero or more Lambda@Edge function associations for a cache behavior.
", + "DefaultCacheBehavior$LambdaFunctionAssociations": "A complex type that contains zero or more Lambda@Edge function associations for a cache behavior.
" } }, "ListCachePoliciesRequest": { @@ -1551,6 +1576,16 @@ "refs": { } }, + "ListConflictingAliasesRequest": { + "base": null, + "refs": { + } + }, + "ListConflictingAliasesResult": { + "base": null, + "refs": { + } + }, "ListDistributionsByCachePolicyIdRequest": { "base": null, "refs": { @@ -1592,12 +1627,12 @@ } }, "ListDistributionsByWebACLIdRequest": { - "base": "The request to list distributions that are associated with a specified AWS WAF web ACL.
", + "base": "The request to list distributions that are associated with a specified WAF web ACL.
", "refs": { } }, "ListDistributionsByWebACLIdResult": { - "base": "The response to a request to list the distributions that are associated with a specified AWS WAF web ACL.
", + "base": "The response to a request to list the distributions that are associated with a specified WAF web ACL.
", "refs": { } }, @@ -1739,7 +1774,7 @@ "MinimumProtocolVersion": { "base": null, "refs": { - "ViewerCertificate$MinimumProtocolVersion": "If the distribution uses Aliases (alternate domain names or CNAMEs), specify the security policy that you want CloudFront to use for HTTPS connections with viewers. The security policy determines two settings:
The minimum SSL/TLS protocol that CloudFront can use to communicate with viewers.
The ciphers that CloudFront can use to encrypt the content that it returns to viewers.
For more information, see Security Policy and Supported Protocols and Ciphers Between Viewers and CloudFront in the Amazon CloudFront Developer Guide.
On the CloudFront console, this setting is called Security Policy.
When you’re using SNI only (you set SSLSupportMethod to sni-only), you must specify TLSv1 or higher.
If the distribution uses the CloudFront domain name such as d111111abcdef8.cloudfront.net (you set CloudFrontDefaultCertificate to true), CloudFront automatically sets the security policy to TLSv1 regardless of the value that you set here.
If the distribution uses Aliases (alternate domain names or CNAMEs), specify the security policy that you want CloudFront to use for HTTPS connections with viewers. The security policy determines two settings:
The minimum SSL/TLS protocol that CloudFront can use to communicate with viewers.
The ciphers that CloudFront can use to encrypt the content that it returns to viewers.
For more information, see Security Policy and Supported Protocols and Ciphers Between Viewers and CloudFront in the Amazon CloudFront Developer Guide.
On the CloudFront console, this setting is called Security Policy.
When you’re using SNI only (you set SSLSupportMethod to sni-only), you must specify TLSv1 or higher.
If the distribution uses the CloudFront domain name such as d111111abcdef8.cloudfront.net (you set CloudFrontDefaultCertificate to true), CloudFront automatically sets the security policy to TLSv1 regardless of the value that you set here.
A filter to return only the specified kinds of origin request policies. Valid values are:
managed – Returns only the managed policies created by AWS.
custom – Returns only the custom policies created in your AWS account.
The type of origin request policy, either managed (created by AWS) or custom (created in this AWS account).
A filter to return only the specified kinds of origin request policies. Valid values are:
managed – Returns only the managed policies created by Amazon Web Services.
custom – Returns only the custom policies created in your account.
The type of origin request policy, either managed (created by Amazon Web Services) or custom (created in this account).
The AWS Region for Origin Shield.
Specify the AWS Region that has the lowest latency to your origin. To specify a region, use the region code, not the region name. For example, specify the US East (Ohio) region as us-east-2.
When you enable CloudFront Origin Shield, you must specify the AWS Region for Origin Shield. For the list of AWS Regions that you can specify, and for help choosing the best Region for your origin, see Choosing the AWS Region for Origin Shield in the Amazon CloudFront Developer Guide.
" + "OriginShield$OriginShieldRegion": "The Region for Origin Shield.
Specify the Region that has the lowest latency to your origin. To specify a region, use the region code, not the region name. For example, specify the US East (Ohio) region as us-east-2.
When you enable CloudFront Origin Shield, you must specify the Region for Origin Shield. For the list of Regions that you can specify, and for help choosing the best Region for your origin, see Choosing the Region for Origin Shield in the Amazon CloudFront Developer Guide.
" } }, "OriginSslProtocols": { @@ -2181,7 +2216,7 @@ } }, "RealtimeLogConfigOwnerMismatch": { - "base": "The specified real-time log configuration belongs to a different AWS account.
", + "base": "The specified real-time log configuration belongs to a different account.
", "refs": { } }, @@ -2239,11 +2274,11 @@ "SSLSupportMethod": { "base": null, "refs": { - "ViewerCertificate$SSLSupportMethod": "If the distribution uses Aliases (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.
sni-only – The distribution accepts HTTPS connections from only viewers that support server name indication (SNI). This is recommended. Most browsers and clients support SNI.
vip – The distribution accepts HTTPS connections from all viewers including those that don’t support SNI. This is not recommended, and results in additional monthly charges from CloudFront.
static-ip - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the AWS Support Center.
If the distribution uses the CloudFront domain name such as d111111abcdef8.cloudfront.net, don’t set a value for this field.
If the distribution uses Aliases (alternate domain names or CNAMEs), specify which viewers the distribution accepts HTTPS connections from.
sni-only – The distribution accepts HTTPS connections from only viewers that support server name indication (SNI). This is recommended. Most browsers and clients support SNI.
vip – The distribution accepts HTTPS connections from all viewers including those that don’t support SNI. This is not recommended, and results in additional monthly charges from CloudFront.
static-ip - Do not specify this value unless your distribution has been enabled for this feature by the CloudFront team. If you have a use case that requires static IP addresses for a distribution, contact CloudFront through the Amazon Web Services Support Center.
If the distribution uses the CloudFront domain name such as d111111abcdef8.cloudfront.net, don’t set a value for this field.
A list of AWS accounts and the active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs and signed cookies.
", + "base": "A list of accounts and the active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs and signed cookies.
", "refs": { "SignerList$member": null } @@ -2251,7 +2286,7 @@ "SignerList": { "base": null, "refs": { - "ActiveTrustedSigners$Items": "A list of AWS accounts and the identifiers of active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs and signed cookies.
" + "ActiveTrustedSigners$Items": "A list of accounts and the identifiers of active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs and signed cookies.
" } }, "SslProtocol": { @@ -2328,7 +2363,7 @@ "StreamingDistributionSummaryList": { "base": null, "refs": { - "StreamingDistributionList$Items": "A complex type that contains one StreamingDistributionSummary element for each distribution that was created by the current AWS account.
A complex type that contains one StreamingDistributionSummary element for each distribution that was created by the current account.
You have reached the maximum number of cache policies for this AWS account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.
", + "base": "You have reached the maximum number of cache policies for this account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.
", "refs": { } }, @@ -2480,12 +2515,12 @@ } }, "TooManyDistributionsWithLambdaAssociations": { - "base": "Processing your request would cause the maximum number of distributions with Lambda function associations per owner to be exceeded.
", + "base": "Processing your request would cause the maximum number of distributions with Lambda@Edge function associations per owner to be exceeded.
", "refs": { } }, "TooManyDistributionsWithSingleFunctionARN": { - "base": "The maximum number of distributions have been associated with the specified Lambda function.
", + "base": "The maximum number of distributions have been associated with the specified Lambda@Edge function.
", "refs": { } }, @@ -2525,7 +2560,7 @@ } }, "TooManyFunctions": { - "base": "You have reached the maximum number of CloudFront functions for this AWS account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.
", + "base": "You have reached the maximum number of CloudFront functions for this account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.
", "refs": { } }, @@ -2550,7 +2585,7 @@ } }, "TooManyKeyGroups": { - "base": "You have reached the maximum number of key groups for this AWS account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.
", + "base": "You have reached the maximum number of key groups for this account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.
", "refs": { } }, @@ -2560,7 +2595,7 @@ } }, "TooManyLambdaFunctionAssociations": { - "base": "Your request contains more Lambda function associations than are allowed per distribution.
", + "base": "Your request contains more Lambda@Edge function associations than are allowed per distribution.
", "refs": { } }, @@ -2575,7 +2610,7 @@ } }, "TooManyOriginRequestPolicies": { - "base": "You have reached the maximum number of origin request policies for this AWS account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.
", + "base": "You have reached the maximum number of origin request policies for this account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.
", "refs": { } }, @@ -2610,7 +2645,7 @@ } }, "TooManyRealtimeLogConfigs": { - "base": "You have reached the maximum number of real-time log configurations for this AWS account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.
", + "base": "You have reached the maximum number of real-time log configurations for this account. For more information, see Quotas (formerly known as limits) in the Amazon CloudFront Developer Guide.
", "refs": { } }, @@ -2653,12 +2688,12 @@ } }, "TrustedSigners": { - "base": "A list of AWS accounts whose public keys CloudFront can use to verify the signatures of signed URLs and signed cookies.
", + "base": "A list of accounts whose public keys CloudFront can use to verify the signatures of signed URLs and signed cookies.
", "refs": { - "CacheBehavior$TrustedSigners": "We recommend using TrustedKeyGroups instead of TrustedSigners.
A list of AWS account IDs whose public keys CloudFront can use to validate signed URLs or signed cookies.
When a cache behavior contains trusted signers, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior. The URLs or cookies must be signed with the private key of a CloudFront key pair in the trusted signer’s AWS account. The signed URL or cookie contains information about which public key CloudFront should use to verify the signature. For more information, see Serving private content in the Amazon CloudFront Developer Guide.
", - "DefaultCacheBehavior$TrustedSigners": "We recommend using TrustedKeyGroups instead of TrustedSigners.
A list of AWS account IDs whose public keys CloudFront can use to validate signed URLs or signed cookies.
When a cache behavior contains trusted signers, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior. The URLs or cookies must be signed with the private key of a CloudFront key pair in a trusted signer’s AWS account. The signed URL or cookie contains information about which public key CloudFront should use to verify the signature. For more information, see Serving private content in the Amazon CloudFront Developer Guide.
", - "StreamingDistributionConfig$TrustedSigners": "A complex type that specifies any AWS accounts that you want to permit to create signed URLs for private content. If you want the distribution to use signed URLs, include this element; if you want the distribution to use public URLs, remove this element. For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.
", - "StreamingDistributionSummary$TrustedSigners": "A complex type that specifies the AWS accounts, if any, that you want to allow to create signed URLs for private content. If you want to require signed URLs in requests for objects in the target origin that match the PathPattern for this cache behavior, specify true for Enabled, and specify the applicable values for Quantity and Items.If you don't want to require signed URLs in requests for objects that match PathPattern, specify false for Enabled and 0 for Quantity. Omit Items. To add, change, or remove one or more trusted signers, change Enabled to true (if it's currently false), change Quantity as applicable, and specify all of the trusted signers that you want to include in the updated distribution.
For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.
" + "CacheBehavior$TrustedSigners": "We recommend using TrustedKeyGroups instead of TrustedSigners.
A list of account IDs whose public keys CloudFront can use to validate signed URLs or signed cookies.
When a cache behavior contains trusted signers, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior. The URLs or cookies must be signed with the private key of a CloudFront key pair in the trusted signer’s account. The signed URL or cookie contains information about which public key CloudFront should use to verify the signature. For more information, see Serving private content in the Amazon CloudFront Developer Guide.
", + "DefaultCacheBehavior$TrustedSigners": "We recommend using TrustedKeyGroups instead of TrustedSigners.
A list of account IDs whose public keys CloudFront can use to validate signed URLs or signed cookies.
When a cache behavior contains trusted signers, CloudFront requires signed URLs or signed cookies for all requests that match the cache behavior. The URLs or cookies must be signed with the private key of a CloudFront key pair in a trusted signer’s account. The signed URL or cookie contains information about which public key CloudFront should use to verify the signature. For more information, see Serving private content in the Amazon CloudFront Developer Guide.
", + "StreamingDistributionConfig$TrustedSigners": "A complex type that specifies any accounts that you want to permit to create signed URLs for private content. If you want the distribution to use signed URLs, include this element; if you want the distribution to use public URLs, remove this element. For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.
", + "StreamingDistributionSummary$TrustedSigners": "A complex type that specifies the accounts, if any, that you want to allow to create signed URLs for private content. If you want to require signed URLs in requests for objects in the target origin that match the PathPattern for this cache behavior, specify true for Enabled, and specify the applicable values for Quantity and Items.If you don't want to require signed URLs in requests for objects that match PathPattern, specify false for Enabled and 0 for Quantity. Omit Items. To add, change, or remove one or more trusted signers, change Enabled to true (if it's currently false), change Quantity as applicable, and specify all of the trusted signers that you want to include in the updated distribution.
For more information, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.
" } }, "UnsupportedOperation": { @@ -2782,7 +2817,7 @@ } }, "ViewerCertificate": { - "base": "A complex type that determines the distribution’s SSL/TLS configuration for communicating with viewers.
If the distribution doesn’t use Aliases (also known as alternate domain names or CNAMEs)—that is, if the distribution uses the CloudFront domain name such as d111111abcdef8.cloudfront.net—set CloudFrontDefaultCertificate to true and leave all other fields empty.
If the distribution uses Aliases (alternate domain names or CNAMEs), use the fields in this type to specify the following settings:
Which viewers the distribution accepts HTTPS connections from: only viewers that support server name indication (SNI) (recommended), or all viewers including those that don’t support SNI.
To accept HTTPS connections from only viewers that support SNI, set SSLSupportMethod to sni-only. This is recommended. Most browsers and clients support SNI.
To accept HTTPS connections from all viewers, including those that don’t support SNI, set SSLSupportMethod to vip. This is not recommended, and results in additional monthly charges from CloudFront.
The minimum SSL/TLS protocol version that the distribution can use to communicate with viewers. To specify a minimum version, choose a value for MinimumProtocolVersion. For more information, see Security Policy in the Amazon CloudFront Developer Guide.
The location of the SSL/TLS certificate, AWS Certificate Manager (ACM) (recommended) or AWS Identity and Access Management (AWS IAM). You specify the location by setting a value in one of the following fields (not both):
ACMCertificateArn
IAMCertificateId
All distributions support HTTPS connections from viewers. To require viewers to use HTTPS only, or to redirect them from HTTP to HTTPS, use ViewerProtocolPolicy in the CacheBehavior or DefaultCacheBehavior. To specify how CloudFront should use SSL/TLS to communicate with your custom origin, use CustomOriginConfig.
For more information, see Using HTTPS with CloudFront and Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
", + "base": "A complex type that determines the distribution’s SSL/TLS configuration for communicating with viewers.
If the distribution doesn’t use Aliases (also known as alternate domain names or CNAMEs)—that is, if the distribution uses the CloudFront domain name such as d111111abcdef8.cloudfront.net—set CloudFrontDefaultCertificate to true and leave all other fields empty.
If the distribution uses Aliases (alternate domain names or CNAMEs), use the fields in this type to specify the following settings:
Which viewers the distribution accepts HTTPS connections from: only viewers that support server name indication (SNI) (recommended), or all viewers including those that don’t support SNI.
To accept HTTPS connections from only viewers that support SNI, set SSLSupportMethod to sni-only. This is recommended. Most browsers and clients support SNI.
To accept HTTPS connections from all viewers, including those that don’t support SNI, set SSLSupportMethod to vip. This is not recommended, and results in additional monthly charges from CloudFront.
The minimum SSL/TLS protocol version that the distribution can use to communicate with viewers. To specify a minimum version, choose a value for MinimumProtocolVersion. For more information, see Security Policy in the Amazon CloudFront Developer Guide.
The location of the SSL/TLS certificate, Certificate Manager (ACM) (recommended) or Identity and Access Management (IAM). You specify the location by setting a value in one of the following fields (not both):
ACMCertificateArn
IAMCertificateId
All distributions support HTTPS connections from viewers. To require viewers to use HTTPS only, or to redirect them from HTTP to HTTPS, use ViewerProtocolPolicy in the CacheBehavior or DefaultCacheBehavior. To specify how CloudFront should use SSL/TLS to communicate with your custom origin, use CustomOriginConfig.
For more information, see Using HTTPS with CloudFront and Using Alternate Domain Names and HTTPS in the Amazon CloudFront Developer Guide.
", "refs": { "DistributionConfig$ViewerCertificate": "A complex type that determines the distribution’s SSL/TLS configuration for communicating with viewers.
", "DistributionSummary$ViewerCertificate": "A complex type that determines the distribution’s SSL/TLS configuration for communicating with viewers.
" @@ -2795,11 +2830,17 @@ "DefaultCacheBehavior$ViewerProtocolPolicy": "The protocol that viewers can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. You can specify the following options:
allow-all: Viewers can use HTTP or HTTPS.
redirect-to-https: If a viewer submits an HTTP request, CloudFront returns an HTTP status code of 301 (Moved Permanently) to the viewer along with the HTTPS URL. The viewer then resubmits the request using the new URL.
https-only: If a viewer sends an HTTP request, CloudFront returns an HTTP status code of 403 (Forbidden).
For more information about requiring the HTTPS protocol, see Requiring HTTPS Between Viewers and CloudFront in the Amazon CloudFront Developer Guide.
The only way to guarantee that viewers retrieve an object that was fetched from the origin using HTTPS is never to use any other protocol to fetch the object. If you have recently changed from HTTP to HTTPS, we recommend that you clear your objects’ cache because cached objects are protocol agnostic. That means that an edge location will return an object from the cache regardless of whether the current request protocol matches the protocol used previously. For more information, see Managing Cache Expiration in the Amazon CloudFront Developer Guide.
The alias (also called a CNAME) to search for conflicting aliases.
" + } + }, "boolean": { "base": null, "refs": { "ActiveTrustedKeyGroups$Enabled": "This field is true if any of the key groups have public keys that CloudFront can use to verify the signatures of signed URLs and signed cookies. If not, this field is false.
This field is true if any of the AWS accounts in the list have active CloudFront key pairs that CloudFront can use to verify the signatures of signed URLs and signed cookies. If not, this field is false.
This field is true if any of the accounts in the list have active CloudFront key pairs that CloudFront can use to verify the signatures of signed URLs and signed cookies. If not, this field is false.
Indicates whether you want to distribute media files in the Microsoft Smooth Streaming format using the origin that is associated with this cache behavior. If so, specify true; if not, specify false. If you specify true for SmoothStreaming, you can still distribute other content using this cache behavior if the content matches the value of PathPattern.
Whether you want CloudFront to automatically compress certain files for this cache behavior. If so, specify true; if not, specify false. For more information, see Serving Compressed Files in the Amazon CloudFront Developer Guide.
", "CloudFrontOriginAccessIdentityList$IsTruncated": "A flag that indicates whether more origin access identities remain to be listed. If your results were truncated, you can make a follow-up pagination request using the Marker request parameter to retrieve more items in the list.
Indicates whether you want to distribute media files in the Microsoft Smooth Streaming format using the origin that is associated with this cache behavior. If so, specify true; if not, specify false. If you specify true for SmoothStreaming, you can still distribute other content using this cache behavior if the content matches the value of PathPattern.
Whether you want CloudFront to automatically compress certain files for this cache behavior. If so, specify true; if not, specify false. For more information, see Serving Compressed Files in the Amazon CloudFront Developer Guide.
From this field, you can enable or disable the selected distribution.
", - "DistributionConfig$IsIPV6Enabled": "If you want CloudFront to respond to IPv6 DNS requests with an IPv6 address for your distribution, specify true. If you specify false, CloudFront responds to IPv6 DNS requests with the DNS response code NOERROR and with no IP addresses. This allows viewers to submit a second request, for an IPv4 address for your distribution.
In general, you should enable IPv6 if you have users on IPv6 networks who want to access your content. However, if you're using signed URLs or signed cookies to restrict access to your content, and if you're using a custom policy that includes the IpAddress parameter to restrict the IP addresses that can access your content, don't enable IPv6. If you want to restrict access to some content by IP address and not restrict access to other content (or restrict access but not by IP address), you can create two distributions. For more information, see Creating a Signed URL Using a Custom Policy in the Amazon CloudFront Developer Guide.
If you're using an Amazon Route 53 alias resource record set to route traffic to your CloudFront distribution, you need to create a second alias resource record set when both of the following are true:
You enable IPv6 for the distribution
You're using alternate domain names in the URLs for your objects
For more information, see Routing Traffic to an Amazon CloudFront Web Distribution by Using Your Domain Name in the Amazon Route 53 Developer Guide.
If you created a CNAME resource record set, either with Amazon Route 53 or with another DNS service, you don't need to make any changes. A CNAME record will route traffic to your distribution regardless of the IP address format of the viewer request.
", + "DistributionConfig$IsIPV6Enabled": "If you want CloudFront to respond to IPv6 DNS requests with an IPv6 address for your distribution, specify true. If you specify false, CloudFront responds to IPv6 DNS requests with the DNS response code NOERROR and with no IP addresses. This allows viewers to submit a second request, for an IPv4 address for your distribution.
In general, you should enable IPv6 if you have users on IPv6 networks who want to access your content. However, if you're using signed URLs or signed cookies to restrict access to your content, and if you're using a custom policy that includes the IpAddress parameter to restrict the IP addresses that can access your content, don't enable IPv6. If you want to restrict access to some content by IP address and not restrict access to other content (or restrict access but not by IP address), you can create two distributions. For more information, see Creating a Signed URL Using a Custom Policy in the Amazon CloudFront Developer Guide.
If you're using an Route 53 Amazon Web Services Integration alias resource record set to route traffic to your CloudFront distribution, you need to create a second alias resource record set when both of the following are true:
You enable IPv6 for the distribution
You're using alternate domain names in the URLs for your objects
For more information, see Routing Traffic to an Amazon CloudFront Web Distribution by Using Your Domain Name in the Route 53 Amazon Web Services Integration Developer Guide.
If you created a CNAME resource record set, either with Route 53 Amazon Web Services Integration or with another DNS service, you don't need to make any changes. A CNAME record will route traffic to your distribution regardless of the IP address format of the viewer request.
", "DistributionIdList$IsTruncated": "A flag that indicates whether more distribution IDs remain to be listed. If your results were truncated, you can make a subsequent request using the Marker request field to retrieve more distribution IDs in the list.
A flag that indicates whether more distributions remain to be listed. If your results were truncated, you can make a follow-up pagination request using the Marker request parameter to retrieve more distributions in the list.
Whether the distribution is enabled to accept user requests for content.
", "DistributionSummary$IsIPV6Enabled": "Whether CloudFront responds to IPv6 DNS requests with an IPv6 address for your distribution.
", "ForwardedValues$QueryString": "This field is deprecated. We recommend that you use a cache policy or an origin request policy instead of this field.
If you want to include query strings in the cache key, use a cache policy. For more information, see Creating cache policies in the Amazon CloudFront Developer Guide.
If you want to send query strings to the origin but not include them in the cache key, use an origin request policy. For more information, see Creating origin request policies in the Amazon CloudFront Developer Guide.
Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior and cache based on the query string parameters. CloudFront behavior depends on the value of QueryString and on the values that you specify for QueryStringCacheKeys, if any:
If you specify true for QueryString and you don't specify any values for QueryStringCacheKeys, CloudFront forwards all query string parameters to the origin and caches based on all query string parameters. Depending on how many query string parameters and values you have, this can adversely affect performance because CloudFront must forward more requests to the origin.
If you specify true for QueryString and you specify one or more values for QueryStringCacheKeys, CloudFront forwards all query string parameters to the origin, but it only caches based on the query string parameters that you specify.
If you specify false for QueryString, CloudFront doesn't forward any query string parameters to the origin, and doesn't cache based on query string parameters.
For more information, see Configuring CloudFront to Cache Based on Query String Parameters in the Amazon CloudFront Developer Guide.
", "InvalidationList$IsTruncated": "A flag that indicates whether more invalidation batch requests remain to be listed. If your results were truncated, you can make a follow-up pagination request using the Marker request parameter to retrieve more invalidation batches in the list.
A flag that allows a Lambda function to have read access to the body content. For more information, see Accessing the Request Body by Choosing the Include Body Option in the Amazon CloudFront Developer Guide.
", + "LambdaFunctionAssociation$IncludeBody": "A flag that allows a Lambda@Edge function to have read access to the body content. For more information, see Accessing the Request Body by Choosing the Include Body Option in the Amazon CloudFront Developer Guide.
", "LoggingConfig$Enabled": "Specifies whether you want CloudFront to save access logs to an Amazon S3 bucket. If you don't want to enable logging when you create a distribution or if you want to disable logging for an existing distribution, specify false for Enabled, and specify empty Bucket and Prefix elements. If you specify false for Enabled but you specify values for Bucket, prefix, and IncludeCookies, the values are automatically deleted.
Specifies whether you want CloudFront to include cookies in access logs, specify true for IncludeCookies. If you choose to include cookies in logs, CloudFront logs all cookies regardless of how you configure the cache behaviors for this distribution. If you don't want to include cookies when you create a distribution or if you want to disable include cookies for an existing distribution, specify false for IncludeCookies.
A flag that specifies whether Origin Shield is enabled.
When it’s enabled, CloudFront routes all requests through Origin Shield, which can help protect your origin. When it’s disabled, CloudFront might send requests directly to your origin from multiple edge locations or regional edge caches.
", @@ -2827,15 +2868,21 @@ "StreamingDistributionSummary$Enabled": "Whether the distribution is enabled to accept end user requests for content.
", "StreamingLoggingConfig$Enabled": "Specifies whether you want CloudFront to save access logs to an Amazon S3 bucket. If you don't want to enable logging when you create a streaming distribution or if you want to disable logging for an existing streaming distribution, specify false for Enabled, and specify empty Bucket and Prefix elements. If you specify false for Enabled but you specify values for Bucket and Prefix, the values are automatically deleted.
This field is true if any of the key groups in the list have public keys that CloudFront can use to verify the signatures of signed URLs and signed cookies. If not, this field is false.
This field is true if any of the AWS accounts have public keys that CloudFront can use to verify the signatures of signed URLs and signed cookies. If not, this field is false.
This field is true if any of the accounts have public keys that CloudFront can use to verify the signatures of signed URLs and signed cookies. If not, this field is false.
If the distribution uses the CloudFront domain name such as d111111abcdef8.cloudfront.net, set this field to true.
If the distribution uses Aliases (alternate domain names or CNAMEs), set this field to false and specify values for the following fields:
ACMCertificateArn or IAMCertificateId (specify a value for one, not both)
MinimumProtocolVersion
SSLSupportMethod
The ID of a distribution in your account that has an attached SSL/TLS certificate that includes the provided alias.
" + } + }, "integer": { "base": null, "refs": { "ActiveTrustedKeyGroups$Quantity": "The number of key groups in the list.
", - "ActiveTrustedSigners$Quantity": "The number of AWS accounts in the list.
", + "ActiveTrustedSigners$Quantity": "The number of accounts in the list.
", "Aliases$Quantity": "The number of CNAME aliases, if any, that you want to associate with this distribution.
", "AllowedMethods$Quantity": "The number of HTTP methods that you want CloudFront to forward to your origin. Valid values are 2 (for GET and HEAD requests), 3 (for GET, HEAD, and OPTIONS requests) and 7 (for GET, HEAD, OPTIONS, PUT, PATCH, POST, and DELETE requests).
The number of cache behaviors for this distribution.
", @@ -2843,7 +2890,9 @@ "CachePolicyList$Quantity": "The total number of cache policies returned in the response.
", "CachedMethods$Quantity": "The number of HTTP methods for which you want CloudFront to cache responses. Valid values are 2 (for caching responses to GET and HEAD requests) and 3 (for caching responses to GET, HEAD, and OPTIONS requests).
The maximum number of origin access identities you want in the response body.
", - "CloudFrontOriginAccessIdentityList$Quantity": "The number of CloudFront origin access identities that were created by the current AWS account.
", + "CloudFrontOriginAccessIdentityList$Quantity": "The number of CloudFront origin access identities that were created by the current account.
", + "ConflictingAliasesList$MaxItems": "The maximum number of conflicting aliases requested.
", + "ConflictingAliasesList$Quantity": "The number of conflicting aliases returned in the response.
", "ContentTypeProfiles$Quantity": "The number of field-level encryption content type-profile mappings.
", "CookieNames$Quantity": "The number of cookie names in the Items list.
The HTTP status code for which you want to specify a custom error page and/or a caching duration.
", @@ -2857,7 +2906,7 @@ "DistributionIdList$MaxItems": "The maximum number of distribution IDs requested.
", "DistributionIdList$Quantity": "The total number of distribution IDs returned in the response.
", "DistributionList$MaxItems": "The value you provided for the MaxItems request parameter.
The number of distributions that were created by the current AWS account.
", + "DistributionList$Quantity": "The number of distributions that were created by the current account.
", "EncryptionEntities$Quantity": "Number of field pattern items in a field-level encryption content type-profile mapping.
", "FieldLevelEncryptionList$MaxItems": "The maximum number of elements you want in the response body.
", "FieldLevelEncryptionList$Quantity": "The number of field-level encryption items.
", @@ -2870,11 +2919,11 @@ "GeoRestriction$Quantity": "When geo restriction is enabled, this is the number of countries in your whitelist or blacklist. Otherwise, when it is not enabled, Quantity is 0, and you can omit Items.
The number of header names in the Items list.
The value that you provided for the MaxItems request parameter.
The number of invalidation batches that were created by the current AWS account.
", + "InvalidationList$Quantity": "The number of invalidation batches that were created by the current account.
", "KeyGroupList$MaxItems": "The maximum number of key groups requested.
", "KeyGroupList$Quantity": "The number of key groups returned in the response.
", "KeyPairIds$Quantity": "The number of key pair identifiers in the list.
", - "LambdaFunctionAssociations$Quantity": "The number of Lambda function associations for this cache behavior.
", + "LambdaFunctionAssociations$Quantity": "The number of Lambda@Edge function associations for this cache behavior.
", "Origin$ConnectionAttempts": "The number of times that CloudFront attempts to connect to the origin. The minimum number is 1, the maximum is 3, and the default (if you don’t specify otherwise) is 3.
For a custom origin (including an Amazon S3 bucket that’s configured with static website hosting), this value also specifies the number of times that CloudFront attempts to get a response from the origin, in the case of an Origin Response Timeout.
For more information, see Origin Connection Attempts in the Amazon CloudFront Developer Guide.
", "Origin$ConnectionTimeout": "The number of seconds that CloudFront waits when trying to establish a connection to the origin. The minimum timeout is 1 second, the maximum is 10 seconds, and the default (if you don’t specify otherwise) is 10 seconds.
For more information, see Origin Connection Timeout in the Amazon CloudFront Developer Guide.
", "OriginGroupMembers$Quantity": "The number of origins in an origin group.
", @@ -2893,9 +2942,15 @@ "StatusCodeList$member": null, "StatusCodes$Quantity": "The number of status codes.
", "StreamingDistributionList$MaxItems": "The value you provided for the MaxItems request parameter.
The number of streaming distributions that were created by the current AWS account.
", + "StreamingDistributionList$Quantity": "The number of streaming distributions that were created by the current account.
", "TrustedKeyGroups$Quantity": "The number of key groups in the list.
", - "TrustedSigners$Quantity": "The number of AWS accounts in the list.
" + "TrustedSigners$Quantity": "The number of accounts in the list.
" + } + }, + "listConflictingAliasesMaxItemsInteger": { + "base": null, + "refs": { + "ListConflictingAliasesRequest$MaxItems": "The maximum number of conflicting aliases that you want in the response.
" } }, "long": { @@ -2922,6 +2977,8 @@ "AccessDenied$Message": null, "AliasICPRecordal$CNAME": "A domain name associated with a distribution.
", "AliasList$member": null, + "AssociateAliasRequest$TargetDistributionId": "The ID of the distribution that you’re associating the alias with.
", + "AssociateAliasRequest$Alias": "The alias (also known as a CNAME) to add to the target distribution.
", "AwsAccountNumberList$member": null, "BatchTooLarge$Message": null, "CNAMEAlreadyExists$Message": null, @@ -2949,6 +3006,10 @@ "CloudFrontOriginAccessIdentitySummary$Id": "The ID for the origin access identity. For example: E74FTE3AJFJ256A.
The Amazon S3 canonical user ID for the origin access identity, which you use when giving the origin access identity read permission to an object in Amazon S3.
", "CloudFrontOriginAccessIdentitySummary$Comment": "The comment for this origin access identity, as originally specified when created.
", + "ConflictingAlias$Alias": "An alias (also called a CNAME).
", + "ConflictingAlias$DistributionId": "The (partially hidden) ID of the CloudFront distribution associated with the alias.
", + "ConflictingAlias$AccountId": "The (partially hidden) ID of the Amazon Web Services account that owns the distribution that’s associated with the alias.
", + "ConflictingAliasesList$NextMarker": "If there are more items in the list than are in this response, this element is present. It contains the value that you should use in the Marker field of a subsequent request to continue listing conflicting aliases where you left off.
The profile ID for a field-level encryption content type-profile mapping.
", "ContentTypeProfile$ContentType": "The content type for a field-level encryption content type-profile mapping.
", "CookieNameList$member": null, @@ -3013,13 +3074,13 @@ "DescribeFunctionRequest$Name": "The name of the function that you are getting information about.
", "DescribeFunctionResult$ETag": "The version identifier for the current version of the CloudFront function.
", "Distribution$Id": "The identifier for the distribution. For example: EDFDVBD632BHDS5.
The ARN (Amazon Resource Name) for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your AWS account ID.
The ARN (Amazon Resource Name) for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your account ID.
This response element indicates the current status of the distribution. When the status is Deployed, the distribution's information is fully propagated to all CloudFront edge locations.
The domain name corresponding to the distribution, for example, d111111abcdef8.cloudfront.net.
A unique value (for example, a date-time stamp) that ensures that the request can't be replayed.
If the value of CallerReference is new (regardless of the content of the DistributionConfig object), CloudFront creates a new distribution.
If CallerReference is a value that you already sent in a previous request to create a distribution, CloudFront returns a DistributionAlreadyExists error.
The object that you want CloudFront to request from your origin (for example, index.html) when a viewer requests the root URL for your distribution (http://www.example.com) instead of an object in your distribution (http://www.example.com/product-description.html). Specifying a default root object avoids exposing the contents of your distribution.
Specify only the object name, for example, index.html. Don't add a / before the object name.
If you don't want to specify a default root object when you create a distribution, include an empty DefaultRootObject element.
To delete the default root object from an existing distribution, update the distribution configuration and include an empty DefaultRootObject element.
To replace the default root object, update the distribution configuration and specify the new object.
For more information about the default root object, see Creating a Default Root Object in the Amazon CloudFront Developer Guide.
", - "DistributionConfig$WebACLId": "A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution. To specify a web ACL created using the latest version of AWS WAF, use the ACL ARN, for example arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a. To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example 473e64fd-f30b-4765-81a0-62ad96dd167a.
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, and lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked. For more information about AWS WAF, see the AWS WAF Developer Guide.
", + "DistributionConfig$WebACLId": "A unique identifier that specifies the WAF web ACL, if any, to associate with this distribution. To specify a web ACL created using the latest version of WAF, use the ACL ARN, for example arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a. To specify a web ACL created using WAF Classic, use the ACL ID, for example 473e64fd-f30b-4765-81a0-62ad96dd167a.
WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, and lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked. For more information about WAF, see the WAF Developer Guide.
", "DistributionIdList$Marker": "The value provided in the Marker request field.
Contains the value that you should use in the Marker field of a subsequent request to continue listing distribution IDs where you left off.
If IsTruncated is true, this element is present and contains the value you can use for the Marker request parameter to continue listing your distributions where they left off.
The identifier for the distribution. For example: EDFDVBD632BHDS5.
The ARN (Amazon Resource Name) for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your AWS account ID.
The ARN (Amazon Resource Name) for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your account ID.
The current status of the distribution. When the status is Deployed, the distribution's information is propagated to all CloudFront edge locations.
The domain name that corresponds to the distribution, for example, d111111abcdef8.cloudfront.net.
The comment originally specified when this distribution was created.
", @@ -3151,12 +3212,13 @@ "KeyGroupConfig$Comment": "A comment to describe the key group. The comment cannot be longer than 128 characters.
", "KeyGroupList$NextMarker": "If there are more items in the list than are in this response, this element is present. It contains the value that you should use in the Marker field of a subsequent request to continue listing key groups.
The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) role that CloudFront can use to send real-time log data to your Kinesis data stream.
For more information the IAM role, see Real-time log configuration IAM role in the Amazon CloudFront Developer Guide.
", + "KinesisStreamConfig$RoleARN": "The Amazon Resource Name (ARN) of an Identity and Access Management (IAM) role that CloudFront can use to send real-time log data to your Kinesis data stream.
For more information the IAM role, see Real-time log configuration IAM role in the Amazon CloudFront Developer Guide.
", "KinesisStreamConfig$StreamARN": "The Amazon Resource Name (ARN) of the Kinesis data stream where you are sending real-time log data.
", "ListCachePoliciesRequest$Marker": "Use this field when paginating results to indicate where to begin in your list of cache policies. The response includes cache policies in the list that occur after the marker. To get the next page of the list, set this field’s value to the value of NextMarker from the current page’s response.
The maximum number of cache policies that you want in the response.
", "ListCloudFrontOriginAccessIdentitiesRequest$Marker": "Use this when paginating results to indicate where to begin in your list of origin access identities. The results include identities in the list that occur after the marker. To get the next page of results, set the Marker to the value of the NextMarker from the current page's response (which is also the ID of the last identity on that page).
The maximum number of origin access identities you want in the response body.
", + "ListConflictingAliasesRequest$Marker": "Use this field when paginating results to indicate where to begin in the list of conflicting aliases. The response includes conflicting aliases in the list that occur after the marker. To get the next page of the list, set this field’s value to the value of NextMarker from the current page’s response.
Use this field when paginating results to indicate where to begin in your list of distribution IDs. The response includes distribution IDs in the list that occur after the marker. To get the next page of the list, set this field’s value to the value of NextMarker from the current page’s response.
The maximum number of distribution IDs that you want in the response.
", "ListDistributionsByCachePolicyIdRequest$CachePolicyId": "The ID of the cache policy whose associated distribution IDs you want to list.
", @@ -3172,7 +3234,7 @@ "ListDistributionsByRealtimeLogConfigRequest$RealtimeLogConfigArn": "The Amazon Resource Name (ARN) of the real-time log configuration whose associated distributions you want to list.
", "ListDistributionsByWebACLIdRequest$Marker": "Use Marker and MaxItems to control pagination of results. If you have more than MaxItems distributions that satisfy the request, the response includes a NextMarker element. To get the next page of results, submit another request. For the value of Marker, specify the value of NextMarker from the last response. (For the first request, omit Marker.)
The maximum number of distributions that you want CloudFront to return in the response body. The maximum and default values are both 100.
", - "ListDistributionsByWebACLIdRequest$WebACLId": "The ID of the AWS WAF web ACL that you want to list the associated distributions. If you specify \"null\" for the ID, the request returns a list of the distributions that aren't associated with a web ACL.
", + "ListDistributionsByWebACLIdRequest$WebACLId": "The ID of the WAF web ACL that you want to list the associated distributions. If you specify \"null\" for the ID, the request returns a list of the distributions that aren't associated with a web ACL.
", "ListDistributionsRequest$Marker": "Use this when paginating results to indicate where to begin in your list of distributions. The results include distributions in the list that occur after the marker. To get the next page of results, set the Marker to the value of the NextMarker from the current page's response (which is also the ID of the last distribution on that page).
The maximum number of distributions you want in the response body.
", "ListFieldLevelEncryptionConfigsRequest$Marker": "Use this when paginating results to indicate where to begin in your list of configurations. The results include configurations in the list that occur after the marker. To get the next page of results, set the Marker to the value of the NextMarker from the current page's response (which is also the ID of the last configuration on that page).
The DNS name of the Amazon S3 origin.
", "S3Origin$OriginAccessIdentity": "The CloudFront origin access identity to associate with the distribution. Use an origin access identity to configure the distribution so that end users can only access objects in an Amazon S3 bucket through CloudFront.
If you want end users to be able to access objects using either the CloudFront URL or the Amazon S3 URL, specify an empty OriginAccessIdentity element.
To delete the origin access identity from an existing distribution, update the distribution configuration and include an empty OriginAccessIdentity element.
To replace the origin access identity, update the distribution configuration and specify the new origin access identity.
For more information, see Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content in the Amazon CloudFront Developer Guide.
", "S3OriginConfig$OriginAccessIdentity": "The CloudFront origin access identity to associate with the origin. Use an origin access identity to configure the origin so that viewers can only access objects in an Amazon S3 bucket through CloudFront. The format of the value is:
origin-access-identity/cloudfront/ID-of-origin-access-identity
where ID-of-origin-access-identity is the value that CloudFront returned in the ID element when you created the origin access identity.
If you want viewers to be able to access objects using either the CloudFront URL or the Amazon S3 URL, specify an empty OriginAccessIdentity element.
To delete the origin access identity from an existing distribution, update the distribution configuration and include an empty OriginAccessIdentity element.
To replace the origin access identity, update the distribution configuration and specify the new origin access identity.
For more information about the origin access identity, see Serving Private Content through CloudFront in the Amazon CloudFront Developer Guide.
", - "Signer$AwsAccountNumber": "An AWS account number that contains active CloudFront key pairs that CloudFront can use to verify the signatures of signed URLs and signed cookies. If the AWS account that owns the key pairs is the same account that owns the CloudFront distribution, the value of this field is self.
An account number that contains active CloudFront key pairs that CloudFront can use to verify the signatures of signed URLs and signed cookies. If the account that owns the key pairs is the same account that owns the CloudFront distribution, the value of this field is self.
The identifier for the RTMP distribution. For example: EGTXBD79EXAMPLE.
The ARN (Amazon Resource Name) for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your AWS account ID.
The ARN (Amazon Resource Name) for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your account ID.
The current status of the RTMP distribution. When the status is Deployed, the distribution's information is propagated to all CloudFront edge locations.
The domain name that corresponds to the streaming distribution, for example, s5c39gqb8ow64r.cloudfront.net.
If IsTruncated is true, this element is present and contains the value you can use for the Marker request parameter to continue listing your RTMP distributions where they left off.
The identifier for the distribution, for example, EDFDVBD632BHDS5.
The ARN (Amazon Resource Name) for the streaming distribution. For example: arn:aws:cloudfront::123456789012:streaming-distribution/EDFDVBD632BHDS5, where 123456789012 is your AWS account ID.
The ARN (Amazon Resource Name) for the streaming distribution. For example: arn:aws:cloudfront::123456789012:streaming-distribution/EDFDVBD632BHDS5, where 123456789012 is your account ID.
Indicates the current status of the distribution. When the status is Deployed, the distribution's information is fully propagated throughout the Amazon CloudFront system.
The domain name corresponding to the distribution, for example, d111111abcdef8.cloudfront.net.
The comment originally specified when this distribution was created.
", @@ -3361,8 +3423,8 @@ "UpdateStreamingDistributionRequest$Id": "The streaming distribution's id.
", "UpdateStreamingDistributionRequest$IfMatch": "The value of the ETag header that you received when retrieving the streaming distribution's configuration. For example: E2QWRUHAPOMQZL.
The current version of the configuration. For example: E2QWRUHAPOMQZL.
If the distribution uses Aliases (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in AWS Identity and Access Management (AWS IAM), provide the ID of the IAM certificate.
If you specify an IAM certificate ID, you must also specify values for MinimumProtocolVersion and SSLSupportMethod.
If the distribution uses Aliases (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in AWS Certificate Manager (ACM), provide the Amazon Resource Name (ARN) of the ACM certificate. CloudFront only supports ACM certificates in the US East (N. Virginia) Region (us-east-1).
If you specify an ACM certificate ARN, you must also specify values for MinimumProtocolVersion and SSLSupportMethod.
If the distribution uses Aliases (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in Identity and Access Management (IAM), provide the ID of the IAM certificate.
If you specify an IAM certificate ID, you must also specify values for MinimumProtocolVersion and SSLSupportMethod.
If the distribution uses Aliases (alternate domain names or CNAMEs) and the SSL/TLS certificate is stored in Certificate Manager (ACM), provide the Amazon Resource Name (ARN) of the ACM certificate. CloudFront only supports ACM certificates in the US East (N. Virginia) Region (us-east-1).
If you specify an ACM certificate ARN, you must also specify values for MinimumProtocolVersion and SSLSupportMethod.
This field is deprecated. Use one of the following fields instead:
ACMCertificateArn
IAMCertificateId
CloudFrontDefaultCertificate
Associates an Elastic IP address, or carrier IP address (for instances that are in subnets in Wavelength Zones) with an instance or a network interface. Before you can use an Elastic IP address, you must allocate it to your account.
An Elastic IP address is for use in either the EC2-Classic platform or in a VPC. For more information, see Elastic IP Addresses in the Amazon Elastic Compute Cloud User Guide.
[EC2-Classic, VPC in an EC2-VPC-only account] If the Elastic IP address is already associated with a different instance, it is disassociated from that instance and associated with the specified instance. If you associate an Elastic IP address with an instance that has an existing Elastic IP address, the existing address is disassociated from the instance, but remains allocated to your account.
[VPC in an EC2-Classic account] If you don't specify a private IP address, the Elastic IP address is associated with the primary IP address. If the Elastic IP address is already associated with a different instance or a network interface, you get an error unless you allow reassociation. You cannot associate an Elastic IP address with an instance or network interface that has an existing Elastic IP address.
[Subnets in Wavelength Zones] You can associate an IP address from the telecommunication carrier to the instance or network interface.
You cannot associate an Elastic IP address with an interface in a different network border group.
This is an idempotent operation. If you perform the operation more than once, Amazon EC2 doesn't return an error, and you may be charged for each time the Elastic IP address is remapped to the same instance. For more information, see the Elastic IP Addresses section of Amazon EC2 Pricing.
Associates a target network with a Client VPN endpoint. A target network is a subnet in a VPC. You can associate multiple subnets from the same VPC with a Client VPN endpoint. You can associate only one subnet in each Availability Zone. We recommend that you associate at least two subnets to provide Availability Zone redundancy.
If you specified a VPC when you created the Client VPN endpoint or if you have previous subnet associations, the specified subnet must be in the same VPC. To specify a subnet that's in a different VPC, you must first modify the Client VPN endpoint (ModifyClientVpnEndpoint) and change the VPC that's associated with it.
", "AssociateDhcpOptions": "Associates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP options with the VPC.
After you associate the options with the VPC, any existing instances and all new instances that you launch in that VPC use the options. You don't need to restart or relaunch the instances. They automatically pick up the changes within a few hours, depending on how frequently the instance renews its DHCP lease. You can explicitly renew the lease using the operating system on the instance.
For more information, see DHCP Options Sets in the Amazon Virtual Private Cloud User Guide.
", - "AssociateEnclaveCertificateIamRole": "Associates an AWS Identity and Access Management (IAM) role with an AWS Certificate Manager (ACM) certificate. This enables the certificate to be used by the ACM for Nitro Enclaves application inside an enclave. For more information, see AWS Certificate Manager for Nitro Enclaves in the AWS Nitro Enclaves User Guide.
When the IAM role is associated with the ACM certificate, the certificate, certificate chain, and encrypted private key are placed in an Amazon S3 bucket that only the associated IAM role can access. The private key of the certificate is encrypted with an AWS-managed KMS customer master (CMK) that has an attached attestation-based CMK policy.
To enable the IAM role to access the Amazon S3 object, you must grant it permission to call s3:GetObject on the Amazon S3 bucket returned by the command. To enable the IAM role to access the AWS KMS CMK, you must grant it permission to call kms:Decrypt on the AWS KMS CMK returned by the command. For more information, see Grant the role permission to access the certificate and encryption key in the AWS Nitro Enclaves User Guide.
Associates an Identity and Access Management (IAM) role with an Certificate Manager (ACM) certificate. This enables the certificate to be used by the ACM for Nitro Enclaves application inside an enclave. For more information, see Certificate Manager for Nitro Enclaves in the Amazon Web Services Nitro Enclaves User Guide.
When the IAM role is associated with the ACM certificate, the certificate, certificate chain, and encrypted private key are placed in an Amazon S3 bucket that only the associated IAM role can access. The private key of the certificate is encrypted with an Amazon Web Services managed key that has an attached attestation-based key policy.
To enable the IAM role to access the Amazon S3 object, you must grant it permission to call s3:GetObject on the Amazon S3 bucket returned by the command. To enable the IAM role to access the KMS key, you must grant it permission to call kms:Decrypt on the KMS key returned by the command. For more information, see Grant the role permission to access the certificate and encryption key in the Amazon Web Services Nitro Enclaves User Guide.
Associates an IAM instance profile with a running or stopped instance. You cannot associate more than one IAM instance profile with an instance.
", "AssociateRouteTable": "Associates a subnet in your VPC or an internet gateway or virtual private gateway attached to your VPC with a route table in your VPC. This association causes traffic from the subnet or gateway to be routed according to the routes in the route table. The action returns an association ID, which you need in order to disassociate the route table later. A route table can be associated with multiple subnets.
For more information, see Route Tables in the Amazon Virtual Private Cloud User Guide.
", "AssociateSubnetCidrBlock": "Associates a CIDR block with your subnet. You can only associate a single IPv6 CIDR block with your subnet. An IPv6 CIDR block must have a prefix length of /64.
", @@ -31,8 +31,8 @@ "AttachVolume": "Attaches an EBS volume to a running or stopped instance and exposes it to the instance with the specified device name.
Encrypted EBS volumes must be attached to instances that support Amazon EBS encryption. For more information, see Amazon EBS encryption in the Amazon Elastic Compute Cloud User Guide.
After you attach an EBS volume, you must make it available. For more information, see Making an EBS volume available for use.
If a volume has an AWS Marketplace product code:
The volume can be attached only to a stopped instance.
AWS Marketplace product codes are copied from the volume to the instance.
You must be subscribed to the product.
The instance type and operating system of the instance must support the product. For example, you can't detach a volume from a Windows instance and attach it to a Linux instance.
For more information, see Attaching Amazon EBS volumes in the Amazon Elastic Compute Cloud User Guide.
", "AttachVpnGateway": "Attaches a virtual private gateway to a VPC. You can attach one virtual private gateway to one VPC at a time.
For more information, see AWS Site-to-Site VPN in the AWS Site-to-Site VPN User Guide.
", "AuthorizeClientVpnIngress": "Adds an ingress authorization rule to a Client VPN endpoint. Ingress authorization rules act as firewall rules that grant access to networks. You must configure ingress authorization rules to enable clients to access resources in AWS or on-premises networks.
", - "AuthorizeSecurityGroupEgress": "[VPC only] Adds the specified egress rules to a security group for use with a VPC.
An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR address ranges, or to the instances associated with the specified destination security groups.
You specify a protocol for each rule (for example, TCP). For the TCP and UDP protocols, you must also specify the destination port or port range. For the ICMP protocol, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.
Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
For more information about VPC security group limits, see Amazon VPC Limits.
", - "AuthorizeSecurityGroupIngress": "Adds the specified ingress rules to a security group.
An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address ranges, or from the instances associated with the specified destination security groups.
You specify a protocol for each rule (for example, TCP). For TCP and UDP, you must also specify the destination port or port range. For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. You can use -1 to mean all types or all codes.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
For more information about VPC security group limits, see Amazon VPC Limits.
", + "AuthorizeSecurityGroupEgress": "[VPC only] Adds the specified outbound (egress) rules to a security group for use with a VPC.
An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR address ranges, or to the instances that are associated with the specified destination security groups.
You specify a protocol for each rule (for example, TCP). For the TCP and UDP protocols, you must also specify the destination port or port range. For the ICMP protocol, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.
Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
For information about VPC security group quotas, see Amazon VPC quotas.
", + "AuthorizeSecurityGroupIngress": "Adds the specified inbound (ingress) rules to a security group.
An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range, or from the instances that are associated with the specified destination security groups.
You specify a protocol for each rule (for example, TCP). For TCP and UDP, you must also specify the destination port or port range. For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. You can use -1 to mean all types or all codes.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
For more information about VPC security group quotas, see Amazon VPC quotas.
", "BundleInstance": "Bundles an Amazon instance store-backed Windows instance.
During bundling, only the root device volume (C:\\) is bundled. Data on other instance store volumes is not preserved.
This action is not applicable for Linux/Unix instances or Windows instances that are backed by Amazon EBS.
Cancels a bundling operation for an instance store-backed Windows instance.
", "CancelCapacityReservation": "Cancels the specified Capacity Reservation, releases the reserved capacity, and changes the Capacity Reservation's state to cancelled.
Instances running in the reserved capacity continue running until you stop them. Stopped instances that target the Capacity Reservation can no longer launch. Modify these instances to either target a different Capacity Reservation, launch On-Demand Instance capacity, or run in any open Capacity Reservation that has matching attributes and sufficient capacity.
", @@ -248,6 +248,7 @@ "DescribeScheduledInstanceAvailability": "Finds available schedules that meet the specified criteria.
You can search for an available schedule no more than 3 months in advance. You must meet the minimum required duration of 1,200 hours per year. For example, the minimum daily schedule is 4 hours, the minimum weekly schedule is 24 hours, and the minimum monthly schedule is 100 hours.
After you find a schedule that meets your needs, call PurchaseScheduledInstances to purchase Scheduled Instances with that schedule.
", "DescribeScheduledInstances": "Describes the specified Scheduled Instances or all your Scheduled Instances.
", "DescribeSecurityGroupReferences": "[VPC only] Describes the VPCs on the other side of a VPC peering connection that are referencing the security groups you've specified in this request.
", + "DescribeSecurityGroupRules": "Describes one or more of your security group rules.
", "DescribeSecurityGroups": "Describes the specified security groups or all of your security groups.
A security group is for use with instances either in the EC2-Classic platform or in a specific VPC. For more information, see Amazon EC2 Security Groups in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.
", "DescribeSnapshotAttribute": "Describes the specified attribute of the specified snapshot. You can specify only one attribute at a time.
For more information about EBS snapshots, see Amazon EBS snapshots in the Amazon Elastic Compute Cloud User Guide.
", "DescribeSnapshots": "Describes the specified EBS snapshots available to you or all of the EBS snapshots available to you.
The snapshots available to you include public snapshots, private snapshots that you own, and private snapshots owned by other AWS accounts for which you have explicit create volume permissions.
The create volume permissions fall into the following categories:
public: The owner of the snapshot granted create volume permissions for the snapshot to the all group. All AWS accounts have create volume permissions for these snapshots.
explicit: The owner of the snapshot granted create volume permissions to a specific AWS account.
implicit: An AWS account has implicit create volume permissions for all snapshots it owns.
The list of snapshots returned can be filtered by specifying snapshot IDs, snapshot owners, or AWS accounts with create volume permissions. If no options are specified, Amazon EC2 returns all snapshots for which you have create volume permissions.
If you specify one or more snapshot IDs, only snapshots that have the specified IDs are returned. If you specify an invalid snapshot ID, an error is returned. If you specify a snapshot ID for which you do not have access, it is not included in the returned results.
If you specify one or more snapshot owners using the OwnerIds option, only snapshots from the specified owners and for which you have access are returned. The results can include the AWS account IDs of the specified owners, amazon for snapshots owned by Amazon, or self for snapshots that you own.
If you specify a list of restorable users, only snapshots with create snapshot permissions for those users are returned. You can specify AWS account IDs (if you own the snapshots), self for snapshots for which you own or have explicit permissions, or all for public snapshots.
If you are describing a long list of snapshots, we recommend that you paginate the output to make the list more manageable. The MaxResults parameter sets the maximum number of results returned in a single page. If the list of results exceeds your MaxResults value, then that number of results is returned along with a NextToken value that can be passed to a subsequent DescribeSnapshots request to retrieve the remaining results.
To get the state of fast snapshot restores for a snapshot, use DescribeFastSnapshotRestores.
For more information about EBS snapshots, see Amazon EBS snapshots in the Amazon Elastic Compute Cloud User Guide.
", @@ -305,7 +306,7 @@ "DisableVpcClassicLinkDnsSupport": "Disables ClassicLink DNS support for a VPC. If disabled, DNS hostnames resolve to public IP addresses when addressed between a linked EC2-Classic instance and instances in the VPC to which it's linked. For more information, see ClassicLink in the Amazon Elastic Compute Cloud User Guide.
You must specify a VPC ID in the request.
", "DisassociateAddress": "Disassociates an Elastic IP address from the instance or network interface it's associated with.
An Elastic IP address is for use in either the EC2-Classic platform or in a VPC. For more information, see Elastic IP Addresses in the Amazon Elastic Compute Cloud User Guide.
This is an idempotent operation. If you perform the operation more than once, Amazon EC2 doesn't return an error.
", "DisassociateClientVpnTargetNetwork": "Disassociates a target network from the specified Client VPN endpoint. When you disassociate the last target network from a Client VPN, the following happens:
The route that was automatically added for the VPC is deleted
All active client connections are terminated
New client connections are disallowed
The Client VPN endpoint's status changes to pending-associate
Disassociates an IAM role from an AWS Certificate Manager (ACM) certificate. Disassociating an IAM role from an ACM certificate removes the Amazon S3 object that contains the certificate, certificate chain, and encrypted private key from the Amazon S3 bucket. It also revokes the IAM role's permission to use the AWS Key Management Service (KMS) customer master key (CMK) used to encrypt the private key. This effectively revokes the role's permission to use the certificate.
", + "DisassociateEnclaveCertificateIamRole": "Disassociates an IAM role from an Certificate Manager (ACM) certificate. Disassociating an IAM role from an ACM certificate removes the Amazon S3 object that contains the certificate, certificate chain, and encrypted private key from the Amazon S3 bucket. It also revokes the IAM role's permission to use the KMS key used to encrypt the private key. This effectively revokes the role's permission to use the certificate.
", "DisassociateIamInstanceProfile": "Disassociates an IAM instance profile from a running or stopped instance.
Use DescribeIamInstanceProfileAssociations to get the association ID.
", "DisassociateRouteTable": "Disassociates a subnet or gateway from a route table.
After you perform this action, the subnet no longer uses the routes in the route table. Instead, it uses the routes in the VPC's main route table. For more information about route tables, see Route Tables in the Amazon Virtual Private Cloud User Guide.
", "DisassociateSubnetCidrBlock": "Disassociates a CIDR block from a subnet. Currently, you can disassociate an IPv6 CIDR block only. You must detach or delete all gateways and resources that are associated with the CIDR block before you can disassociate it.
", @@ -326,7 +327,7 @@ "ExportClientVpnClientConfiguration": "Downloads the contents of the Client VPN endpoint configuration file for the specified Client VPN endpoint. The Client VPN endpoint configuration file includes the Client VPN endpoint and certificate information clients need to establish a connection with the Client VPN endpoint.
", "ExportImage": "Exports an Amazon Machine Image (AMI) to a VM file. For more information, see Exporting a VM directly from an Amazon Machine Image (AMI) in the VM Import/Export User Guide.
", "ExportTransitGatewayRoutes": "Exports routes from the specified transit gateway route table to the specified S3 bucket. By default, all routes are exported. Alternatively, you can filter by CIDR range.
The routes are saved to the specified bucket in a JSON file. For more information, see Export Route Tables to Amazon S3 in Transit Gateways.
", - "GetAssociatedEnclaveCertificateIamRoles": "Returns the IAM roles that are associated with the specified AWS Certificate Manager (ACM) certificate. It also returns the name of the Amazon S3 bucket and the Amazon S3 object key where the certificate, certificate chain, and encrypted private key bundle are stored, and the ARN of the AWS Key Management Service (KMS) customer master key (CMK) that's used to encrypt the private key.
", + "GetAssociatedEnclaveCertificateIamRoles": "Returns the IAM roles that are associated with the specified ACM (ACM) certificate. It also returns the name of the Amazon S3 bucket and the Amazon S3 object key where the certificate, certificate chain, and encrypted private key bundle are stored, and the ARN of the KMS key that's used to encrypt the private key.
", "GetAssociatedIpv6PoolCidrs": "Gets information about the IPv6 CIDR block associations for a specified IPv6 address pool.
", "GetCapacityReservationUsage": "Gets usage information about a Capacity Reservation. If the Capacity Reservation is shared, it shows usage information for the Capacity Reservation owner and each account that is currently using the shared capacity. If the Capacity Reservation is not shared, it shows only the Capacity Reservation owner's usage.
", "GetCoipPoolUsage": "Describes the allocations from the specified customer-owned address pool.
", @@ -352,7 +353,7 @@ "ImportClientVpnClientCertificateRevocationList": "Uploads a client certificate revocation list to the specified Client VPN endpoint. Uploading a client certificate revocation list overwrites the existing client certificate revocation list.
Uploading a client certificate revocation list resets existing client connections.
", "ImportImage": "Import single or multi-volume disk images or EBS snapshots into an Amazon Machine Image (AMI).
For more information, see Importing a VM as an image using VM Import/Export in the VM Import/Export User Guide.
", "ImportInstance": "Creates an import instance task using metadata from the specified disk image.
This API action supports only single-volume VMs. To import multi-volume VMs, use ImportImage instead.
This API action is not supported by the AWS Command Line Interface (AWS CLI). For information about using the Amazon EC2 CLI, which is deprecated, see Importing a VM to Amazon EC2 in the Amazon EC2 CLI Reference PDF file.
For information about the import manifest referenced by this API action, see VM Import Manifest.
", - "ImportKeyPair": "Imports the public key from an RSA key pair that you created with a third-party tool. Compare this with CreateKeyPair, in which AWS creates the key pair and gives the keys to you (AWS keeps a copy of the public key). With ImportKeyPair, you create the key pair and give AWS just the public key. The private key is never transferred between you and AWS.
For more information about key pairs, see Key Pairs in the Amazon Elastic Compute Cloud User Guide.
", + "ImportKeyPair": "Imports the public key from an RSA key pair that you created with a third-party tool. Compare this with CreateKeyPair, in which Amazon Web Services creates the key pair and gives the keys to you (Amazon Web Services keeps a copy of the public key). With ImportKeyPair, you create the key pair and give Amazon Web Services just the public key. The private key is never transferred between you and Amazon Web Services.
For more information about key pairs, see Key Pairs in the Amazon Elastic Compute Cloud User Guide.
", "ImportSnapshot": "Imports a disk into an EBS snapshot.
For more information, see Importing a disk as a snapshot using VM Import/Export in the VM Import/Export User Guide.
", "ImportVolume": "Creates an import volume task using metadata from the specified disk image.
This API action supports only single-volume VMs. To import multi-volume VMs, use ImportImage instead. To import a disk to a snapshot, use ImportSnapshot instead.
This API action is not supported by the AWS Command Line Interface (AWS CLI). For information about using the Amazon EC2 CLI, which is deprecated, see Importing Disks to Amazon EBS in the Amazon EC2 CLI Reference PDF file.
For information about the import manifest referenced by this API action, see VM Import Manifest.
", "ModifyAddressAttribute": "Modifies an attribute of the specified Elastic IP address. For requirements, see Using reverse DNS for email applications.
", @@ -377,6 +378,7 @@ "ModifyManagedPrefixList": "Modifies the specified managed prefix list.
Adding or removing entries in a prefix list creates a new version of the prefix list. Changing the name of the prefix list does not affect the version.
If you specify a current version number that does not match the true current version number, the request fails.
", "ModifyNetworkInterfaceAttribute": "Modifies the specified network interface attribute. You can specify only one attribute at a time. You can use this action to attach and detach security groups from an existing EC2 instance.
", "ModifyReservedInstances": "Modifies the Availability Zone, instance count, instance type, or network platform (EC2-Classic or EC2-VPC) of your Reserved Instances. The Reserved Instances to be modified must be identical, except for Availability Zone, network platform, and instance type.
For more information, see Modifying Reserved Instances in the Amazon EC2 User Guide.
", + "ModifySecurityGroupRules": "Modifies the rules of a security group.
", "ModifySnapshotAttribute": "Adds or removes permission settings for the specified snapshot. You may add or remove specified AWS account IDs from a snapshot's list of create volume permissions, but you cannot do both in a single operation. If you need to both add and remove account IDs for a snapshot, you must use multiple operations. You can make up to 500 modifications to a snapshot in a single operation.
Encrypted snapshots and snapshots with AWS Marketplace product codes cannot be made public. Snapshots encrypted with your default CMK cannot be shared with other accounts.
For more information about modifying snapshot permissions, see Sharing snapshots in the Amazon Elastic Compute Cloud User Guide.
", "ModifySpotFleetRequest": "Modifies the specified Spot Fleet request.
You can only modify a Spot Fleet request of type maintain.
While the Spot Fleet request is being modified, it is in the modifying state.
To scale up your Spot Fleet, increase its target capacity. The Spot Fleet launches the additional Spot Instances according to the allocation strategy for the Spot Fleet request. If the allocation strategy is lowestPrice, the Spot Fleet launches instances using the Spot Instance pool with the lowest price. If the allocation strategy is diversified, the Spot Fleet distributes the instances across the Spot Instance pools. If the allocation strategy is capacityOptimized, Spot Fleet launches instances from Spot Instance pools with optimal capacity for the number of instances that are launching.
To scale down your Spot Fleet, decrease its target capacity. First, the Spot Fleet cancels any open requests that exceed the new target capacity. You can request that the Spot Fleet terminate Spot Instances until the size of the fleet no longer exceeds the new target capacity. If the allocation strategy is lowestPrice, the Spot Fleet terminates the instances with the highest price per unit. If the allocation strategy is capacityOptimized, the Spot Fleet terminates the instances in the Spot Instance pools that have the least available Spot Instance capacity. If the allocation strategy is diversified, the Spot Fleet terminates instances across the Spot Instance pools. Alternatively, you can request that the Spot Fleet keep the fleet at its current size, but not replace any Spot Instances that are interrupted or that you terminate manually.
If you are finished with your Spot Fleet for now, but will use it again later, you can set the target capacity to 0.
", "ModifySubnetAttribute": "Modifies a subnet attribute. You can only modify one attribute at a time.
", @@ -436,8 +438,8 @@ "RestoreAddressToClassic": "Restores an Elastic IP address that was previously moved to the EC2-VPC platform back to the EC2-Classic platform. You cannot move an Elastic IP address that was originally allocated for use in EC2-VPC. The Elastic IP address must not be associated with an instance or network interface.
", "RestoreManagedPrefixListVersion": "Restores the entries from a previous version of a managed prefix list to a new version of the prefix list.
", "RevokeClientVpnIngress": "Removes an ingress authorization rule from a Client VPN endpoint.
", - "RevokeSecurityGroupEgress": "[VPC only] Removes the specified egress rules from a security group for EC2-VPC. This action does not apply to security groups for use in EC2-Classic. To remove a rule, the values that you specify (for example, ports) must match the existing rule's values exactly.
[Default VPC] If the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.
AWS recommends that you use DescribeSecurityGroups to verify that the rule has been removed.
Each rule consists of the protocol and the IPv4 or IPv6 CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not have to specify the description to revoke the rule.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
", - "RevokeSecurityGroupIngress": "Removes the specified ingress rules from a security group. To remove a rule, the values that you specify (for example, ports) must match the existing rule's values exactly.
[EC2-Classic , default VPC] If the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.
AWS recommends that you use DescribeSecurityGroups to verify that the rule has been removed.
Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not have to specify the description to revoke the rule.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
", + "RevokeSecurityGroupEgress": "[VPC only] Removes the specified outbound (egress) rules from a security group for EC2-VPC. This action does not apply to security groups for use in EC2-Classic.
You can specify rules using either rule IDs or security group rule properties. If you use rule properties, the values that you specify (for example, ports) must match the existing rule's values exactly. Each rule has a protocol, from and to ports, and destination (CIDR range, security group, or prefix list). For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not need to specify the description to revoke the rule.
[Default VPC] If the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.
Amazon Web Services recommends that you describe the security group to verify that the rules were removed.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
", + "RevokeSecurityGroupIngress": "Removes the specified inbound (ingress) rules from a security group.
You can specify rules using either rule IDs or security group rule properties. If you use rule properties, the values that you specify (for example, ports) must match the existing rule's values exactly. Each rule has a protocol, from and to ports, and source (CIDR range, security group, or prefix list). For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. If the security group rule has a description, you do not need to specify the description to revoke the rule.
[EC2-Classic, default VPC] If the values you specify do not match the existing rule's values, no error is returned, and the output describes the security group rules that were not revoked.
Amazon Web Services recommends that you describe the security group to verify that the rules were removed.
Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.
", "RunInstances": "Launches the specified number of instances using an AMI for which you have permissions.
You can specify a number of options, or leave the default options. The following rules apply:
[EC2-VPC] If you don't specify a subnet ID, we choose a default subnet from your default VPC for you. If you don't have a default VPC, you must specify a subnet ID in the request.
[EC2-Classic] If don't specify an Availability Zone, we choose one for you.
Some instance types must be launched into a VPC. If you do not have a default VPC, or if you do not specify a subnet ID, the request fails. For more information, see Instance types available only in a VPC.
[EC2-VPC] All instances have a network interface with a primary private IPv4 address. If you don't specify this address, we choose one from the IPv4 range of your subnet.
Not all instance types support IPv6 addresses. For more information, see Instance types.
If you don't specify a security group ID, we use the default security group. For more information, see Security groups.
If any of the AMIs have a product code attached for which the user has not subscribed, the request fails.
You can create a launch template, which is a resource that contains the parameters to launch an instance. When you launch an instance using RunInstances, you can specify the launch template instead of specifying the launch parameters.
To ensure faster instance launches, break up large requests into smaller batches. For example, create five separate launch requests for 100 instances each instead of one launch request for 500 instances.
An instance is ready for you to use when it's in the running state. You can check the state of your instance using DescribeInstances. You can tag instances and EBS volumes during launch, after launch, or both. For more information, see CreateTags and Tagging your Amazon EC2 resources.
Linux instances have access to the public key of the key pair at boot. You can use this key to provide secure access to the instance. Amazon EC2 public images use this feature to provide secure access without passwords. For more information, see Key pairs.
For troubleshooting, see What to do if an instance immediately terminates, and Troubleshooting connecting to your instance.
", "RunScheduledInstances": "Launches the specified Scheduled Instances.
Before you can launch a Scheduled Instance, you must purchase it and obtain an identifier using PurchaseScheduledInstances.
You must launch a Scheduled Instance during its scheduled time period. You can't stop or reboot a Scheduled Instance, but you can terminate it as needed. If you terminate a Scheduled Instance before the current scheduled time period ends, you can launch it again after a few minutes. For more information, see Scheduled Instances in the Amazon EC2 User Guide.
", "SearchLocalGatewayRoutes": "Searches for routes in the specified local gateway route table.
", @@ -453,8 +455,8 @@ "UnassignIpv6Addresses": "Unassigns one or more IPv6 addresses from a network interface.
", "UnassignPrivateIpAddresses": "Unassigns one or more secondary private IP addresses from a network interface.
", "UnmonitorInstances": "Disables detailed monitoring for a running instance. For more information, see Monitoring your instances and volumes in the Amazon EC2 User Guide.
", - "UpdateSecurityGroupRuleDescriptionsEgress": "[VPC only] Updates the description of an egress (outbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously.
You specify the description as part of the IP permissions structure. You can remove a description for a security group rule by omitting the description parameter in the request.
", - "UpdateSecurityGroupRuleDescriptionsIngress": "Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously.
You specify the description as part of the IP permissions structure. You can remove a description for a security group rule by omitting the description parameter in the request.
", + "UpdateSecurityGroupRuleDescriptionsEgress": "[VPC only] Updates the description of an egress (outbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously. You can remove a description for a security group rule by omitting the description parameter in the request.
", + "UpdateSecurityGroupRuleDescriptionsIngress": "Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously. You can remove a description for a security group rule by omitting the description parameter in the request.
", "WithdrawByoipCidr": "Stops advertising an address range that is provisioned as an address pool.
You can perform this operation at most once every 10 seconds, even if you specify different address ranges each time.
It can take a few minutes before traffic to the specified addresses stops routing to Amazon Web Services because of BGP propagation delays.
" }, "shapes": { @@ -1188,11 +1190,21 @@ "refs": { } }, + "AuthorizeSecurityGroupEgressResult": { + "base": null, + "refs": { + } + }, "AuthorizeSecurityGroupIngressRequest": { "base": null, "refs": { } }, + "AuthorizeSecurityGroupIngressResult": { + "base": null, + "refs": { + } + }, "AutoAcceptSharedAssociationsValue": { "base": null, "refs": { @@ -1395,7 +1407,9 @@ "AuthorizeClientVpnIngressRequest$AuthorizeAllGroups": "Indicates whether to grant access to all clients. Specify true to grant all clients who successfully establish a VPN connection access to the network. Must be set to true if AccessGroupId is not specified.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Returns true if the request succeeds; otherwise, returns an error.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Returns true if the request succeeds; otherwise, returns an error.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Returns true if the request succeeds; otherwise, returns an error.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Is true if the request succeeds, and an error otherwise.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Indicates whether there are additional routes available.
", + "SecurityGroupRule$IsEgress": "Indicates whether the security group rule is an outbound rule.
", "SendDiagnosticInterruptRequest$DryRun": "Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Indicates whether requests from other AWS accounts to create an endpoint to the service must first be accepted.
", "ServiceConfiguration$ManagesVpcEndpoints": "Indicates whether the service manages its VPC endpoints. Management of the service VPC endpoints using the VPC endpoint API is restricted.
", @@ -5347,6 +5365,22 @@ "refs": { } }, + "DescribeSecurityGroupRulesMaxResults": { + "base": null, + "refs": { + "DescribeSecurityGroupRulesRequest$MaxResults": "The maximum number of results to return in a single call. To retrieve the remaining results, make another request with the returned NextToken value. This value can be between 5 and 1000. If this parameter is not specified, then all results are returned.
One or more filters.
association.route-table-association-id - The ID of an association ID for the route table.
association.route-table-id - The ID of the route table involved in the association.
association.subnet-id - The ID of the subnet involved in the association.
association.main - Indicates whether the route table is the main route table for the VPC (true | false). Route tables that do not have an association ID are not returned in the response.
owner-id - The ID of the AWS account that owns the route table.
route-table-id - The ID of the route table.
route.destination-cidr-block - The IPv4 CIDR range specified in a route in the table.
route.destination-ipv6-cidr-block - The IPv6 CIDR range specified in a route in the route table.
route.destination-prefix-list-id - The ID (prefix) of the AWS service specified in a route in the table.
route.egress-only-internet-gateway-id - The ID of an egress-only Internet gateway specified in a route in the route table.
route.gateway-id - The ID of a gateway specified in a route in the table.
route.instance-id - The ID of an instance specified in a route in the table.
route.nat-gateway-id - The ID of a NAT gateway.
route.transit-gateway-id - The ID of a transit gateway.
route.origin - Describes how the route was created. CreateRouteTable indicates that the route was automatically created when the route table was created; CreateRoute indicates that the route was manually added to the route table; EnableVgwRoutePropagation indicates that the route was propagated by route propagation.
route.state - The state of a route in the route table (active | blackhole). The blackhole state indicates that the route's target isn't available (for example, the specified gateway isn't attached to the VPC, the specified NAT instance has been terminated, and so on).
route.vpc-peering-connection-id - The ID of a VPC peering connection specified in a route in the table.
tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
tag-key - The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
vpc-id - The ID of the VPC for the route table.
The filters.
availability-zone - The Availability Zone (for example, us-west-2a).
instance-type - The instance type (for example, c4.large).
network-platform - The network platform (EC2-Classic or EC2-VPC).
platform - The platform (Linux/UNIX or Windows).
The filters.
availability-zone - The Availability Zone (for example, us-west-2a).
instance-type - The instance type (for example, c4.large).
network-platform - The network platform (EC2-Classic or EC2-VPC).
platform - The platform (Linux/UNIX or Windows).
The filters. If using multiple filters for rules, the results include security groups for which any combination of rules - not necessarily a single rule - match all filters.
description - The description of the security group.
egress.ip-permission.cidr - An IPv4 CIDR block for an outbound security group rule.
egress.ip-permission.from-port - For an outbound rule, the start of port range for the TCP and UDP protocols, or an ICMP type number.
egress.ip-permission.group-id - The ID of a security group that has been referenced in an outbound security group rule.
egress.ip-permission.group-name - The name of a security group that is referenced in an outbound security group rule.
egress.ip-permission.ipv6-cidr - An IPv6 CIDR block for an outbound security group rule.
egress.ip-permission.prefix-list-id - The ID of a prefix list to which a security group rule allows outbound access.
egress.ip-permission.protocol - The IP protocol for an outbound security group rule (tcp | udp | icmp, a protocol number, or -1 for all protocols).
egress.ip-permission.to-port - For an outbound rule, the end of port range for the TCP and UDP protocols, or an ICMP code.
egress.ip-permission.user-id - The ID of an AWS account that has been referenced in an outbound security group rule.
group-id - The ID of the security group.
group-name - The name of the security group.
ip-permission.cidr - An IPv4 CIDR block for an inbound security group rule.
ip-permission.from-port - For an inbound rule, the start of port range for the TCP and UDP protocols, or an ICMP type number.
ip-permission.group-id - The ID of a security group that has been referenced in an inbound security group rule.
ip-permission.group-name - The name of a security group that is referenced in an inbound security group rule.
ip-permission.ipv6-cidr - An IPv6 CIDR block for an inbound security group rule.
ip-permission.prefix-list-id - The ID of a prefix list from which a security group rule allows inbound access.
ip-permission.protocol - The IP protocol for an inbound security group rule (tcp | udp | icmp, a protocol number, or -1 for all protocols).
ip-permission.to-port - For an inbound rule, the end of port range for the TCP and UDP protocols, or an ICMP code.
ip-permission.user-id - The ID of an AWS account that has been referenced in an inbound security group rule.
owner-id - The AWS account ID of the owner of the security group.
tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
tag-key - The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
vpc-id - The ID of the VPC specified when the security group was created.
One or more filters.
group-id - The ID of the security group.
security-group-rule-id - The ID of the security group rule.
tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
The filters. If using multiple filters for rules, the results include security groups for which any combination of rules - not necessarily a single rule - match all filters.
description - The description of the security group.
egress.ip-permission.cidr - An IPv4 CIDR block for an outbound security group rule.
egress.ip-permission.from-port - For an outbound rule, the start of port range for the TCP and UDP protocols, or an ICMP type number.
egress.ip-permission.group-id - The ID of a security group that has been referenced in an outbound security group rule.
egress.ip-permission.group-name - The name of a security group that is referenced in an outbound security group rule.
egress.ip-permission.ipv6-cidr - An IPv6 CIDR block for an outbound security group rule.
egress.ip-permission.prefix-list-id - The ID of a prefix list to which a security group rule allows outbound access.
egress.ip-permission.protocol - The IP protocol for an outbound security group rule (tcp | udp | icmp, a protocol number, or -1 for all protocols).
egress.ip-permission.to-port - For an outbound rule, the end of port range for the TCP and UDP protocols, or an ICMP code.
egress.ip-permission.user-id - The ID of an Amazon Web Services account that has been referenced in an outbound security group rule.
group-id - The ID of the security group.
group-name - The name of the security group.
ip-permission.cidr - An IPv4 CIDR block for an inbound security group rule.
ip-permission.from-port - For an inbound rule, the start of port range for the TCP and UDP protocols, or an ICMP type number.
ip-permission.group-id - The ID of a security group that has been referenced in an inbound security group rule.
ip-permission.group-name - The name of a security group that is referenced in an inbound security group rule.
ip-permission.ipv6-cidr - An IPv6 CIDR block for an inbound security group rule.
ip-permission.prefix-list-id - The ID of a prefix list from which a security group rule allows inbound access.
ip-permission.protocol - The IP protocol for an inbound security group rule (tcp | udp | icmp, a protocol number, or -1 for all protocols).
ip-permission.to-port - For an inbound rule, the end of port range for the TCP and UDP protocols, or an ICMP code.
ip-permission.user-id - The ID of an Amazon Web Services account that has been referenced in an inbound security group rule.
owner-id - The Amazon Web Services account ID of the owner of the security group.
tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
tag-key - The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
vpc-id - The ID of the VPC specified when the security group was created.
The filters.
description - A description of the snapshot.
encrypted - Indicates whether the snapshot is encrypted (true | false)
owner-alias - The owner alias, from an Amazon-maintained list (amazon). This is not the user-configured AWS account alias set using the IAM console. We recommend that you use the related parameter instead of this filter.
owner-id - The AWS account ID of the owner. We recommend that you use the related parameter instead of this filter.
progress - The progress of the snapshot, as a percentage (for example, 80%).
snapshot-id - The snapshot ID.
start-time - The time stamp when the snapshot was initiated.
status - The status of the snapshot (pending | completed | error).
tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
tag-key - The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
volume-id - The ID of the volume the snapshot is for.
volume-size - The size of the volume, in GiB.
One or more filters.
availability-zone-group - The Availability Zone group.
create-time - The time stamp when the Spot Instance request was created.
fault-code - The fault code related to the request.
fault-message - The fault message related to the request.
instance-id - The ID of the instance that fulfilled the request.
launch-group - The Spot Instance launch group.
launch.block-device-mapping.delete-on-termination - Indicates whether the EBS volume is deleted on instance termination.
launch.block-device-mapping.device-name - The device name for the volume in the block device mapping (for example, /dev/sdh or xvdh).
launch.block-device-mapping.snapshot-id - The ID of the snapshot for the EBS volume.
launch.block-device-mapping.volume-size - The size of the EBS volume, in GiB.
launch.block-device-mapping.volume-type - The type of EBS volume: gp2 for General Purpose SSD, io1 or io2 for Provisioned IOPS SSD, st1 for Throughput Optimized HDD, sc1for Cold HDD, or standard for Magnetic.
launch.group-id - The ID of the security group for the instance.
launch.group-name - The name of the security group for the instance.
launch.image-id - The ID of the AMI.
launch.instance-type - The type of instance (for example, m3.medium).
launch.kernel-id - The kernel ID.
launch.key-name - The name of the key pair the instance launched with.
launch.monitoring-enabled - Whether detailed monitoring is enabled for the Spot Instance.
launch.ramdisk-id - The RAM disk ID.
launched-availability-zone - The Availability Zone in which the request is launched.
network-interface.addresses.primary - Indicates whether the IP address is the primary private IP address.
network-interface.delete-on-termination - Indicates whether the network interface is deleted when the instance is terminated.
network-interface.description - A description of the network interface.
network-interface.device-index - The index of the device for the network interface attachment on the instance.
network-interface.group-id - The ID of the security group associated with the network interface.
network-interface.network-interface-id - The ID of the network interface.
network-interface.private-ip-address - The primary private IP address of the network interface.
network-interface.subnet-id - The ID of the subnet for the instance.
product-description - The product description associated with the instance (Linux/UNIX | Windows).
spot-instance-request-id - The Spot Instance request ID.
spot-price - The maximum hourly price for any Spot Instance launched to fulfill the request.
state - The state of the Spot Instance request (open | active | closed | cancelled | failed). Spot request status information can help you track your Amazon EC2 Spot Instance requests. For more information, see Spot request status in the Amazon EC2 User Guide for Linux Instances.
status-code - The short code describing the most recent evaluation of your Spot Instance request.
status-message - The message explaining the status of the Spot Instance request.
tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
tag-key - The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
type - The type of Spot Instance request (one-time | persistent).
valid-from - The start date of the request.
valid-until - The end date of the request.
One or more filters.
availability-zone - The Availability Zone for which prices should be returned.
instance-type - The type of instance (for example, m3.medium).
product-description - The product description for the Spot price (Linux/UNIX | Red Hat Enterprise Linux | SUSE Linux | Windows | Linux/UNIX (Amazon VPC) | Red Hat Enterprise Linux (Amazon VPC) | SUSE Linux (Amazon VPC) | Windows (Amazon VPC)).
spot-price - The Spot price. The value must match exactly (or use wildcards; greater than or less than comparison is not supported).
timestamp - The time stamp of the Spot price history, in UTC format (for example, YYYY-MM-DDTHH:MM:SSZ). You can use wildcards (* and ?). Greater than or less than comparison is not supported.
The ID of one or more of the VPC's security groups. You cannot specify security groups from a different VPC.
", - "DescribeSecurityGroupsRequest$GroupIds": "The IDs of the security groups. Required for security groups in a nondefault VPC.
Default: Describes all your security groups.
", + "DescribeSecurityGroupsRequest$GroupIds": "The IDs of the security groups. Required for security groups in a nondefault VPC.
Default: Describes all of your security groups.
", "LaunchTemplateInstanceNetworkInterfaceSpecification$Groups": "The IDs of one or more security groups.
", "ModifyInstanceAttributeRequest$Groups": "[EC2-VPC] Replaces the security groups of the instance with the specified security groups. You must specify at least one security group, even if it's just the default security group for the VPC. You must specify the security group ID, not the security group name.
" } @@ -7674,7 +7709,7 @@ "GroupNameStringList": { "base": null, "refs": { - "DescribeSecurityGroupsRequest$GroupNames": "[EC2-Classic and default VPC only] The names of the security groups. You can specify either the security group name or the security group ID. For security groups in a nondefault VPC, use the group-name filter to describe security groups by name.
Default: Describes all your security groups.
", + "DescribeSecurityGroupsRequest$GroupNames": "[EC2-Classic and default VPC only] The names of the security groups. You can specify either the security group name or the security group ID. For security groups in a nondefault VPC, use the group-name filter to describe security groups by name.
Default: Describes all of your security groups.
", "ModifySnapshotAttributeRequest$GroupNames": "The group to modify for the snapshot.
" } }, @@ -8941,6 +8976,10 @@ "ScheduledInstancesNetworkInterface$DeviceIndex": "The index of the device for the network interface attachment.
", "ScheduledInstancesNetworkInterface$Ipv6AddressCount": "The number of IPv6 addresses to assign to the network interface. The IPv6 addresses are automatically selected from the subnet range.
", "ScheduledInstancesNetworkInterface$SecondaryPrivateIpAddressCount": "The number of secondary private IPv4 addresses.
", + "SecurityGroupRule$FromPort": "The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.
", + "SecurityGroupRule$ToPort": "The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.
The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.
", + "SecurityGroupRuleRequest$ToPort": "The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.
The size of the volume, in GiB.
", "SnapshotInfo$VolumeSize": "Size of the volume from which this snapshot was created.
", "SpotFleetRequestConfigData$TargetCapacity": "The number of units to request for the Spot Fleet. You can choose to set the target capacity in terms of instances or a performance characteristic that is important to your application workload, such as vCPUs, memory, or I/O. If the request type is maintain, you can specify a target capacity of 0 and add capacity later.
The inbound rules that were unknown to the service. In some cases, unknownIpPermissionSet might be in a different format from the request parameter.
The inbound rules associated with the security group.
", "SecurityGroup$IpPermissionsEgress": "[VPC only] The outbound rules associated with the security group.
", - "UpdateSecurityGroupRuleDescriptionsEgressRequest$IpPermissions": "The IP permissions for the security group rule.
", - "UpdateSecurityGroupRuleDescriptionsIngressRequest$IpPermissions": "The IP permissions for the security group rule.
" + "UpdateSecurityGroupRuleDescriptionsEgressRequest$IpPermissions": "The IP permissions for the security group rule. You must specify either the IP permissions or the description.
", + "UpdateSecurityGroupRuleDescriptionsIngressRequest$IpPermissions": "The IP permissions for the security group rule. You must specify either IP permissions or a description.
" } }, "IpRange": { @@ -9237,7 +9276,7 @@ "KeyNameStringList": { "base": null, "refs": { - "DescribeKeyPairsRequest$KeyNames": "The key pair names.
Default: Describes all your key pairs.
" + "DescribeKeyPairsRequest$KeyNames": "The key pair names.
Default: Describes all of your key pairs.
" } }, "KeyPair": { @@ -10392,6 +10431,16 @@ "refs": { } }, + "ModifySecurityGroupRulesRequest": { + "base": null, + "refs": { + } + }, + "ModifySecurityGroupRulesResult": { + "base": null, + "refs": { + } + }, "ModifySnapshotAttributeRequest": { "base": null, "refs": { @@ -11604,6 +11653,8 @@ "PrefixListResourceIdStringList$member": null, "ReplaceRouteRequest$DestinationPrefixListId": "The ID of the prefix list for the route.
", "RestoreManagedPrefixListVersionRequest$PrefixListId": "The ID of the prefix list.
", + "SecurityGroupRule$PrefixListId": "The ID of the prefix list.
", + "SecurityGroupRuleRequest$PrefixListId": "The ID of the prefix list.
", "TransitGatewayPrefixListReference$PrefixListId": "The ID of the prefix list.
", "TransitGatewayRoute$PrefixListId": "The ID of the prefix list used for destination matches.
" } @@ -11979,6 +12030,12 @@ "ReservedInstancesOffering$RecurringCharges": "The recurring charge tag assigned to the resource.
" } }, + "ReferencedSecurityGroup": { + "base": "Describes the security group that is referenced in the security group rule.
", + "refs": { + "SecurityGroupRule$ReferencedGroupInfo": "Describes the security group that is referenced in the rule.
" + } + }, "Region": { "base": "Describes a Region.
", "refs": { @@ -12997,7 +13054,7 @@ } }, "SecurityGroup": { - "base": "Describes a security group
", + "base": "Describes a security group.
", "refs": { "SecurityGroupList$member": null } @@ -13010,11 +13067,14 @@ "ClientVpnSecurityGroupIdSet$member": null, "DeleteSecurityGroupRequest$GroupId": "The ID of the security group. Required for a nondefault VPC.
", "GroupIds$member": null, + "ModifySecurityGroupRulesRequest$GroupId": "The ID of the security group.
", "RequestSpotLaunchSpecificationSecurityGroupIdList$member": null, "RevokeSecurityGroupEgressRequest$GroupId": "The ID of the security group.
", "RevokeSecurityGroupIngressRequest$GroupId": "The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
", "ScheduledInstancesSecurityGroupIdSet$member": null, "SecurityGroupIdStringList$member": null, + "SecurityGroupRule$GroupId": "The ID of the security group.
", + "SecurityGroupRuleRequest$ReferencedGroupId": "The ID of the security group that is referenced in the security group rule.
", "UpdateSecurityGroupRuleDescriptionsEgressRequest$GroupId": "The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
", "UpdateSecurityGroupRuleDescriptionsIngressRequest$GroupId": "The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
", "VpcEndpointSecurityGroupIdList$member": null @@ -13068,6 +13128,66 @@ "DescribeSecurityGroupReferencesResult$SecurityGroupReferenceSet": "Information about the VPCs with the referencing security groups.
" } }, + "SecurityGroupRule": { + "base": "Describes a security group rule.
", + "refs": { + "SecurityGroupRuleList$member": null + } + }, + "SecurityGroupRuleDescription": { + "base": "Describes the description of a security group rule.
You can use this when you want to update the security group rule description for either an inbound or outbound rule.
", + "refs": { + "SecurityGroupRuleDescriptionList$member": null + } + }, + "SecurityGroupRuleDescriptionList": { + "base": null, + "refs": { + "UpdateSecurityGroupRuleDescriptionsEgressRequest$SecurityGroupRuleDescriptions": "The description for the egress security group rules. You must specify either the description or the IP permissions.
", + "UpdateSecurityGroupRuleDescriptionsIngressRequest$SecurityGroupRuleDescriptions": "[VPC only] The description for the ingress security group rules. You must specify either a description or IP permissions.
" + } + }, + "SecurityGroupRuleId": { + "base": null, + "refs": { + "SecurityGroupRule$SecurityGroupRuleId": "The ID of the security group rule.
", + "SecurityGroupRuleUpdate$SecurityGroupRuleId": "The ID of the security group rule.
" + } + }, + "SecurityGroupRuleIdList": { + "base": null, + "refs": { + "DescribeSecurityGroupRulesRequest$SecurityGroupRuleIds": "The IDs of the security group rules.
", + "RevokeSecurityGroupEgressRequest$SecurityGroupRuleIds": "The IDs of the security group rules.
", + "RevokeSecurityGroupIngressRequest$SecurityGroupRuleIds": "The IDs of the security group rules.
" + } + }, + "SecurityGroupRuleList": { + "base": null, + "refs": { + "AuthorizeSecurityGroupEgressResult$SecurityGroupRules": "Information about the outbound (egress) security group rules that were added.
", + "AuthorizeSecurityGroupIngressResult$SecurityGroupRules": "Information about the inbound (ingress) security group rules that were added.
", + "DescribeSecurityGroupRulesResult$SecurityGroupRules": "Information about security group rules.
" + } + }, + "SecurityGroupRuleRequest": { + "base": "Describes a security group rule.
You must specify exactly one of the following parameters, based on the rule type:
CidrIpv4
CidrIpv6
PrefixListId
ReferencedGroupId
When you modify a rule, you cannot change the rule type. For example, if the rule uses an IPv4 address range, you must use CidrIpv4 to specify a new IPv4 address range.
Information about the security group rule.
" + } + }, + "SecurityGroupRuleUpdate": { + "base": "Describes an update to a security group rule.
", + "refs": { + "SecurityGroupRuleUpdateList$member": null + } + }, + "SecurityGroupRuleUpdateList": { + "base": null, + "refs": { + "ModifySecurityGroupRulesRequest$SecurityGroupRules": "Information about the security group properties to update.
" + } + }, "SecurityGroupStringList": { "base": null, "refs": { @@ -13643,7 +13763,7 @@ "AssociateClientVpnTargetNetworkResult$AssociationId": "The unique ID of the target network association.
", "AssociateEnclaveCertificateIamRoleResult$CertificateS3BucketName": "The name of the Amazon S3 bucket to which the certificate was uploaded.
", "AssociateEnclaveCertificateIamRoleResult$CertificateS3ObjectKey": "The Amazon S3 object key where the certificate, certificate chain, and encrypted private key bundle are stored. The object key is formatted as follows: role_arn/certificate_arn.
The ID of the AWS KMS CMK used to encrypt the private key of the certificate.
", + "AssociateEnclaveCertificateIamRoleResult$EncryptionKmsKeyId": "The ID of the KMS key used to encrypt the private key of the certificate.
", "AssociateRouteTableResult$AssociationId": "The route table association ID. This ID is required for disassociating the route table.
", "AssociateSubnetCidrBlockRequest$Ipv6CidrBlock": "The IPv6 CIDR block for your subnet. The subnet must have a /64 prefix length.
", "AssociateSubnetCidrBlockResult$SubnetId": "The ID of the subnet.
", @@ -13677,7 +13797,7 @@ "AuthorizeSecurityGroupIngressRequest$CidrIp": "The IPv4 address range, in CIDR format. You can't specify this parameter when specifying a source security group. To specify an IPv6 address range, use a set of IP permissions.
Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.
", "AuthorizeSecurityGroupIngressRequest$IpProtocol": "The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). To specify icmpv6, use a set of IP permissions.
[VPC only] Use -1 to specify all protocols. If you specify -1 or a protocol other than tcp, udp, or icmp, traffic on all ports is allowed, regardless of any ports you specify.
Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.
", "AuthorizeSecurityGroupIngressRequest$SourceSecurityGroupName": "[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the start of the port range, the IP protocol, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead. For EC2-VPC, the source security group must be in the same VPC.
", - "AuthorizeSecurityGroupIngressRequest$SourceSecurityGroupOwnerId": "[nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead.
", + "AuthorizeSecurityGroupIngressRequest$SourceSecurityGroupOwnerId": "[nondefault VPC] The Amazon Web Services account ID for the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead.
", "AvailabilityZone$RegionName": "The name of the Region.
", "AvailabilityZone$ZoneName": "The name of the Availability Zone, Local Zone, or Wavelength Zone.
", "AvailabilityZone$ZoneId": "The ID of the Availability Zone, Local Zone, or Wavelength Zone.
", @@ -14059,6 +14179,8 @@ "DescribeScheduledInstanceAvailabilityResult$NextToken": "The token required to retrieve the next set of results. This value is null when there are no more results to return.
The token for the next set of results.
", "DescribeScheduledInstancesResult$NextToken": "The token required to retrieve the next set of results. This value is null when there are no more results to return.
The token for the next page of results.
", + "DescribeSecurityGroupRulesResult$NextToken": "The token to use to retrieve the next page of results. This value is null when there are no more results to return.
The token to request the next page of results.
", "DescribeSecurityGroupsResult$NextToken": "The token to use to retrieve the next page of results. This value is null when there are no more results to return.
The ID of the EBS snapshot.
", @@ -14387,7 +14509,7 @@ "ImportInstanceVolumeDetailItem$StatusMessage": "The status information or errors related to the disk image.
", "ImportKeyPairRequest$KeyName": "A unique name for the key pair.
", "ImportKeyPairResult$KeyFingerprint": "The MD5 public key fingerprint as specified in section 4 of RFC 4716.
", - "ImportKeyPairResult$KeyName": "The key pair name you provided.
", + "ImportKeyPairResult$KeyName": "The key pair name that you provided.
", "ImportKeyPairResult$KeyPairId": "The ID of the resulting key pair.
", "ImportSnapshotRequest$ClientToken": "Token to enable idempotency for VM import requests.
", "ImportSnapshotRequest$Description": "The description string for the import snapshot task.
", @@ -14480,7 +14602,7 @@ "KeyPair$KeyName": "The name of the key pair.
", "KeyPair$KeyPairId": "The ID of the key pair.
", "KeyPairInfo$KeyPairId": "The ID of the key pair.
", - "KeyPairInfo$KeyFingerprint": "If you used CreateKeyPair to create the key pair, this is the SHA-1 digest of the DER encoded private key. If you used ImportKeyPair to provide AWS the public key, this is the MD5 public key fingerprint as specified in section 4 of RFC4716.
", + "KeyPairInfo$KeyFingerprint": "If you used CreateKeyPair to create the key pair, this is the SHA-1 digest of the DER encoded private key. If you used ImportKeyPair to provide Amazon Web Services the public key, this is the MD5 public key fingerprint as specified in section 4 of RFC4716.
", "KeyPairInfo$KeyName": "The name of the key pair.
", "LastError$Message": "The error message for the VPC endpoint error.
", "LastError$Code": "The error code for the VPC endpoint error.
", @@ -14740,6 +14862,11 @@ "PurchaseRequest$PurchaseToken": "The purchase token.
", "PurchaseReservedInstancesOfferingResult$ReservedInstancesId": "The IDs of the purchased Reserved Instances. If your purchase crosses into a discounted pricing tier, the final Reserved Instances IDs might change. For more information, see Crossing pricing tiers in the Amazon Elastic Compute Cloud User Guide.
", "PurchaseScheduledInstancesRequest$ClientToken": "Unique, case-sensitive identifier that ensures the idempotency of the request. For more information, see Ensuring Idempotency.
", + "ReferencedSecurityGroup$GroupId": "The ID of the security group.
", + "ReferencedSecurityGroup$PeeringStatus": "The status of a VPC peering connection, if applicable.
", + "ReferencedSecurityGroup$UserId": "The account ID.
", + "ReferencedSecurityGroup$VpcId": "The ID of the VPC.
", + "ReferencedSecurityGroup$VpcPeeringConnectionId": "The ID of the VPC peering connection.
", "Region$Endpoint": "The Region service endpoint.
", "Region$RegionName": "The name of the Region.
", "Region$OptInStatus": "The Region opt-in status. The possible values are opt-in-not-required, opted-in, and not-opted-in.
The CIDR IP address range. You can't specify this parameter when specifying a source security group.
", "RevokeSecurityGroupIngressRequest$IpProtocol": "The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). Use -1 to specify all.
[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the start of the port range, the IP protocol, and the end of the port range. For EC2-VPC, the source security group must be in the same VPC. To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.
", - "RevokeSecurityGroupIngressRequest$SourceSecurityGroupOwnerId": "[EC2-Classic] The AWS account ID of the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.
", + "RevokeSecurityGroupIngressRequest$SourceSecurityGroupOwnerId": "[EC2-Classic] The Amazon Web Services account ID of the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. To revoke a specific rule for an IP protocol and port range, use a set of IP permissions instead.
", "Route$DestinationCidrBlock": "The IPv4 CIDR block used for the destination match.
", "Route$DestinationIpv6CidrBlock": "The IPv6 CIDR block used for the destination match.
", "Route$DestinationPrefixListId": "The prefix of the AWS service.
", @@ -14889,7 +15016,7 @@ "SearchTransitGatewayMulticastGroupsResult$NextToken": "The token to use to retrieve the next page of results. This value is null when there are no more results to return.
A description of the security group.
", "SecurityGroup$GroupName": "The name of the security group.
", - "SecurityGroup$OwnerId": "The AWS account ID of the owner of the security group.
", + "SecurityGroup$OwnerId": "The Amazon Web Services account ID of the owner of the security group.
", "SecurityGroup$GroupId": "The ID of the security group.
", "SecurityGroup$VpcId": "[VPC only] The ID of the VPC for the security group.
", "SecurityGroupIdentifier$GroupId": "The ID of the security group.
", @@ -14897,6 +15024,18 @@ "SecurityGroupReference$GroupId": "The ID of your security group.
", "SecurityGroupReference$ReferencingVpcId": "The ID of the VPC with the referencing security group.
", "SecurityGroupReference$VpcPeeringConnectionId": "The ID of the VPC peering connection.
", + "SecurityGroupRule$GroupOwnerId": "The ID of the account that owns the security group.
", + "SecurityGroupRule$IpProtocol": "The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
Use -1 to specify all protocols.
The IPv4 CIDR range.
", + "SecurityGroupRule$CidrIpv6": "The IPv6 CIDR range.
", + "SecurityGroupRule$Description": "The security group rule description.
", + "SecurityGroupRuleDescription$SecurityGroupRuleId": "The ID of the security group rule.
", + "SecurityGroupRuleDescription$Description": "The description of the security group rule.
", + "SecurityGroupRuleIdList$member": null, + "SecurityGroupRuleRequest$IpProtocol": "The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).
Use -1 to specify all protocols.
The IPv4 CIDR range. To specify a single IPv4 address, use the /32 prefix length.
", + "SecurityGroupRuleRequest$CidrIpv6": "The IPv6 CIDR range. To specify a single IPv6 address, use the /128 prefix length.
", + "SecurityGroupRuleRequest$Description": "The description of the security group rule.
", "ServiceConfiguration$ServiceId": "The ID of the service.
", "ServiceConfiguration$ServiceName": "The name of the service.
", "ServiceConfiguration$PrivateDnsName": "The private DNS name for the service.
", @@ -15123,7 +15262,7 @@ "UserIdGroupPair$GroupId": "The ID of the security group.
", "UserIdGroupPair$GroupName": "The name of the security group. In a request, use this parameter for a security group in EC2-Classic or a default VPC only. For a security group in a nondefault VPC, use the security group ID.
For a referenced security group in another VPC, this value is not returned if the referenced security group is deleted.
", "UserIdGroupPair$PeeringStatus": "The status of a VPC peering connection, if applicable.
", - "UserIdGroupPair$UserId": "The ID of an AWS account.
For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.
[EC2-Classic] Required when adding or removing rules that reference a security group in another AWS account.
", + "UserIdGroupPair$UserId": "The ID of an Amazon Web Services account.
For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.
[EC2-Classic] Required when adding or removing rules that reference a security group in another Amazon Web Services account.
", "UserIdGroupPair$VpcId": "The ID of the VPC for the referenced security group, if applicable.
", "UserIdGroupPair$VpcPeeringConnectionId": "The ID of the VPC peering connection, if applicable.
", "UserIdStringList$member": null, @@ -15422,6 +15561,7 @@ "ReservedInstancesListing$Tags": "Any tags assigned to the resource.
", "RouteTable$Tags": "Any tags assigned to the route table.
", "SecurityGroup$Tags": "Any tags assigned to the security group.
", + "SecurityGroupRule$Tags": "The tags applied to the security group rule.
", "ServiceConfiguration$Tags": "Any tags assigned to the service.
", "ServiceDetail$Tags": "Any tags assigned to the service.
", "Snapshot$Tags": "Any tags assigned to the snapshot.
", @@ -15463,6 +15603,8 @@ "refs": { "AllocateAddressRequest$TagSpecifications": "The tags to assign to the Elastic IP address.
", "AllocateHostsRequest$TagSpecifications": "The tags to apply to the Dedicated Host during creation.
", + "AuthorizeSecurityGroupEgressRequest$TagSpecifications": "The tags applied to the security group rule.
", + "AuthorizeSecurityGroupIngressRequest$TagSpecifications": "[VPC Only] The tags applied to the security group rule.
", "CopySnapshotRequest$TagSpecifications": "The tags to apply to the new snapshot.
", "CreateCapacityReservationRequest$TagSpecifications": "The tags to apply to the Capacity Reservation during launch.
", "CreateCarrierGatewayRequest$TagSpecifications": "The tags to associate with the carrier gateway.
", @@ -16676,7 +16818,7 @@ } }, "UserIdGroupPair": { - "base": "Describes a security group and AWS account ID pair.
", + "base": "Describes a security group and Amazon Web Services account ID pair.
", "refs": { "UserIdGroupPairList$member": null, "UserIdGroupPairSet$member": null @@ -16685,7 +16827,7 @@ "UserIdGroupPairList": { "base": null, "refs": { - "IpPermission$UserIdGroupPairs": "The security group and AWS account ID pairs.
" + "IpPermission$UserIdGroupPairs": "The security group and Amazon Web Services account ID pairs.
" } }, "UserIdGroupPairSet": { diff --git a/models/apis/ec2/2016-11-15/paginators-1.json b/models/apis/ec2/2016-11-15/paginators-1.json index fde6975e311..e1d041efc2c 100755 --- a/models/apis/ec2/2016-11-15/paginators-1.json +++ b/models/apis/ec2/2016-11-15/paginators-1.json @@ -374,6 +374,12 @@ "output_token": "NextToken", "result_key": "ScheduledInstanceSet" }, + "DescribeSecurityGroupRules": { + "input_token": "NextToken", + "limit_key": "MaxResults", + "output_token": "NextToken", + "result_key": "SecurityGroupRules" + }, "DescribeSecurityGroups": { "input_token": "NextToken", "limit_key": "MaxResults", diff --git a/models/apis/iam/2010-05-08/docs-2.json b/models/apis/iam/2010-05-08/docs-2.json index 80b5868cc29..8aa5232c8fe 100644 --- a/models/apis/iam/2010-05-08/docs-2.json +++ b/models/apis/iam/2010-05-08/docs-2.json @@ -1,36 +1,36 @@ { "version": "2.0", - "service": "AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access. For more information about IAM, see AWS Identity and Access Management (IAM) and the AWS Identity and Access Management User Guide.
", + "service": "Identity and Access Management (IAM) is a web service for securely controlling access to Amazon Web Services services. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which Amazon Web Services resources users and applications can access. For more information about IAM, see Identity and Access Management (IAM) and the Identity and Access Management User Guide.
", "operations": { "AddClientIDToOpenIDConnectProvider": "Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource.
This operation is idempotent; it does not fail or return an error if you add an existing client ID to the provider.
", - "AddRoleToInstanceProfile": "Adds the specified IAM role to the specified instance profile. An instance profile can contain only one role, and this quota cannot be increased. You can remove the existing role and then add a different role to an instance profile. You must then wait for the change to appear across all of AWS because of eventual consistency. To force the change, you must disassociate the instance profile and then associate the instance profile, or you can stop your instance and then restart it.
The caller of this operation must be granted the PassRole permission on the IAM role by a permissions policy.
For more information about roles, see Working with roles. For more information about instance profiles, see About instance profiles.
", + "AddRoleToInstanceProfile": "Adds the specified IAM role to the specified instance profile. An instance profile can contain only one role, and this quota cannot be increased. You can remove the existing role and then add a different role to an instance profile. You must then wait for the change to appear across all of Amazon Web Services because of eventual consistency. To force the change, you must disassociate the instance profile and then associate the instance profile, or you can stop your instance and then restart it.
The caller of this operation must be granted the PassRole permission on the IAM role by a permissions policy.
For more information about roles, see Working with roles. For more information about instance profiles, see About instance profiles.
", "AddUserToGroup": "Adds the specified user to the specified group.
", "AttachGroupPolicy": "Attaches the specified managed policy to the specified IAM group.
You use this operation to attach a managed policy to a group. To embed an inline policy in a group, use PutGroupPolicy.
As a best practice, you can validate your IAM policies. To learn more, see Validating IAM policies in the IAM User Guide.
For more information about policies, see Managed policies and inline policies in the IAM User Guide.
", "AttachRolePolicy": "Attaches the specified managed policy to the specified IAM role. When you attach a managed policy to a role, the managed policy becomes part of the role's permission (access) policy.
You cannot use a managed policy as the role's trust policy. The role's trust policy is created at the same time as the role, using CreateRole. You can update a role's trust policy using UpdateAssumeRolePolicy.
Use this operation to attach a managed policy to a role. To embed an inline policy in a role, use PutRolePolicy. For more information about policies, see Managed policies and inline policies in the IAM User Guide.
As a best practice, you can validate your IAM policies. To learn more, see Validating IAM policies in the IAM User Guide.
", "AttachUserPolicy": "Attaches the specified managed policy to the specified user.
You use this operation to attach a managed policy to a user. To embed an inline policy in a user, use PutUserPolicy.
As a best practice, you can validate your IAM policies. To learn more, see Validating IAM policies in the IAM User Guide.
For more information about policies, see Managed policies and inline policies in the IAM User Guide.
", - "ChangePassword": "Changes the password of the IAM user who is calling this operation. This operation can be performed using the AWS CLI, the AWS API, or the My Security Credentials page in the AWS Management Console. The AWS account root user password is not affected by this operation.
Use UpdateLoginProfile to use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user. For more information about modifying passwords, see Managing passwords in the IAM User Guide.
", - "CreateAccessKey": " Creates a new AWS secret access key and corresponding AWS access key ID for the specified user. The default status for new keys is Active.
If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials. This is true even if the AWS account has no associated users.
For information about quotas on the number of keys you can create, see IAM and STS quotas in the IAM User Guide.
To ensure the security of your AWS account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.
Creates an alias for your AWS account. For information about using an AWS account alias, see Using an alias for your AWS account ID in the IAM User Guide.
", + "ChangePassword": "Changes the password of the IAM user who is calling this operation. This operation can be performed using the CLI, the Amazon Web Services API, or the My Security Credentials page in the Management Console. The account root user password is not affected by this operation.
Use UpdateLoginProfile to use the CLI, the Amazon Web Services API, or the Users page in the IAM console to change the password for any IAM user. For more information about modifying passwords, see Managing passwords in the IAM User Guide.
", + "CreateAccessKey": " Creates a new Amazon Web Services secret access key and corresponding Amazon Web Services access key ID for the specified user. The default status for new keys is Active.
If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web Services access key ID signing the request. This operation works for access keys under the account. Consequently, you can use this operation to manage account root user credentials. This is true even if the account has no associated users.
For information about quotas on the number of keys you can create, see IAM and STS quotas in the IAM User Guide.
To ensure the security of your account, the secret access key is accessible only during key and user creation. You must save the key (for example, in a text file) if you want to be able to access it again. If a secret key is lost, you can delete the access keys for the associated user and then create new keys.
Creates an alias for your account. For information about using an account alias, see Using an alias for your account ID in the IAM User Guide.
", "CreateGroup": "Creates a new group.
For information about the number of groups you can create, see IAM and STS quotas in the IAM User Guide.
", "CreateInstanceProfile": "Creates a new instance profile. For information about instance profiles, see Using roles for applications on Amazon EC2 in the IAM User Guide, and Instance profiles in the Amazon EC2 User Guide.
For information about the number of instance profiles you can create, see IAM object quotas in the IAM User Guide.
", - "CreateLoginProfile": "Creates a password for the specified IAM user. A password allows an IAM user to access AWS services through the AWS Management Console.
You can use the AWS CLI, the AWS API, or the Users page in the IAM console to create a password for any IAM user. Use ChangePassword to update your own existing password in the My Security Credentials page in the AWS Management Console.
For more information about managing passwords, see Managing passwords in the IAM User Guide.
", - "CreateOpenIDConnectProvider": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).
The OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between AWS and the OIDC provider.
If you are using an OIDC identity provider from Google, Facebook, or Amazon Cognito, you don't need to create a separate IAM identity provider. These OIDC identity providers are already built-in to AWS and are available for your use. Instead, you can move directly to creating new roles using your identity provider. To learn more, see Creating a role for web identity or OpenID connect federation in the IAM User Guide.
When you create the IAM OIDC provider, you specify the following:
The URL of the OIDC identity provider (IdP) to trust
A list of client IDs (also known as audiences) that identify the application or applications that are allowed to authenticate using the OIDC provider
A list of thumbprints of one or more server certificates that the IdP uses
You get all of this information from the OIDC IdP that you want to use to access AWS.
The trust for the OIDC provider is derived from the IAM provider that this operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvider operation to highly privileged users.
Creates a new managed policy for your AWS account.
This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default version. For more information about policy versions, see Versioning for managed policies in the IAM User Guide.
As a best practice, you can validate your IAM policies. To learn more, see Validating IAM policies in the IAM User Guide.
For more information about managed policies in general, see Managed policies and inline policies in the IAM User Guide.
", + "CreateLoginProfile": "Creates a password for the specified IAM user. A password allows an IAM user to access Amazon Web Services services through the Management Console.
You can use the CLI, the Amazon Web Services API, or the Users page in the IAM console to create a password for any IAM user. Use ChangePassword to update your own existing password in the My Security Credentials page in the Management Console.
For more information about managing passwords, see Managing passwords in the IAM User Guide.
", + "CreateOpenIDConnectProvider": "Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).
The OIDC provider that you create with this operation can be used as a principal in a role's trust policy. Such a policy establishes a trust relationship between Amazon Web Services and the OIDC provider.
If you are using an OIDC identity provider from Google, Facebook, or Amazon Cognito, you don't need to create a separate IAM identity provider. These OIDC identity providers are already built-in to Amazon Web Services and are available for your use. Instead, you can move directly to creating new roles using your identity provider. To learn more, see Creating a role for web identity or OpenID connect federation in the IAM User Guide.
When you create the IAM OIDC provider, you specify the following:
The URL of the OIDC identity provider (IdP) to trust
A list of client IDs (also known as audiences) that identify the application or applications allowed to authenticate using the OIDC provider
A list of thumbprints of one or more server certificates that the IdP uses
You get all of this information from the OIDC IdP that you want to use to access Amazon Web Services.
The trust for the OIDC provider is derived from the IAM provider that this operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvider operation to highly privileged users.
Creates a new managed policy for your account.
This operation creates a policy version with a version identifier of v1 and sets v1 as the policy's default version. For more information about policy versions, see Versioning for managed policies in the IAM User Guide.
As a best practice, you can validate your IAM policies. To learn more, see Validating IAM policies in the IAM User Guide.
For more information about managed policies in general, see Managed policies and inline policies in the IAM User Guide.
", "CreatePolicyVersion": "Creates a new version of the specified managed policy. To update a managed policy, you create a new policy version. A managed policy can have up to five versions. If the policy has five versions, you must delete an existing version using DeletePolicyVersion before you create a new version.
Optionally, you can set the new version as the policy's default version. The default version is the version that is in effect for the IAM users, groups, and roles to which the policy is attached.
For more information about managed policy versions, see Versioning for managed policies in the IAM User Guide.
", - "CreateRole": "Creates a new role for your AWS account. For more information about roles, see IAM roles. For information about quotas for role names and the number of roles you can create, see IAM and STS quotas in the IAM User Guide.
", - "CreateSAMLProvider": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.
The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the AWS Management Console or one that supports API access to AWS.
When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.
This operation requires Signature Version 4.
For more information, see Enabling SAML 2.0 federated users to access the AWS Management Console and About SAML 2.0-based federation in the IAM User Guide.
", - "CreateServiceLinkedRole": "Creates an IAM role that is linked to a specific AWS service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your AWS resources into an unknown state. Allowing the service to control the role helps improve service stability and proper cleanup when a service and its role are no longer needed. For more information, see Using service-linked roles in the IAM User Guide.
To attach a policy to this service-linked role, you must make the request using the AWS service that depends on this role.
", - "CreateServiceSpecificCredential": "Generates a set of credentials consisting of a user name and password that can be used to access the service specified in the request. These credentials are generated by IAM, and can be used only for the specified service.
You can have a maximum of two sets of service-specific credentials for each supported service per user.
You can create service-specific credentials for AWS CodeCommit and Amazon Keyspaces (for Apache Cassandra).
You can reset the password to a new service-generated value by calling ResetServiceSpecificCredential.
For more information about service-specific credentials, see Using IAM with AWS CodeCommit: Git credentials, SSH keys, and AWS access keys in the IAM User Guide.
", - "CreateUser": "Creates a new IAM user for your AWS account.
For information about quotas for the number of IAM users you can create, see IAM and STS quotas in the IAM User Guide.
", - "CreateVirtualMFADevice": "Creates a new virtual MFA device for the AWS account. After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user. For more information about creating and working with virtual MFA devices, see Using a virtual MFA device in the IAM User Guide.
For information about the maximum number of MFA devices you can create, see IAM and STS quotas in the IAM User Guide.
The seed information contained in the QR code and the Base32 string should be treated like any other secret access information. In other words, protect the seed information as you would your AWS access keys or your passwords. After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.
Creates a new role for your account. For more information about roles, see IAM roles. For information about quotas for role names and the number of roles you can create, see IAM and STS quotas in the IAM User Guide.
", + "CreateSAMLProvider": "Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2.0.
The SAML provider resource that you create with this operation can be used as a principal in an IAM role's trust policy. Such a policy can enable federated users who sign in using the SAML IdP to assume the role. You can create an IAM role that supports Web-based single sign-on (SSO) to the Management Console or one that supports API access to Amazon Web Services.
When you create the SAML provider resource, you upload a SAML metadata document that you get from your IdP. That document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that the IdP sends. You must generate the metadata document using the identity management software that is used as your organization's IdP.
This operation requires Signature Version 4.
For more information, see Enabling SAML 2.0 federated users to access the Management Console and About SAML 2.0-based federation in the IAM User Guide.
", + "CreateServiceLinkedRole": "Creates an IAM role that is linked to a specific Amazon Web Services service. The service controls the attached policies and when the role can be deleted. This helps ensure that the service is not broken by an unexpectedly changed or deleted role, which could put your Amazon Web Services resources into an unknown state. Allowing the service to control the role helps improve service stability and proper cleanup when a service and its role are no longer needed. For more information, see Using service-linked roles in the IAM User Guide.
To attach a policy to this service-linked role, you must make the request using the Amazon Web Services service that depends on this role.
", + "CreateServiceSpecificCredential": "Generates a set of credentials consisting of a user name and password that can be used to access the service specified in the request. These credentials are generated by IAM, and can be used only for the specified service.
You can have a maximum of two sets of service-specific credentials for each supported service per user.
You can create service-specific credentials for CodeCommit and Amazon Keyspaces (for Apache Cassandra).
You can reset the password to a new service-generated value by calling ResetServiceSpecificCredential.
For more information about service-specific credentials, see Using IAM with CodeCommit: Git credentials, SSH keys, and Amazon Web Services access keys in the IAM User Guide.
", + "CreateUser": "Creates a new IAM user for your account.
For information about quotas for the number of IAM users you can create, see IAM and STS quotas in the IAM User Guide.
", + "CreateVirtualMFADevice": "Creates a new virtual MFA device for the account. After creating the virtual MFA, use EnableMFADevice to attach the MFA device to an IAM user. For more information about creating and working with virtual MFA devices, see Using a virtual MFA device in the IAM User Guide.
For information about the maximum number of MFA devices you can create, see IAM and STS quotas in the IAM User Guide.
The seed information contained in the QR code and the Base32 string should be treated like any other secret access information. In other words, protect the seed information as you would your Amazon Web Services access keys or your passwords. After you provision your virtual device, you should ensure that the information is destroyed following secure procedures.
Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled.
For more information about creating and working with virtual MFA devices, see Enabling a virtual multi-factor authentication (MFA) device in the IAM User Guide.
", - "DeleteAccessKey": "Deletes the access key pair associated with the specified IAM user.
If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials even if the AWS account has no associated users.
", - "DeleteAccountAlias": "Deletes the specified AWS account alias. For information about using an AWS account alias, see Using an alias for your AWS account ID in the IAM User Guide.
", - "DeleteAccountPasswordPolicy": "Deletes the password policy for the AWS account. There are no parameters.
", + "DeleteAccessKey": "Deletes the access key pair associated with the specified IAM user.
If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web Services access key ID signing the request. This operation works for access keys under the account. Consequently, you can use this operation to manage account root user credentials even if the account has no associated users.
", + "DeleteAccountAlias": "Deletes the specified account alias. For information about using an Amazon Web Services account alias, see Using an alias for your account ID in the IAM User Guide.
", + "DeleteAccountPasswordPolicy": "Deletes the password policy for the account. There are no parameters.
", "DeleteGroup": "Deletes the specified IAM group. The group must not contain any users or have any attached policies.
", "DeleteGroupPolicy": "Deletes the specified inline policy that is embedded in the specified IAM group.
A group can also have managed policies attached to it. To detach a managed policy from a group, use DetachGroupPolicy. For more information about policies, refer to Managed policies and inline policies in the IAM User Guide.
", "DeleteInstanceProfile": "Deletes the specified instance profile. The instance profile must not have an associated role.
Make sure that you do not have any Amazon EC2 instances running with the instance profile you are about to delete. Deleting a role or instance profile that is associated with a running instance will break any applications running on the instance.
For more information about instance profiles, see About instance profiles.
", - "DeleteLoginProfile": "Deletes the password for the specified IAM user, which terminates the user's ability to access AWS services through the AWS Management Console.
You can use the AWS CLI, the AWS API, or the Users page in the IAM console to delete a password for any IAM user. You can use ChangePassword to update, but not delete, your own password in the My Security Credentials page in the AWS Management Console.
Deleting a user's password does not prevent a user from accessing AWS through the command line interface or the API. To prevent all user access, you must also either make any access keys inactive or delete them. For more information about making keys inactive or deleting them, see UpdateAccessKey and DeleteAccessKey.
Deletes the password for the specified IAM user, which terminates the user's ability to access Amazon Web Services services through the Management Console.
You can use the CLI, the Amazon Web Services API, or the Users page in the IAM console to delete a password for any IAM user. You can use ChangePassword to update, but not delete, your own password in the My Security Credentials page in the Management Console.
Deleting a user's password does not prevent a user from accessing Amazon Web Services through the command line interface or the API. To prevent all user access, you must also either make any access keys inactive or delete them. For more information about making keys inactive or deleting them, see UpdateAccessKey and DeleteAccessKey.
Deletes an OpenID Connect identity provider (IdP) resource object in IAM.
Deleting an IAM OIDC provider resource does not update any roles that reference the provider as a principal in their trust policies. Any attempt to assume a role that references a deleted provider fails.
This operation is idempotent; it does not fail or return an error if you call the operation for a provider that does not exist.
", "DeletePolicy": "Deletes the specified managed policy.
Before you can delete a managed policy, you must first detach the policy from all users, groups, and roles that it is attached to. In addition, you must delete all the policy's versions. The following steps describe the process for deleting a managed policy:
Detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy. To list all the users, groups, and roles that a policy is attached to, use ListEntitiesForPolicy.
Delete all versions of the policy using DeletePolicyVersion. To list the policy's versions, use ListPolicyVersions. You cannot use DeletePolicyVersion to delete the version that is marked as the default version. You delete the policy's default version in the next step of the process.
Delete the policy (this automatically deletes the policy's default version) using this operation.
For information about managed policies, see Managed policies and inline policies in the IAM User Guide.
", "DeletePolicyVersion": "Deletes the specified version from the specified managed policy.
You cannot delete the default version from a policy using this operation. To delete the default version from a policy, use DeletePolicy. To find out which version of a policy is marked as the default version, use ListPolicyVersions.
For information about versions for managed policies, see Versioning for managed policies in the IAM User Guide.
", @@ -38,12 +38,12 @@ "DeleteRolePermissionsBoundary": "Deletes the permissions boundary for the specified IAM role.
Deleting the permissions boundary for a role might increase its permissions. For example, it might allow anyone who assumes the role to perform all the actions granted in its permissions policies.
Deletes the specified inline policy that is embedded in the specified IAM role.
A role can also have managed policies attached to it. To detach a managed policy from a role, use DetachRolePolicy. For more information about policies, refer to Managed policies and inline policies in the IAM User Guide.
", "DeleteSAMLProvider": "Deletes a SAML provider resource in IAM.
Deleting the provider resource from IAM does not update any roles that reference the SAML provider resource's ARN as a principal in their trust policies. Any attempt to assume a role that references a non-existent provider resource ARN fails.
This operation requires Signature Version 4.
Deletes the specified SSH public key.
The SSH public key deleted by this operation is used only for authenticating the associated IAM user to an AWS CodeCommit repository. For more information about using SSH keys to authenticate to an AWS CodeCommit repository, see Set up AWS CodeCommit for SSH connections in the AWS CodeCommit User Guide.
", - "DeleteServerCertificate": "Deletes the specified server certificate.
For more information about working with server certificates, see Working with server certificates in the IAM User Guide. This topic also includes a list of AWS services that can use the server certificates that you manage with IAM.
If you are using a server certificate with Elastic Load Balancing, deleting the certificate could have implications for your application. If Elastic Load Balancing doesn't detect the deletion of bound certificates, it may continue to use the certificates. This could cause Elastic Load Balancing to stop accepting traffic. We recommend that you remove the reference to the certificate from Elastic Load Balancing before using this command to delete the certificate. For more information, see DeleteLoadBalancerListeners in the Elastic Load Balancing API Reference.
Submits a service-linked role deletion request and returns a DeletionTaskId, which you can use to check the status of the deletion. Before you call this operation, confirm that the role has no active sessions and that any resources used by the role in the linked service are deleted. If you call this operation more than once for the same service-linked role and an earlier deletion task is not complete, then the DeletionTaskId of the earlier request is returned.
If you submit a deletion request for a service-linked role whose linked service is still accessing a resource, then the deletion task fails. If it fails, the GetServiceLinkedRoleDeletionStatus operation returns the reason for the failure, usually including the resources that must be deleted. To delete the service-linked role, you must first remove those resources from the linked service and then submit the deletion request again. Resources are specific to the service that is linked to the role. For more information about removing resources from a service, see the AWS documentation for your service.
For more information about service-linked roles, see Roles terms and concepts: AWS service-linked role in the IAM User Guide.
", + "DeleteSSHPublicKey": "Deletes the specified SSH public key.
The SSH public key deleted by this operation is used only for authenticating the associated IAM user to an CodeCommit repository. For more information about using SSH keys to authenticate to an CodeCommit repository, see Set up CodeCommit for SSH connections in the CodeCommit User Guide.
", + "DeleteServerCertificate": "Deletes the specified server certificate.
For more information about working with server certificates, see Working with server certificates in the IAM User Guide. This topic also includes a list of Amazon Web Services services that can use the server certificates that you manage with IAM.
If you are using a server certificate with Elastic Load Balancing, deleting the certificate could have implications for your application. If Elastic Load Balancing doesn't detect the deletion of bound certificates, it may continue to use the certificates. This could cause Elastic Load Balancing to stop accepting traffic. We recommend that you remove the reference to the certificate from Elastic Load Balancing before using this command to delete the certificate. For more information, see DeleteLoadBalancerListeners in the Elastic Load Balancing API Reference.
Submits a service-linked role deletion request and returns a DeletionTaskId, which you can use to check the status of the deletion. Before you call this operation, confirm that the role has no active sessions and that any resources used by the role in the linked service are deleted. If you call this operation more than once for the same service-linked role and an earlier deletion task is not complete, then the DeletionTaskId of the earlier request is returned.
If you submit a deletion request for a service-linked role whose linked service is still accessing a resource, then the deletion task fails. If it fails, the GetServiceLinkedRoleDeletionStatus operation returns the reason for the failure, usually including the resources that must be deleted. To delete the service-linked role, you must first remove those resources from the linked service and then submit the deletion request again. Resources are specific to the service that is linked to the role. For more information about removing resources from a service, see the Amazon Web Services documentation for your service.
For more information about service-linked roles, see Roles terms and concepts: Amazon Web Services service-linked role in the IAM User Guide.
", "DeleteServiceSpecificCredential": "Deletes the specified service-specific credential.
", - "DeleteSigningCertificate": "Deletes a signing certificate associated with the specified IAM user.
If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials even if the AWS account has no associated IAM users.
", - "DeleteUser": "Deletes the specified IAM user. Unlike the AWS Management Console, when you delete a user programmatically, you must delete the items attached to the user manually, or the deletion fails. For more information, see Deleting an IAM user. Before attempting to delete a user, remove the following items:
Password (DeleteLoginProfile)
Access keys (DeleteAccessKey)
Signing certificate (DeleteSigningCertificate)
SSH public key (DeleteSSHPublicKey)
Git credentials (DeleteServiceSpecificCredential)
Multi-factor authentication (MFA) device (DeactivateMFADevice, DeleteVirtualMFADevice)
Inline policies (DeleteUserPolicy)
Attached managed policies (DetachUserPolicy)
Group memberships (RemoveUserFromGroup)
Deletes a signing certificate associated with the specified IAM user.
If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web Services access key ID signing the request. This operation works for access keys under the account. Consequently, you can use this operation to manage account root user credentials even if the account has no associated IAM users.
", + "DeleteUser": "Deletes the specified IAM user. Unlike the Management Console, when you delete a user programmatically, you must delete the items attached to the user manually, or the deletion fails. For more information, see Deleting an IAM user. Before attempting to delete a user, remove the following items:
Password (DeleteLoginProfile)
Access keys (DeleteAccessKey)
Signing certificate (DeleteSigningCertificate)
SSH public key (DeleteSSHPublicKey)
Git credentials (DeleteServiceSpecificCredential)
Multi-factor authentication (MFA) device (DeactivateMFADevice, DeleteVirtualMFADevice)
Inline policies (DeleteUserPolicy)
Attached managed policies (DetachUserPolicy)
Group memberships (RemoveUserFromGroup)
Deletes the permissions boundary for the specified IAM user.
Deleting the permissions boundary for a user might increase its permissions by allowing the user to perform all the actions granted in its permissions policies.
Deletes the specified inline policy that is embedded in the specified IAM user.
A user can also have managed policies attached to it. To detach a managed policy from a user, use DetachUserPolicy. For more information about policies, refer to Managed policies and inline policies in the IAM User Guide.
", "DeleteVirtualMFADevice": "Deletes a virtual MFA device.
You must deactivate a user's virtual MFA device before you can delete it. For information about deactivating MFA devices, see DeactivateMFADevice.
Removes the specified managed policy from the specified role.
A role can also have inline policies embedded with it. To delete an inline policy, use DeleteRolePolicy. For information about policies, see Managed policies and inline policies in the IAM User Guide.
", "DetachUserPolicy": "Removes the specified managed policy from the specified user.
A user can also have inline policies embedded with it. To delete an inline policy, use DeleteUserPolicy. For information about policies, see Managed policies and inline policies in the IAM User Guide.
", "EnableMFADevice": "Enables the specified MFA device and associates it with the specified IAM user. When enabled, the MFA device is required for every subsequent login by the IAM user associated with the device.
", - "GenerateCredentialReport": "Generates a credential report for the AWS account. For more information about the credential report, see Getting credential reports in the IAM User Guide.
", - "GenerateOrganizationsAccessReport": "Generates a report for service last accessed data for AWS Organizations. You can generate a report for any entities (organization root, organizational unit, or account) or policies in your organization.
To call this operation, you must be signed in using your AWS Organizations management account credentials. You can use your long-term IAM user or root user credentials, or temporary credentials from assuming an IAM role. SCPs must be enabled for your organization root. You must have the required IAM and AWS Organizations permissions. For more information, see Refining permissions using service last accessed data in the IAM User Guide.
You can generate a service last accessed data report for entities by specifying only the entity's path. This data includes a list of services that are allowed by any service control policies (SCPs) that apply to the entity.
You can generate a service last accessed data report for a policy by specifying an entity's path and an optional AWS Organizations policy ID. This data includes a list of services that are allowed by the specified SCP.
For each service in both report types, the data includes the most recent account activity that the policy allows to account principals in the entity or the entity's children. For important information about the data, reporting period, permissions required, troubleshooting, and supported Regions see Reducing permissions using service last accessed data in the IAM User Guide.
The data includes all attempts to access AWS, not just the successful ones. This includes all attempts that were made using the AWS Management Console, the AWS API through any of the SDKs, or any of the command line tools. An unexpected entry in the service last accessed data does not mean that an account has been compromised, because the request might have been denied. Refer to your CloudTrail logs as the authoritative source for information about all API calls and whether they were successful or denied access. For more information, see Logging IAM events with CloudTrail in the IAM User Guide.
This operation returns a JobId. Use this parameter in the GetOrganizationsAccessReport operation to check the status of the report generation. To check the status of this request, use the JobId parameter in the GetOrganizationsAccessReport operation and test the JobStatus response parameter. When the job is complete, you can retrieve the report.
To generate a service last accessed data report for entities, specify an entity path without specifying the optional AWS Organizations policy ID. The type of entity that you specify determines the data returned in the report.
Root – When you specify the organizations root as the entity, the resulting report lists all of the services allowed by SCPs that are attached to your root. For each service, the report includes data for all accounts in your organization except the management account, because the management account is not limited by SCPs.
OU – When you specify an organizational unit (OU) as the entity, the resulting report lists all of the services allowed by SCPs that are attached to the OU and its parents. For each service, the report includes data for all accounts in the OU or its children. This data excludes the management account, because the management account is not limited by SCPs.
management account – When you specify the management account, the resulting report lists all AWS services, because the management account is not limited by SCPs. For each service, the report includes data for only the management account.
Account – When you specify another account as the entity, the resulting report lists all of the services allowed by SCPs that are attached to the account and its parents. For each service, the report includes data for only the specified account.
To generate a service last accessed data report for policies, specify an entity path and the optional AWS Organizations policy ID. The type of entity that you specify determines the data returned for each service.
Root – When you specify the root entity and a policy ID, the resulting report lists all of the services that are allowed by the specified SCP. For each service, the report includes data for all accounts in your organization to which the SCP applies. This data excludes the management account, because the management account is not limited by SCPs. If the SCP is not attached to any entities in the organization, then the report will return a list of services with no data.
OU – When you specify an OU entity and a policy ID, the resulting report lists all of the services that are allowed by the specified SCP. For each service, the report includes data for all accounts in the OU or its children to which the SCP applies. This means that other accounts outside the OU that are affected by the SCP might not be included in the data. This data excludes the management account, because the management account is not limited by SCPs. If the SCP is not attached to the OU or one of its children, the report will return a list of services with no data.
management account – When you specify the management account, the resulting report lists all AWS services, because the management account is not limited by SCPs. If you specify a policy ID in the CLI or API, the policy is ignored. For each service, the report includes data for only the management account.
Account – When you specify another account entity and a policy ID, the resulting report lists all of the services that are allowed by the specified SCP. For each service, the report includes data for only the specified account. This means that other accounts in the organization that are affected by the SCP might not be included in the data. If the SCP is not attached to the account, the report will return a list of services with no data.
Service last accessed data does not use other policy types when determining whether a principal could access a service. These other policy types include identity-based policies, resource-based policies, access control lists, IAM permissions boundaries, and STS assume role policies. It only applies SCP logic. For more about the evaluation of policy types, see Evaluating policies in the IAM User Guide.
For more information about service last accessed data, see Reducing policy scope by viewing user activity in the IAM User Guide.
", - "GenerateServiceLastAccessedDetails": "Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access AWS services. Recent activity usually appears within four hours. IAM reports activity for the last 365 days, or less if your Region began supporting this feature within the last year. For more information, see Regions where data is tracked.
The service last accessed data includes all attempts to access an AWS API, not just the successful ones. This includes all attempts that were made using the AWS Management Console, the AWS API through any of the SDKs, or any of the command line tools. An unexpected entry in the service last accessed data does not mean that your account has been compromised, because the request might have been denied. Refer to your CloudTrail logs as the authoritative source for information about all API calls and whether they were successful or denied access. For more information, see Logging IAM events with CloudTrail in the IAM User Guide.
The GenerateServiceLastAccessedDetails operation returns a JobId. Use this parameter in the following operations to retrieve the following details from your report:
GetServiceLastAccessedDetails – Use this operation for users, groups, roles, or policies to list every AWS service that the resource could access using permissions policies. For each service, the response includes information about the most recent access attempt.
The JobId returned by GenerateServiceLastAccessedDetail must be used by the same role within a session, or by the same user when used to call GetServiceLastAccessedDetail.
GetServiceLastAccessedDetailsWithEntities – Use this operation for groups and policies to list information about the associated entities (users or roles) that attempted to access a specific AWS service.
To check the status of the GenerateServiceLastAccessedDetails request, use the JobId parameter in the same operations and test the JobStatus response parameter.
For additional information about the permissions policies that allow an identity (user, group, or role) to access specific services, use the ListPoliciesGrantingServiceAccess operation.
Service last accessed data does not use other policy types when determining whether a resource could access a service. These other policy types include resource-based policies, access control lists, AWS Organizations policies, IAM permissions boundaries, and AWS STS assume role policies. It only applies permissions policy logic. For more about the evaluation of policy types, see Evaluating policies in the IAM User Guide.
For more information about service and action last accessed data, see Reducing permissions using service last accessed data in the IAM User Guide.
", - "GetAccessKeyLastUsed": "Retrieves information about when the specified access key was last used. The information includes the date and time of last use, along with the AWS service and Region that were specified in the last request made with that key.
", - "GetAccountAuthorizationDetails": "Retrieves information about all IAM users, groups, roles, and policies in your AWS account, including their relationships to one another. Use this operation to obtain a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) in your account.
Policies returned by this operation are URL-encoded compliant with RFC 3986. You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.
You can optionally filter the results using the Filter parameter. You can paginate the results using the MaxItems and Marker parameters.
Retrieves the password policy for the AWS account. This tells you the complexity requirements and mandatory rotation periods for the IAM user passwords in your account. For more information about using a password policy, see Managing an IAM password policy.
", - "GetAccountSummary": "Retrieves information about IAM entity usage and IAM quotas in the AWS account.
For information about IAM quotas, see IAM and STS quotas in the IAM User Guide.
", - "GetContextKeysForCustomPolicy": "Gets a list of all of the context keys referenced in the input policies. The policies are supplied as a list of one or more strings. To get the context keys from policies associated with an IAM user, group, or role, use GetContextKeysForPrincipalPolicy.
Context keys are variables maintained by AWS and its services that provide details about the context of an API query request. Context keys can be evaluated by testing against a value specified in an IAM policy. Use GetContextKeysForCustomPolicy to understand what key names and values you must supply when you call SimulateCustomPolicy. Note that all parameters are shown in unencoded form here for clarity but must be URL encoded to be included as a part of a real HTML request.
Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of.
You can optionally include a list of one or more additional policies, specified as strings. If you want to include only a list of policies by string, use GetContextKeysForCustomPolicy instead.
Note: This operation discloses information about the permissions granted to other users. If you do not want users to see other user's permissions, then consider allowing them to use GetContextKeysForCustomPolicy instead.
Context keys are variables maintained by AWS and its services that provide details about the context of an API query request. Context keys can be evaluated by testing against a value in an IAM policy. Use GetContextKeysForPrincipalPolicy to understand what key names and values you must supply when you call SimulatePrincipalPolicy.
", - "GetCredentialReport": "Retrieves a credential report for the AWS account. For more information about the credential report, see Getting credential reports in the IAM User Guide.
", + "GenerateCredentialReport": "Generates a credential report for the account. For more information about the credential report, see Getting credential reports in the IAM User Guide.
", + "GenerateOrganizationsAccessReport": "Generates a report for service last accessed data for Organizations. You can generate a report for any entities (organization root, organizational unit, or account) or policies in your organization.
To call this operation, you must be signed in using your Organizations management account credentials. You can use your long-term IAM user or root user credentials, or temporary credentials from assuming an IAM role. SCPs must be enabled for your organization root. You must have the required IAM and Organizations permissions. For more information, see Refining permissions using service last accessed data in the IAM User Guide.
You can generate a service last accessed data report for entities by specifying only the entity's path. This data includes a list of services that are allowed by any service control policies (SCPs) that apply to the entity.
You can generate a service last accessed data report for a policy by specifying an entity's path and an optional Organizations policy ID. This data includes a list of services that are allowed by the specified SCP.
For each service in both report types, the data includes the most recent account activity that the policy allows to account principals in the entity or the entity's children. For important information about the data, reporting period, permissions required, troubleshooting, and supported Regions see Reducing permissions using service last accessed data in the IAM User Guide.
The data includes all attempts to access Amazon Web Services, not just the successful ones. This includes all attempts that were made using the Management Console, the Amazon Web Services API through any of the SDKs, or any of the command line tools. An unexpected entry in the service last accessed data does not mean that an account has been compromised, because the request might have been denied. Refer to your CloudTrail logs as the authoritative source for information about all API calls and whether they were successful or denied access. For more information, see Logging IAM events with CloudTrail in the IAM User Guide.
This operation returns a JobId. Use this parameter in the GetOrganizationsAccessReport operation to check the status of the report generation. To check the status of this request, use the JobId parameter in the GetOrganizationsAccessReport operation and test the JobStatus response parameter. When the job is complete, you can retrieve the report.
To generate a service last accessed data report for entities, specify an entity path without specifying the optional Organizations policy ID. The type of entity that you specify determines the data returned in the report.
Root – When you specify the organizations root as the entity, the resulting report lists all of the services allowed by SCPs that are attached to your root. For each service, the report includes data for all accounts in your organization except the management account, because the management account is not limited by SCPs.
OU – When you specify an organizational unit (OU) as the entity, the resulting report lists all of the services allowed by SCPs that are attached to the OU and its parents. For each service, the report includes data for all accounts in the OU or its children. This data excludes the management account, because the management account is not limited by SCPs.
management account – When you specify the management account, the resulting report lists all Amazon Web Services services, because the management account is not limited by SCPs. For each service, the report includes data for only the management account.
Account – When you specify another account as the entity, the resulting report lists all of the services allowed by SCPs that are attached to the account and its parents. For each service, the report includes data for only the specified account.
To generate a service last accessed data report for policies, specify an entity path and the optional Organizations policy ID. The type of entity that you specify determines the data returned for each service.
Root – When you specify the root entity and a policy ID, the resulting report lists all of the services that are allowed by the specified SCP. For each service, the report includes data for all accounts in your organization to which the SCP applies. This data excludes the management account, because the management account is not limited by SCPs. If the SCP is not attached to any entities in the organization, then the report will return a list of services with no data.
OU – When you specify an OU entity and a policy ID, the resulting report lists all of the services that are allowed by the specified SCP. For each service, the report includes data for all accounts in the OU or its children to which the SCP applies. This means that other accounts outside the OU that are affected by the SCP might not be included in the data. This data excludes the management account, because the management account is not limited by SCPs. If the SCP is not attached to the OU or one of its children, the report will return a list of services with no data.
management account – When you specify the management account, the resulting report lists all Amazon Web Services services, because the management account is not limited by SCPs. If you specify a policy ID in the CLI or API, the policy is ignored. For each service, the report includes data for only the management account.
Account – When you specify another account entity and a policy ID, the resulting report lists all of the services that are allowed by the specified SCP. For each service, the report includes data for only the specified account. This means that other accounts in the organization that are affected by the SCP might not be included in the data. If the SCP is not attached to the account, the report will return a list of services with no data.
Service last accessed data does not use other policy types when determining whether a principal could access a service. These other policy types include identity-based policies, resource-based policies, access control lists, IAM permissions boundaries, and STS assume role policies. It only applies SCP logic. For more about the evaluation of policy types, see Evaluating policies in the IAM User Guide.
For more information about service last accessed data, see Reducing policy scope by viewing user activity in the IAM User Guide.
", + "GenerateServiceLastAccessedDetails": "Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access Amazon Web Services services. Recent activity usually appears within four hours. IAM reports activity for the last 365 days, or less if your Region began supporting this feature within the last year. For more information, see Regions where data is tracked.
The service last accessed data includes all attempts to access an Amazon Web Services API, not just the successful ones. This includes all attempts that were made using the Management Console, the Amazon Web Services API through any of the SDKs, or any of the command line tools. An unexpected entry in the service last accessed data does not mean that your account has been compromised, because the request might have been denied. Refer to your CloudTrail logs as the authoritative source for information about all API calls and whether they were successful or denied access. For more information, see Logging IAM events with CloudTrail in the IAM User Guide.
The GenerateServiceLastAccessedDetails operation returns a JobId. Use this parameter in the following operations to retrieve the following details from your report:
GetServiceLastAccessedDetails – Use this operation for users, groups, roles, or policies to list every Amazon Web Services service that the resource could access using permissions policies. For each service, the response includes information about the most recent access attempt.
The JobId returned by GenerateServiceLastAccessedDetail must be used by the same role within a session, or by the same user when used to call GetServiceLastAccessedDetail.
GetServiceLastAccessedDetailsWithEntities – Use this operation for groups and policies to list information about the associated entities (users or roles) that attempted to access a specific Amazon Web Services service.
To check the status of the GenerateServiceLastAccessedDetails request, use the JobId parameter in the same operations and test the JobStatus response parameter.
For additional information about the permissions policies that allow an identity (user, group, or role) to access specific services, use the ListPoliciesGrantingServiceAccess operation.
Service last accessed data does not use other policy types when determining whether a resource could access a service. These other policy types include resource-based policies, access control lists, Organizations policies, IAM permissions boundaries, and STS assume role policies. It only applies permissions policy logic. For more about the evaluation of policy types, see Evaluating policies in the IAM User Guide.
For more information about service and action last accessed data, see Reducing permissions using service last accessed data in the IAM User Guide.
", + "GetAccessKeyLastUsed": "Retrieves information about when the specified access key was last used. The information includes the date and time of last use, along with the Amazon Web Services service and Region that were specified in the last request made with that key.
", + "GetAccountAuthorizationDetails": "Retrieves information about all IAM users, groups, roles, and policies in your Amazon Web Services account, including their relationships to one another. Use this operation to obtain a snapshot of the configuration of IAM permissions (users, groups, roles, and policies) in your account.
Policies returned by this operation are URL-encoded compliant with RFC 3986. You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.
You can optionally filter the results using the Filter parameter. You can paginate the results using the MaxItems and Marker parameters.
Retrieves the password policy for the account. This tells you the complexity requirements and mandatory rotation periods for the IAM user passwords in your account. For more information about using a password policy, see Managing an IAM password policy.
", + "GetAccountSummary": "Retrieves information about IAM entity usage and IAM quotas in the Amazon Web Services account.
For information about IAM quotas, see IAM and STS quotas in the IAM User Guide.
", + "GetContextKeysForCustomPolicy": "Gets a list of all of the context keys referenced in the input policies. The policies are supplied as a list of one or more strings. To get the context keys from policies associated with an IAM user, group, or role, use GetContextKeysForPrincipalPolicy.
Context keys are variables maintained by Amazon Web Services and its services that provide details about the context of an API query request. Context keys can be evaluated by testing against a value specified in an IAM policy. Use GetContextKeysForCustomPolicy to understand what key names and values you must supply when you call SimulateCustomPolicy. Note that all parameters are shown in unencoded form here for clarity but must be URL encoded to be included as a part of a real HTML request.
Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity. The entity can be an IAM user, group, or role. If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of.
You can optionally include a list of one or more additional policies, specified as strings. If you want to include only a list of policies by string, use GetContextKeysForCustomPolicy instead.
Note: This operation discloses information about the permissions granted to other users. If you do not want users to see other user's permissions, then consider allowing them to use GetContextKeysForCustomPolicy instead.
Context keys are variables maintained by Amazon Web Services and its services that provide details about the context of an API query request. Context keys can be evaluated by testing against a value in an IAM policy. Use GetContextKeysForPrincipalPolicy to understand what key names and values you must supply when you call SimulatePrincipalPolicy.
", + "GetCredentialReport": "Retrieves a credential report for the account. For more information about the credential report, see Getting credential reports in the IAM User Guide.
", "GetGroup": " Returns a list of IAM users that are in the specified IAM group. You can paginate the results using the MaxItems and Marker parameters.
Retrieves the specified inline policy document that is embedded in the specified IAM group.
Policies returned by this operation are URL-encoded compliant with RFC 3986. You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.
An IAM group can also have managed policies attached to it. To retrieve a managed policy document that is attached to a group, use GetPolicy to determine the policy's default version, then use GetPolicyVersion to retrieve the policy document.
For more information about policies, see Managed policies and inline policies in the IAM User Guide.
", "GetInstanceProfile": "Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role. For more information about instance profiles, see About instance profiles in the IAM User Guide.
", - "GetLoginProfile": "Retrieves the user name and password creation date for the specified IAM user. If the user has not been assigned a password, the operation returns a 404 (NoSuchEntity) error.
Retrieves the user name for the specified IAM user. A login profile is created when you create a password for the user to access the Management Console. If the user does not exist or does not have a password, the operation returns a 404 (NoSuchEntity) error.
If you create an IAM user with access to the console, the CreateDate reflects the date you created the initial password for the user.
If you create an IAM user with programmatic access, and then later add a password for the user to access the Management Console, the CreateDate reflects the initial password creation date. A user with programmatic access does not have a login profile unless you create a password for the user to access the Management Console.
Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM.
", - "GetOrganizationsAccessReport": "Retrieves the service last accessed data report for AWS Organizations that was previously generated using the GenerateOrganizationsAccessReport operation. This operation retrieves the status of your report job and the report contents.
Depending on the parameters that you passed when you generated the report, the data returned could include different information. For details, see GenerateOrganizationsAccessReport.
To call this operation, you must be signed in to the management account in your organization. SCPs must be enabled for your organization root. You must have permissions to perform this operation. For more information, see Refining permissions using service last accessed data in the IAM User Guide.
For each service that principals in an account (root users, IAM users, or IAM roles) could access using SCPs, the operation returns details about the most recent access attempt. If there was no attempt, the service is listed without details about the most recent attempt to access the service. If the operation fails, it returns the reason that it failed.
By default, the list is sorted by service namespace.
", + "GetOrganizationsAccessReport": "Retrieves the service last accessed data report for Organizations that was previously generated using the GenerateOrganizationsAccessReport operation. This operation retrieves the status of your report job and the report contents.
Depending on the parameters that you passed when you generated the report, the data returned could include different information. For details, see GenerateOrganizationsAccessReport.
To call this operation, you must be signed in to the management account in your organization. SCPs must be enabled for your organization root. You must have permissions to perform this operation. For more information, see Refining permissions using service last accessed data in the IAM User Guide.
For each service that principals in an account (root users, IAM users, or IAM roles) could access using SCPs, the operation returns details about the most recent access attempt. If there was no attempt, the service is listed without details about the most recent attempt to access the service. If the operation fails, it returns the reason that it failed.
By default, the list is sorted by service namespace.
", "GetPolicy": "Retrieves information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached. To retrieve the list of the specific users, groups, and roles that the policy is attached to, use ListEntitiesForPolicy. This operation returns metadata about the policy. To retrieve the actual policy document for a specific version of the policy, use GetPolicyVersion.
This operation retrieves information about managed policies. To retrieve information about an inline policy that is embedded with an IAM user, group, or role, use GetUserPolicy, GetGroupPolicy, or GetRolePolicy.
For more information about policies, see Managed policies and inline policies in the IAM User Guide.
", "GetPolicyVersion": "Retrieves information about the specified version of the specified managed policy, including the policy document.
Policies returned by this operation are URL-encoded compliant with RFC 3986. You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.
To list the available versions for a policy, use ListPolicyVersions.
This operation retrieves information about managed policies. To retrieve information about an inline policy that is embedded in a user, group, or role, use GetUserPolicy, GetGroupPolicy, or GetRolePolicy.
For more information about the types of policies, see Managed policies and inline policies in the IAM User Guide.
For more information about managed policy versions, see Versioning for managed policies in the IAM User Guide.
", "GetRole": "Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role. For more information about roles, see Working with roles.
Policies returned by this operation are URL-encoded compliant with RFC 3986. You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.
Retrieves the specified inline policy document that is embedded with the specified IAM role.
Policies returned by this operation are URL-encoded compliant with RFC 3986. You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.
An IAM role can also have managed policies attached to it. To retrieve a managed policy document that is attached to a role, use GetPolicy to determine the policy's default version, then use GetPolicyVersion to retrieve the policy document.
For more information about policies, see Managed policies and inline policies in the IAM User Guide.
For more information about roles, see Using roles to delegate permissions and federate identities.
", "GetSAMLProvider": "Returns the SAML provider metadocument that was uploaded when the IAM SAML provider resource object was created or updated.
This operation requires Signature Version 4.
Retrieves the specified SSH public key, including metadata about the key.
The SSH public key retrieved by this operation is used only for authenticating the associated IAM user to an AWS CodeCommit repository. For more information about using SSH keys to authenticate to an AWS CodeCommit repository, see Set up AWS CodeCommit for SSH connections in the AWS CodeCommit User Guide.
", - "GetServerCertificate": "Retrieves information about the specified server certificate stored in IAM.
For more information about working with server certificates, see Working with server certificates in the IAM User Guide. This topic includes a list of AWS services that can use the server certificates that you manage with IAM.
", - "GetServiceLastAccessedDetails": "Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. You can use the JobId parameter in GetServiceLastAccessedDetails to retrieve the status of your report job. When the report is complete, you can retrieve the generated report. The report includes a list of AWS services that the resource (user, group, role, or managed policy) can access.
Service last accessed data does not use other policy types when determining whether a resource could access a service. These other policy types include resource-based policies, access control lists, AWS Organizations policies, IAM permissions boundaries, and AWS STS assume role policies. It only applies permissions policy logic. For more about the evaluation of policy types, see Evaluating policies in the IAM User Guide.
For each service that the resource could access using permissions policies, the operation returns details about the most recent access attempt. If there was no attempt, the service is listed without details about the most recent attempt to access the service. If the operation fails, the GetServiceLastAccessedDetails operation returns the reason that it failed.
The GetServiceLastAccessedDetails operation returns a list of services. This list includes the number of entities that have attempted to access the service and the date and time of the last attempt. It also returns the ARN of the following entity, depending on the resource ARN that you used to generate the report:
User – Returns the user ARN that you used to generate the report
Group – Returns the ARN of the group member (user) that last attempted to access the service
Role – Returns the role ARN that you used to generate the report
Policy – Returns the ARN of the user or role that last used the policy to attempt to access the service
By default, the list is sorted by service namespace.
If you specified ACTION_LEVEL granularity when you generated the report, this operation returns service and action last accessed data. This includes the most recent access attempt for each tracked action within a service. Otherwise, this operation returns only service data.
For more information about service and action last accessed data, see Reducing permissions using service last accessed data in the IAM User Guide.
", + "GetSSHPublicKey": "Retrieves the specified SSH public key, including metadata about the key.
The SSH public key retrieved by this operation is used only for authenticating the associated IAM user to an CodeCommit repository. For more information about using SSH keys to authenticate to an CodeCommit repository, see Set up CodeCommit for SSH connections in the CodeCommit User Guide.
", + "GetServerCertificate": "Retrieves information about the specified server certificate stored in IAM.
For more information about working with server certificates, see Working with server certificates in the IAM User Guide. This topic includes a list of Amazon Web Services services that can use the server certificates that you manage with IAM.
", + "GetServiceLastAccessedDetails": "Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation. You can use the JobId parameter in GetServiceLastAccessedDetails to retrieve the status of your report job. When the report is complete, you can retrieve the generated report. The report includes a list of Amazon Web Services services that the resource (user, group, role, or managed policy) can access.
Service last accessed data does not use other policy types when determining whether a resource could access a service. These other policy types include resource-based policies, access control lists, Organizations policies, IAM permissions boundaries, and STS assume role policies. It only applies permissions policy logic. For more about the evaluation of policy types, see Evaluating policies in the IAM User Guide.
For each service that the resource could access using permissions policies, the operation returns details about the most recent access attempt. If there was no attempt, the service is listed without details about the most recent attempt to access the service. If the operation fails, the GetServiceLastAccessedDetails operation returns the reason that it failed.
The GetServiceLastAccessedDetails operation returns a list of services. This list includes the number of entities that have attempted to access the service and the date and time of the last attempt. It also returns the ARN of the following entity, depending on the resource ARN that you used to generate the report:
User – Returns the user ARN that you used to generate the report
Group – Returns the ARN of the group member (user) that last attempted to access the service
Role – Returns the role ARN that you used to generate the report
Policy – Returns the ARN of the user or role that last used the policy to attempt to access the service
By default, the list is sorted by service namespace.
If you specified ACTION_LEVEL granularity when you generated the report, this operation returns service and action last accessed data. This includes the most recent access attempt for each tracked action within a service. Otherwise, this operation returns only service data.
For more information about service and action last accessed data, see Reducing permissions using service last accessed data in the IAM User Guide.
", "GetServiceLastAccessedDetailsWithEntities": "After you generate a group or policy report using the GenerateServiceLastAccessedDetails operation, you can use the JobId parameter in GetServiceLastAccessedDetailsWithEntities. This operation retrieves the status of your report job and a list of entities that could have used group or policy permissions to access the specified service.
Group – For a group report, this operation returns a list of users in the group that could have used the group’s policies in an attempt to access the service.
Policy – For a policy report, this operation returns a list of entities (users or roles) that could have used the policy in an attempt to access the service.
You can also use this operation for user or role reports to retrieve details about those entities.
If the operation fails, the GetServiceLastAccessedDetailsWithEntities operation returns the reason that it failed.
By default, the list of associated entities is sorted by date, with the most recent access listed first.
", "GetServiceLinkedRoleDeletionStatus": "Retrieves the status of your service-linked role deletion. After you use DeleteServiceLinkedRole to submit a service-linked role for deletion, you can use the DeletionTaskId parameter in GetServiceLinkedRoleDeletionStatus to check the status of the deletion. If the deletion fails, this operation returns the reason that it failed, if that information is returned by the service.
Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.
If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID used to sign the request to this operation.
", + "GetUser": "Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN.
If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web Services access key ID used to sign the request to this operation.
", "GetUserPolicy": "Retrieves the specified inline policy document that is embedded in the specified IAM user.
Policies returned by this operation are URL-encoded compliant with RFC 3986. You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.
An IAM user can also have managed policies attached to it. To retrieve a managed policy document that is attached to a user, use GetPolicy to determine the policy's default version. Then use GetPolicyVersion to retrieve the policy document.
For more information about policies, see Managed policies and inline policies in the IAM User Guide.
", - "ListAccessKeys": "Returns information about the access key IDs associated with the specified IAM user. If there is none, the operation returns an empty list.
Although each user is limited to a small number of keys, you can still paginate the results using the MaxItems and Marker parameters.
If the UserName field is not specified, the user name is determined implicitly based on the AWS access key ID used to sign the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials even if the AWS account has no associated users.
To ensure the security of your AWS account, the secret access key is accessible only during key and user creation.
Lists the account alias associated with the AWS account (Note: you can have only one). For information about using an AWS account alias, see Using an alias for your AWS account ID in the IAM User Guide.
", + "ListAccessKeys": "Returns information about the access key IDs associated with the specified IAM user. If there is none, the operation returns an empty list.
Although each user is limited to a small number of keys, you can still paginate the results using the MaxItems and Marker parameters.
If the UserName field is not specified, the user name is determined implicitly based on the Amazon Web Services access key ID used to sign the request. This operation works for access keys under the account. Consequently, you can use this operation to manage account root user credentials even if the account has no associated users.
To ensure the security of your account, the secret access key is accessible only during key and user creation.
Lists the account alias associated with the account (Note: you can have only one). For information about using an account alias, see Using an alias for your account ID in the IAM User Guide.
", "ListAttachedGroupPolicies": "Lists all managed policies that are attached to the specified IAM group.
An IAM group can also have inline policies embedded with it. To list the inline policies for a group, use ListGroupPolicies. For information about policies, see Managed policies and inline policies in the IAM User Guide.
You can paginate the results using the MaxItems and Marker parameters. You can use the PathPrefix parameter to limit the list of policies to only those matching the specified path prefix. If there are no policies attached to the specified group (or none that match the specified path prefix), the operation returns an empty list.
Lists all managed policies that are attached to the specified IAM role.
An IAM role can also have inline policies embedded with it. To list the inline policies for a role, use ListRolePolicies. For information about policies, see Managed policies and inline policies in the IAM User Guide.
You can paginate the results using the MaxItems and Marker parameters. You can use the PathPrefix parameter to limit the list of policies to only those matching the specified path prefix. If there are no policies attached to the specified role (or none that match the specified path prefix), the operation returns an empty list.
Lists all managed policies that are attached to the specified IAM user.
An IAM user can also have inline policies embedded with it. To list the inline policies for a user, use ListUserPolicies. For information about policies, see Managed policies and inline policies in the IAM User Guide.
You can paginate the results using the MaxItems and Marker parameters. You can use the PathPrefix parameter to limit the list of policies to only those matching the specified path prefix. If there are no policies attached to the specified group (or none that match the specified path prefix), the operation returns an empty list.
Lists the instance profiles that have the specified path prefix. If there are none, the operation returns an empty list. For more information about instance profiles, see About instance profiles.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for an instance profile, see GetInstanceProfile.
You can paginate the results using the MaxItems and Marker parameters.
Lists the instance profiles that have the specified associated IAM role. If there are none, the operation returns an empty list. For more information about instance profiles, go to About instance profiles.
You can paginate the results using the MaxItems and Marker parameters.
Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", - "ListMFADevices": "Lists the MFA devices for an IAM user. If the request includes a IAM user name, then this operation lists all the MFA devices associated with the specified user. If you do not specify a user name, IAM determines the user name implicitly based on the AWS access key ID signing the request for this operation.
You can paginate the results using the MaxItems and Marker parameters.
Lists the MFA devices for an IAM user. If the request includes a IAM user name, then this operation lists all the MFA devices associated with the specified user. If you do not specify a user name, IAM determines the user name implicitly based on the Amazon Web Services access key ID signing the request for this operation.
You can paginate the results using the MaxItems and Marker parameters.
Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible identity provider. The returned list of tags is sorted by tag key. For more information, see About web identity federation.
For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", - "ListOpenIDConnectProviders": "Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the AWS account.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for an OIDC provider, see GetOpenIDConnectProvider.
Lists all the managed policies that are available in your AWS account, including your own customer-defined managed policies and all AWS managed policies.
You can filter the list of policies that is returned using the optional OnlyAttached, Scope, and PathPrefix parameters. For example, to list only the customer managed policies in your AWS account, set Scope to Local. To list only AWS managed policies, set Scope to AWS.
You can paginate the results using the MaxItems and Marker parameters.
For more information about managed policies, see Managed policies and inline policies in the IAM User Guide.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a customer manged policy, see GetPolicy.
Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service.
This operation does not use other policy types when determining whether a resource could access a service. These other policy types include resource-based policies, access control lists, AWS Organizations policies, IAM permissions boundaries, and AWS STS assume role policies. It only applies permissions policy logic. For more about the evaluation of policy types, see Evaluating policies in the IAM User Guide.
The list of policies returned by the operation depends on the ARN of the identity that you provide.
User – The list of policies includes the managed and inline policies that are attached to the user directly. The list also includes any additional managed and inline policies that are attached to the group to which the user belongs.
Group – The list of policies includes only the managed and inline policies that are attached to the group directly. Policies that are attached to the group’s user are not included.
Role – The list of policies includes only the managed and inline policies that are attached to the role.
For each managed policy, this operation returns the ARN and policy name. For each inline policy, it returns the policy name and the entity to which it is attached. Inline policies do not have an ARN. For more information about these policy types, see Managed policies and inline policies in the IAM User Guide.
Policies that are attached to users and roles as permissions boundaries are not returned. To view which managed policy is currently used to set the permissions boundary for a user or role, use the GetUser or GetRole operations.
", + "ListOpenIDConnectProviders": "Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the account.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for an OIDC provider, see GetOpenIDConnectProvider.
Lists all the managed policies that are available in your account, including your own customer-defined managed policies and all Amazon Web Services managed policies.
You can filter the list of policies that is returned using the optional OnlyAttached, Scope, and PathPrefix parameters. For example, to list only the customer managed policies in your Amazon Web Services account, set Scope to Local. To list only Amazon Web Services managed policies, set Scope to AWS.
You can paginate the results using the MaxItems and Marker parameters.
For more information about managed policies, see Managed policies and inline policies in the IAM User Guide.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a customer manged policy, see GetPolicy.
Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service.
This operation does not use other policy types when determining whether a resource could access a service. These other policy types include resource-based policies, access control lists, Organizations policies, IAM permissions boundaries, and STS assume role policies. It only applies permissions policy logic. For more about the evaluation of policy types, see Evaluating policies in the IAM User Guide.
The list of policies returned by the operation depends on the ARN of the identity that you provide.
User – The list of policies includes the managed and inline policies that are attached to the user directly. The list also includes any additional managed and inline policies that are attached to the group to which the user belongs.
Group – The list of policies includes only the managed and inline policies that are attached to the group directly. Policies that are attached to the group’s user are not included.
Role – The list of policies includes only the managed and inline policies that are attached to the role.
For each managed policy, this operation returns the ARN and policy name. For each inline policy, it returns the policy name and the entity to which it is attached. Inline policies do not have an ARN. For more information about these policy types, see Managed policies and inline policies in the IAM User Guide.
Policies that are attached to users and roles as permissions boundaries are not returned. To view which managed policy is currently used to set the permissions boundary for a user or role, use the GetUser or GetRole operations.
", "ListPolicyTags": "Lists the tags that are attached to the specified IAM customer managed policy. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", "ListPolicyVersions": "Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version.
For more information about managed policies, see Managed policies and inline policies in the IAM User Guide.
", "ListRolePolicies": "Lists the names of the inline policies that are embedded in the specified IAM role.
An IAM role can also have managed policies attached to it. To list the managed policies that are attached to a role, use ListAttachedRolePolicies. For more information about policies, see Managed policies and inline policies in the IAM User Guide.
You can paginate the results using the MaxItems and Marker parameters. If there are no inline policies embedded with the specified role, the operation returns an empty list.
Lists the IAM roles that have the specified path prefix. If there are none, the operation returns an empty list. For more information about roles, see Working with roles.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a role, see GetRole.
You can paginate the results using the MaxItems and Marker parameters.
Lists the tags that are attached to the specified Security Assertion Markup Language (SAML) identity provider. The returned list of tags is sorted by tag key. For more information, see About SAML 2.0-based federation.
For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", "ListSAMLProviders": "Lists the SAML provider resource objects defined in IAM in the account. IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a SAML provider, see GetSAMLProvider.
This operation requires Signature Version 4.
Returns information about the SSH public keys associated with the specified IAM user. If none exists, the operation returns an empty list.
The SSH public keys returned by this operation are used only for authenticating the IAM user to an AWS CodeCommit repository. For more information about using SSH keys to authenticate to an AWS CodeCommit repository, see Set up AWS CodeCommit for SSH connections in the AWS CodeCommit User Guide.
Although each user is limited to a small number of keys, you can still paginate the results using the MaxItems and Marker parameters.
Lists the tags that are attached to the specified IAM server certificate. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
For certificates in a Region supported by AWS Certificate Manager (ACM), we recommend that you don't use IAM server certificates. Instead, use ACM to provision, manage, and deploy your server certificates. For more information about IAM server certificates, Working with server certificates in the IAM User Guide.
Lists the server certificates stored in IAM that have the specified path prefix. If none exist, the operation returns an empty list.
You can paginate the results using the MaxItems and Marker parameters.
For more information about working with server certificates, see Working with server certificates in the IAM User Guide. This topic also includes a list of AWS services that can use the server certificates that you manage with IAM.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a servercertificate, see GetServerCertificate.
Returns information about the service-specific credentials associated with the specified IAM user. If none exists, the operation returns an empty list. The service-specific credentials returned by this operation are used only for authenticating the IAM user to a specific service. For more information about using service-specific credentials to authenticate to an AWS service, see Set up service-specific credentials in the AWS CodeCommit User Guide.
", - "ListSigningCertificates": "Returns information about the signing certificates associated with the specified IAM user. If none exists, the operation returns an empty list.
Although each user is limited to a small number of signing certificates, you can still paginate the results using the MaxItems and Marker parameters.
If the UserName field is not specified, the user name is determined implicitly based on the AWS access key ID used to sign the request for this operation. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials even if the AWS account has no associated users.
Returns information about the SSH public keys associated with the specified IAM user. If none exists, the operation returns an empty list.
The SSH public keys returned by this operation are used only for authenticating the IAM user to an CodeCommit repository. For more information about using SSH keys to authenticate to an CodeCommit repository, see Set up CodeCommit for SSH connections in the CodeCommit User Guide.
Although each user is limited to a small number of keys, you can still paginate the results using the MaxItems and Marker parameters.
Lists the tags that are attached to the specified IAM server certificate. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
For certificates in a Region supported by Certificate Manager (ACM), we recommend that you don't use IAM server certificates. Instead, use ACM to provision, manage, and deploy your server certificates. For more information about IAM server certificates, Working with server certificates in the IAM User Guide.
Lists the server certificates stored in IAM that have the specified path prefix. If none exist, the operation returns an empty list.
You can paginate the results using the MaxItems and Marker parameters.
For more information about working with server certificates, see Working with server certificates in the IAM User Guide. This topic also includes a list of Amazon Web Services services that can use the server certificates that you manage with IAM.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a servercertificate, see GetServerCertificate.
Returns information about the service-specific credentials associated with the specified IAM user. If none exists, the operation returns an empty list. The service-specific credentials returned by this operation are used only for authenticating the IAM user to a specific service. For more information about using service-specific credentials to authenticate to an Amazon Web Services service, see Set up service-specific credentials in the CodeCommit User Guide.
", + "ListSigningCertificates": "Returns information about the signing certificates associated with the specified IAM user. If none exists, the operation returns an empty list.
Although each user is limited to a small number of signing certificates, you can still paginate the results using the MaxItems and Marker parameters.
If the UserName field is not specified, the user name is determined implicitly based on the Amazon Web Services access key ID used to sign the request for this operation. This operation works for access keys under the account. Consequently, you can use this operation to manage account root user credentials even if the account has no associated users.
Lists the names of the inline policies embedded in the specified IAM user.
An IAM user can also have managed policies attached to it. To list the managed policies that are attached to a user, use ListAttachedUserPolicies. For more information about policies, see Managed policies and inline policies in the IAM User Guide.
You can paginate the results using the MaxItems and Marker parameters. If there are no inline policies embedded with the specified user, the operation returns an empty list.
Lists the tags that are attached to the specified IAM user. The returned list of tags is sorted by tag key. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", - "ListUsers": "Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the AWS account. If there are none, the operation returns an empty list.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a user, see GetUser.
You can paginate the results using the MaxItems and Marker parameters.
Lists the virtual MFA devices defined in the AWS account by assignment status. If you do not specify an assignment status, the operation returns a list of all virtual MFA devices. Assignment status can be Assigned, Unassigned, or Any.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a virtual MFA device, see ListVirtualMFADevices.
You can paginate the results using the MaxItems and Marker parameters.
Lists the IAM users that have the specified path prefix. If no path prefix is specified, the operation returns all users in the account. If there are none, the operation returns an empty list.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a user, see GetUser.
You can paginate the results using the MaxItems and Marker parameters.
Lists the virtual MFA devices defined in the account by assignment status. If you do not specify an assignment status, the operation returns a list of all virtual MFA devices. Assignment status can be Assigned, Unassigned, or Any.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for a virtual MFA device, see ListVirtualMFADevices.
You can paginate the results using the MaxItems and Marker parameters.
Adds or updates an inline policy document that is embedded in the specified IAM group.
A user can also have managed policies attached to it. To attach a managed policy to a group, use AttachGroupPolicy. To create a new managed policy, use CreatePolicy. For information about policies, see Managed policies and inline policies in the IAM User Guide.
For information about the maximum number of inline policies that you can embed in a group, see IAM and STS quotas in the IAM User Guide.
Because policy documents can be large, you should use POST rather than GET when calling PutGroupPolicy. For general information about using the Query API with IAM, see Making query requests in the IAM User Guide.
Adds or updates the policy that is specified as the IAM role's permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a role. Use the boundary to control the maximum permissions that the role can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the role.
You cannot set the boundary for a service-linked role.
Policies used as permissions boundaries do not provide permissions. You must also attach a permissions policy to the role. To learn how the effective permissions for a role are evaluated, see IAM JSON policy evaluation logic in the IAM User Guide.
Adds or updates the policy that is specified as the IAM role's permissions boundary. You can use an Amazon Web Services managed policy or a customer managed policy to set the boundary for a role. Use the boundary to control the maximum permissions that the role can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the role.
You cannot set the boundary for a service-linked role.
Policies used as permissions boundaries do not provide permissions. You must also attach a permissions policy to the role. To learn how the effective permissions for a role are evaluated, see IAM JSON policy evaluation logic in the IAM User Guide.
Adds or updates an inline policy document that is embedded in the specified IAM role.
When you embed an inline policy in a role, the inline policy is used as part of the role's access (permissions) policy. The role's trust policy is created at the same time as the role, using CreateRole. You can update a role's trust policy using UpdateAssumeRolePolicy. For more information about IAM roles, see Using roles to delegate permissions and federate identities.
A role can also have a managed policy attached to it. To attach a managed policy to a role, use AttachRolePolicy. To create a new managed policy, use CreatePolicy. For information about policies, see Managed policies and inline policies in the IAM User Guide.
For information about the maximum number of inline policies that you can embed with a role, see IAM and STS quotas in the IAM User Guide.
Because policy documents can be large, you should use POST rather than GET when calling PutRolePolicy. For general information about using the Query API with IAM, see Making query requests in the IAM User Guide.
Adds or updates the policy that is specified as the IAM user's permissions boundary. You can use an AWS managed policy or a customer managed policy to set the boundary for a user. Use the boundary to control the maximum permissions that the user can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the user.
Policies that are used as permissions boundaries do not provide permissions. You must also attach a permissions policy to the user. To learn how the effective permissions for a user are evaluated, see IAM JSON policy evaluation logic in the IAM User Guide.
Adds or updates the policy that is specified as the IAM user's permissions boundary. You can use an Amazon Web Services managed policy or a customer managed policy to set the boundary for a user. Use the boundary to control the maximum permissions that the user can have. Setting a permissions boundary is an advanced feature that can affect the permissions for the user.
Policies that are used as permissions boundaries do not provide permissions. You must also attach a permissions policy to the user. To learn how the effective permissions for a user are evaluated, see IAM JSON policy evaluation logic in the IAM User Guide.
Adds or updates an inline policy document that is embedded in the specified IAM user.
An IAM user can also have a managed policy attached to it. To attach a managed policy to a user, use AttachUserPolicy. To create a new managed policy, use CreatePolicy. For information about policies, see Managed policies and inline policies in the IAM User Guide.
For information about the maximum number of inline policies that you can embed in a user, see IAM and STS quotas in the IAM User Guide.
Because policy documents can be large, you should use POST rather than GET when calling PutUserPolicy. For general information about using the Query API with IAM, see Making query requests in the IAM User Guide.
Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object.
This operation is idempotent; it does not fail or return an error if you try to remove a client ID that does not exist.
", "RemoveRoleFromInstanceProfile": "Removes the specified IAM role from the specified EC2 instance profile.
Make sure that you do not have any Amazon EC2 instances running with the role you are about to remove from the instance profile. Removing a role from an instance profile that is associated with a running instance might break any applications running on the instance.
For more information about IAM roles, see Working with roles. For more information about instance profiles, see About instance profiles.
", "RemoveUserFromGroup": "Removes the specified user from the specified group.
", - "ResetServiceSpecificCredential": "Resets the password for a service-specific credential. The new password is AWS generated and cryptographically strong. It cannot be configured by the user. Resetting the password immediately invalidates the previous password associated with this user.
", - "ResyncMFADevice": "Synchronizes the specified MFA device with its IAM resource object on the AWS servers.
For more information about creating and working with virtual MFA devices, see Using a virtual MFA device in the IAM User Guide.
", + "ResetServiceSpecificCredential": "Resets the password for a service-specific credential. The new password is Amazon Web Services generated and cryptographically strong. It cannot be configured by the user. Resetting the password immediately invalidates the previous password associated with this user.
", + "ResyncMFADevice": "Synchronizes the specified MFA device with its IAM resource object on the Amazon Web Services servers.
For more information about creating and working with virtual MFA devices, see Using a virtual MFA device in the IAM User Guide.
", "SetDefaultPolicyVersion": "Sets the specified version of the specified policy as the policy's default (operative) version.
This operation affects all users, groups, and roles that the policy is attached to. To list the users, groups, and roles that the policy is attached to, use ListEntitiesForPolicy.
For information about managed policies, see Managed policies and inline policies in the IAM User Guide.
", - "SetSecurityTokenServicePreferences": "Sets the specified version of the global endpoint token as the token version used for the AWS account.
By default, AWS Security Token Service (STS) is available as a global service, and all STS requests go to a single endpoint at https://sts.amazonaws.com. AWS recommends using Regional STS endpoints to reduce latency, build in redundancy, and increase session token availability. For information about Regional endpoints for STS, see AWS AWS Security Token Service endpoints and quotas in the AWS General Reference.
If you make an STS call to the global endpoint, the resulting session tokens might be valid in some Regions but not others. It depends on the version that is set in this operation. Version 1 tokens are valid only in AWS Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens are longer and might affect systems where you temporarily store tokens. For information, see Activating and deactivating STS in an AWS region in the IAM User Guide.
To view the current session token version, see the GlobalEndpointTokenVersion entry in the response of the GetAccountSummary operation.
Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API operations and AWS resources to determine the policies' effective permissions. The policies are provided as strings.
The simulation does not perform the API operations; it only checks the authorization to determine if the simulated policies allow or deny the operations. You can simulate resources that don't exist in your account.
If you want to simulate existing policies that are attached to an IAM user, group, or role, use SimulatePrincipalPolicy instead.
Context keys are variables that are maintained by AWS and its services and which provide details about the context of an API query request. You can use the Condition element of an IAM policy to evaluate context keys. To get the list of context keys that the policies require for correct simulation, use GetContextKeysForCustomPolicy.
If the output is long, you can use MaxItems and Marker parameters to paginate the results.
For more information about using the policy simulator, see Testing IAM policies with the IAM policy simulator in the IAM User Guide.
", - "SimulatePrincipalPolicy": "Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and AWS resources to determine the policies' effective permissions. The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to. You can simulate resources that don't exist in your account.
You can optionally include a list of one or more additional policies specified as strings to include in the simulation. If you want to simulate only policies specified as strings, use SimulateCustomPolicy instead.
You can also optionally include one resource-based policy to be evaluated with each of the resources included in the simulation.
The simulation does not perform the API operations; it only checks the authorization to determine if the simulated policies allow or deny the operations.
Note: This operation discloses information about the permissions granted to other users. If you do not want users to see other user's permissions, then consider allowing them to use SimulateCustomPolicy instead.
Context keys are variables maintained by AWS and its services that provide details about the context of an API query request. You can use the Condition element of an IAM policy to evaluate context keys. To get the list of context keys that the policies require for correct simulation, use GetContextKeysForPrincipalPolicy.
If the output is long, you can use the MaxItems and Marker parameters to paginate the results.
For more information about using the policy simulator, see Testing IAM policies with the IAM policy simulator in the IAM User Guide.
", - "TagInstanceProfile": "Adds one or more tags to an IAM instance profile. If a tag with the same key name already exists, then that tag is overwritten with the new value.
Each tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM instance profile that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an IAM virtual multi-factor authentication (MFA) device. If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM virtual MFA device that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an OpenID Connect (OIDC)-compatible identity provider. For more information about these providers, see About web identity federation. If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an OIDC provider that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an IAM customer managed policy. If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM customer managed policy that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an IAM role. The role can be a regular role or a service-linked role. If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM role that has a specified tag attached. You can also restrict access to only those resources that have a certain tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
Cost allocation - Use tags to help track which individuals and teams are using which AWS resources.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
For more information about tagging, see Tagging IAM identities in the IAM User Guide.
", - "TagSAMLProvider": "Adds one or more tags to a Security Assertion Markup Language (SAML) identity provider. For more information about these providers, see About SAML 2.0-based federation . If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only a SAML identity provider that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an IAM server certificate. If a tag with the same key name already exists, then that tag is overwritten with the new value.
For certificates in a Region supported by AWS Certificate Manager (ACM), we recommend that you don't use IAM server certificates. Instead, use ACM to provision, manage, and deploy your server certificates. For more information about IAM server certificates, Working with server certificates in the IAM User Guide.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only a server certificate that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
Cost allocation - Use tags to help track which individuals and teams are using which AWS resources.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an IAM user. If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM requesting user that has a specified tag attached. You can also restrict access to only those resources that have a certain tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
Cost allocation - Use tags to help track which individuals and teams are using which AWS resources.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
For more information about tagging, see Tagging IAM identities in the IAM User Guide.
", + "SetSecurityTokenServicePreferences": "Sets the specified version of the global endpoint token as the token version used for the account.
By default, Security Token Service (STS) is available as a global service, and all STS requests go to a single endpoint at https://sts.amazonaws.com. Amazon Web Services recommends using Regional STS endpoints to reduce latency, build in redundancy, and increase session token availability. For information about Regional endpoints for STS, see Security Token Service endpoints and quotas in the Amazon Web Services General Reference.
If you make an STS call to the global endpoint, the resulting session tokens might be valid in some Regions but not others. It depends on the version that is set in this operation. Version 1 tokens are valid only in Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens are longer and might affect systems where you temporarily store tokens. For information, see Activating and deactivating STS in an Region in the IAM User Guide.
To view the current session token version, see the GlobalEndpointTokenVersion entry in the response of the GetAccountSummary operation.
Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API operations and Amazon Web Services resources to determine the policies' effective permissions. The policies are provided as strings.
The simulation does not perform the API operations; it only checks the authorization to determine if the simulated policies allow or deny the operations. You can simulate resources that don't exist in your account.
If you want to simulate existing policies that are attached to an IAM user, group, or role, use SimulatePrincipalPolicy instead.
Context keys are variables that are maintained by Amazon Web Services and its services and which provide details about the context of an API query request. You can use the Condition element of an IAM policy to evaluate context keys. To get the list of context keys that the policies require for correct simulation, use GetContextKeysForCustomPolicy.
If the output is long, you can use MaxItems and Marker parameters to paginate the results.
For more information about using the policy simulator, see Testing IAM policies with the IAM policy simulator in the IAM User Guide.
", + "SimulatePrincipalPolicy": "Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and Amazon Web Services resources to determine the policies' effective permissions. The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to. You can simulate resources that don't exist in your account.
You can optionally include a list of one or more additional policies specified as strings to include in the simulation. If you want to simulate only policies specified as strings, use SimulateCustomPolicy instead.
You can also optionally include one resource-based policy to be evaluated with each of the resources included in the simulation.
The simulation does not perform the API operations; it only checks the authorization to determine if the simulated policies allow or deny the operations.
Note: This operation discloses information about the permissions granted to other users. If you do not want users to see other user's permissions, then consider allowing them to use SimulateCustomPolicy instead.
Context keys are variables maintained by Amazon Web Services and its services that provide details about the context of an API query request. You can use the Condition element of an IAM policy to evaluate context keys. To get the list of context keys that the policies require for correct simulation, use GetContextKeysForPrincipalPolicy.
If the output is long, you can use the MaxItems and Marker parameters to paginate the results.
For more information about using the policy simulator, see Testing IAM policies with the IAM policy simulator in the IAM User Guide.
", + "TagInstanceProfile": "Adds one or more tags to an IAM instance profile. If a tag with the same key name already exists, then that tag is overwritten with the new value.
Each tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM instance profile that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an IAM virtual multi-factor authentication (MFA) device. If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM virtual MFA device that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an OpenID Connect (OIDC)-compatible identity provider. For more information about these providers, see About web identity federation. If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an OIDC provider that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an IAM customer managed policy. If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM customer managed policy that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an IAM role. The role can be a regular role or a service-linked role. If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM role that has a specified tag attached. You can also restrict access to only those resources that have a certain tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
Cost allocation - Use tags to help track which individuals and teams are using which Amazon Web Services resources.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
For more information about tagging, see Tagging IAM identities in the IAM User Guide.
", + "TagSAMLProvider": "Adds one or more tags to a Security Assertion Markup Language (SAML) identity provider. For more information about these providers, see About SAML 2.0-based federation . If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only a SAML identity provider that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an IAM server certificate. If a tag with the same key name already exists, then that tag is overwritten with the new value.
For certificates in a Region supported by Certificate Manager (ACM), we recommend that you don't use IAM server certificates. Instead, use ACM to provision, manage, and deploy your server certificates. For more information about IAM server certificates, Working with server certificates in the IAM User Guide.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only a server certificate that has a specified tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
Cost allocation - Use tags to help track which individuals and teams are using which Amazon Web Services resources.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
Adds one or more tags to an IAM user. If a tag with the same key name already exists, then that tag is overwritten with the new value.
A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:
Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.
Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM requesting user that has a specified tag attached. You can also restrict access to only those resources that have a certain tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.
Cost allocation - Use tags to help track which individuals and teams are using which Amazon Web Services resources.
If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
For more information about tagging, see Tagging IAM identities in the IAM User Guide.
", "UntagInstanceProfile": "Removes the specified tags from the IAM instance profile. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", "UntagMFADevice": "Removes the specified tags from the IAM virtual multi-factor authentication (MFA) device. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", "UntagOpenIDConnectProvider": "Removes the specified tags from the specified OpenID Connect (OIDC)-compatible identity provider in IAM. For more information about OIDC providers, see About web identity federation. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", "UntagPolicy": "Removes the specified tags from the customer managed policy. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", "UntagRole": "Removes the specified tags from the role. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", "UntagSAMLProvider": "Removes the specified tags from the specified Security Assertion Markup Language (SAML) identity provider in IAM. For more information about these providers, see About web identity federation. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", - "UntagServerCertificate": "Removes the specified tags from the IAM server certificate. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
For certificates in a Region supported by AWS Certificate Manager (ACM), we recommend that you don't use IAM server certificates. Instead, use ACM to provision, manage, and deploy your server certificates. For more information about IAM server certificates, Working with server certificates in the IAM User Guide.
Removes the specified tags from the IAM server certificate. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
For certificates in a Region supported by Certificate Manager (ACM), we recommend that you don't use IAM server certificates. Instead, use ACM to provision, manage, and deploy your server certificates. For more information about IAM server certificates, Working with server certificates in the IAM User Guide.
Removes the specified tags from the user. For more information about tagging, see Tagging IAM resources in the IAM User Guide.
", - "UpdateAccessKey": "Changes the status of the specified access key from Active to Inactive, or vice versa. This operation can be used to disable a user's key as part of a key rotation workflow.
If the UserName is not specified, the user name is determined implicitly based on the AWS access key ID used to sign the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials even if the AWS account has no associated users.
For information about rotating keys, see Managing keys and certificates in the IAM User Guide.
", - "UpdateAccountPasswordPolicy": "Updates the password policy settings for the AWS account.
This operation does not support partial updates. No parameters are required, but if you do not specify a parameter, that parameter's value reverts to its default value. See the Request Parameters section for each parameter's default value. Also note that some parameters do not allow the default parameter to be explicitly set. Instead, to invoke the default value, do not include that parameter when you invoke the operation.
For more information about using a password policy, see Managing an IAM password policy in the IAM User Guide.
", + "UpdateAccessKey": "Changes the status of the specified access key from Active to Inactive, or vice versa. This operation can be used to disable a user's key as part of a key rotation workflow.
If the UserName is not specified, the user name is determined implicitly based on the Amazon Web Services access key ID used to sign the request. This operation works for access keys under the account. Consequently, you can use this operation to manage account root user credentials even if the account has no associated users.
For information about rotating keys, see Managing keys and certificates in the IAM User Guide.
", + "UpdateAccountPasswordPolicy": "Updates the password policy settings for the account.
This operation does not support partial updates. No parameters are required, but if you do not specify a parameter, that parameter's value reverts to its default value. See the Request Parameters section for each parameter's default value. Also note that some parameters do not allow the default parameter to be explicitly set. Instead, to invoke the default value, do not include that parameter when you invoke the operation.
For more information about using a password policy, see Managing an IAM password policy in the IAM User Guide.
", "UpdateAssumeRolePolicy": "Updates the policy that grants an IAM entity permission to assume a role. This is typically referred to as the \"role trust policy\". For more information about roles, see Using roles to delegate permissions and federate identities.
", "UpdateGroup": "Updates the name and/or the path of the specified IAM group.
You should understand the implications of changing a group's path or name. For more information, see Renaming users and groups in the IAM User Guide.
The person making the request (the principal), must have permission to change the role group with the old name and the new name. For example, to change the group named Managers to MGRs, the principal must have a policy that allows them to update both groups. If the principal has permission to update the Managers group, but not the MGRs group, then the update fails. For more information about permissions, see Access management.
Changes the password for the specified IAM user. You can use the AWS CLI, the AWS API, or the Users page in the IAM console to change the password for any IAM user. Use ChangePassword to change your own password in the My Security Credentials page in the AWS Management Console.
For more information about modifying passwords, see Managing passwords in the IAM User Guide.
", + "UpdateLoginProfile": "Changes the password for the specified IAM user. You can use the CLI, the Amazon Web Services API, or the Users page in the IAM console to change the password for any IAM user. Use ChangePassword to change your own password in the My Security Credentials page in the Management Console.
For more information about modifying passwords, see Managing passwords in the IAM User Guide.
", "UpdateOpenIDConnectProviderThumbprint": "Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints.
The list that you pass with this operation completely replaces the existing list of thumbprints. (The lists are not merged.)
Typically, you need to update a thumbprint only when the identity provider's certificate changes, which occurs rarely. However, if the provider's certificate does change, any attempt to assume an IAM role that specifies the OIDC provider as a principal fails until the certificate thumbprint is updated.
Trust for the OIDC provider is derived from the provider's certificate and is validated by the thumbprint. Therefore, it is best to limit access to the UpdateOpenIDConnectProviderThumbprint operation to highly privileged users.
Updates the description or maximum session duration setting of a role.
", "UpdateRoleDescription": "Use UpdateRole instead.
Modifies only the description of a role. This operation performs the same function as the Description parameter in the UpdateRole operation.
Updates the metadata document for an existing SAML provider resource object.
This operation requires Signature Version 4.
Sets the status of an IAM user's SSH public key to active or inactive. SSH public keys that are inactive cannot be used for authentication. This operation can be used to disable a user's SSH public key as part of a key rotation work flow.
The SSH public key affected by this operation is used only for authenticating the associated IAM user to an AWS CodeCommit repository. For more information about using SSH keys to authenticate to an AWS CodeCommit repository, see Set up AWS CodeCommit for SSH connections in the AWS CodeCommit User Guide.
", - "UpdateServerCertificate": "Updates the name and/or the path of the specified server certificate stored in IAM.
For more information about working with server certificates, see Working with server certificates in the IAM User Guide. This topic also includes a list of AWS services that can use the server certificates that you manage with IAM.
You should understand the implications of changing a server certificate's path or name. For more information, see Renaming a server certificate in the IAM User Guide.
The person making the request (the principal), must have permission to change the server certificate with the old name and the new name. For example, to change the certificate named ProductionCert to ProdCert, the principal must have a policy that allows them to update both certificates. If the principal has permission to update the ProductionCert group, but not the ProdCert certificate, then the update fails. For more information about permissions, see Access management in the IAM User Guide.
Sets the status of an IAM user's SSH public key to active or inactive. SSH public keys that are inactive cannot be used for authentication. This operation can be used to disable a user's SSH public key as part of a key rotation work flow.
The SSH public key affected by this operation is used only for authenticating the associated IAM user to an CodeCommit repository. For more information about using SSH keys to authenticate to an CodeCommit repository, see Set up CodeCommit for SSH connections in the CodeCommit User Guide.
", + "UpdateServerCertificate": "Updates the name and/or the path of the specified server certificate stored in IAM.
For more information about working with server certificates, see Working with server certificates in the IAM User Guide. This topic also includes a list of Amazon Web Services services that can use the server certificates that you manage with IAM.
You should understand the implications of changing a server certificate's path or name. For more information, see Renaming a server certificate in the IAM User Guide.
The person making the request (the principal), must have permission to change the server certificate with the old name and the new name. For example, to change the certificate named ProductionCert to ProdCert, the principal must have a policy that allows them to update both certificates. If the principal has permission to update the ProductionCert group, but not the ProdCert certificate, then the update fails. For more information about permissions, see Access management in the IAM User Guide.
Sets the status of a service-specific credential to Active or Inactive. Service-specific credentials that are inactive cannot be used for authentication to the service. This operation can be used to disable a user's service-specific credential as part of a credential rotation work flow.
Changes the status of the specified user signing certificate from active to disabled, or vice versa. This operation can be used to disable an IAM user's signing certificate as part of a certificate rotation work flow.
If the UserName field is not specified, the user name is determined implicitly based on the AWS access key ID used to sign the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials even if the AWS account has no associated users.
Changes the status of the specified user signing certificate from active to disabled, or vice versa. This operation can be used to disable an IAM user's signing certificate as part of a certificate rotation work flow.
If the UserName field is not specified, the user name is determined implicitly based on the Amazon Web Services access key ID used to sign the request. This operation works for access keys under the account. Consequently, you can use this operation to manage account root user credentials even if the account has no associated users.
Updates the name and/or the path of the specified IAM user.
You should understand the implications of changing an IAM user's path or name. For more information, see Renaming an IAM user and Renaming an IAM group in the IAM User Guide.
To change a user name, the requester must have appropriate permissions on both the source object and the target object. For example, to change Bob to Robert, the entity making the request must have permission on Bob and Robert, or must have permission on all (*). For more information about permissions, see Permissions and policies.
Uploads an SSH public key and associates it with the specified IAM user.
The SSH public key uploaded by this operation can be used only for authenticating the associated IAM user to an AWS CodeCommit repository. For more information about using SSH keys to authenticate to an AWS CodeCommit repository, see Set up AWS CodeCommit for SSH connections in the AWS CodeCommit User Guide.
", - "UploadServerCertificate": "Uploads a server certificate entity for the AWS account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.
We recommend that you use AWS Certificate Manager to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to AWS resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the AWS Certificate Manager User Guide.
For more information about working with server certificates, see Working with server certificates in the IAM User Guide. This topic includes a list of AWS services that can use the server certificates that you manage with IAM.
For information about the number of server certificates you can upload, see IAM and STS quotas in the IAM User Guide.
Because the body of the public key certificate, private key, and the certificate chain can be large, you should use POST rather than GET when calling UploadServerCertificate. For information about setting up signatures and authorization through the API, see Signing AWS API requests in the AWS General Reference. For general information about using the Query API with IAM, see Calling the API by making HTTP query requests in the IAM User Guide.
Uploads an X.509 signing certificate and associates it with the specified IAM user. Some AWS services require you to use certificates to validate requests that are signed with a corresponding private key. When you upload the certificate, its default status is Active.
For information about when you would use an X.509 signing certificate, see Managing server certificates in IAM in the IAM User Guide.
If the UserName is not specified, the IAM user name is determined implicitly based on the AWS access key ID used to sign the request. This operation works for access keys under the AWS account. Consequently, you can use this operation to manage AWS account root user credentials even if the AWS account has no associated users.
Because the body of an X.509 certificate can be large, you should use POST rather than GET when calling UploadSigningCertificate. For information about setting up signatures and authorization through the API, see Signing AWS API requests in the AWS General Reference. For general information about using the Query API with IAM, see Making query requests in the IAM User Guide.
Uploads an SSH public key and associates it with the specified IAM user.
The SSH public key uploaded by this operation can be used only for authenticating the associated IAM user to an CodeCommit repository. For more information about using SSH keys to authenticate to an CodeCommit repository, see Set up CodeCommit for SSH connections in the CodeCommit User Guide.
", + "UploadServerCertificate": "Uploads a server certificate entity for the account. The server certificate entity includes a public key certificate, a private key, and an optional certificate chain, which should all be PEM-encoded.
We recommend that you use Certificate Manager to provision, manage, and deploy your server certificates. With ACM you can request a certificate, deploy it to Amazon Web Services resources, and let ACM handle certificate renewals for you. Certificates provided by ACM are free. For more information about using ACM, see the Certificate Manager User Guide.
For more information about working with server certificates, see Working with server certificates in the IAM User Guide. This topic includes a list of Amazon Web Services services that can use the server certificates that you manage with IAM.
For information about the number of server certificates you can upload, see IAM and STS quotas in the IAM User Guide.
Because the body of the public key certificate, private key, and the certificate chain can be large, you should use POST rather than GET when calling UploadServerCertificate. For information about setting up signatures and authorization through the API, see Signing Amazon Web Services API requests in the Amazon Web Services General Reference. For general information about using the Query API with IAM, see Calling the API by making HTTP query requests in the IAM User Guide.
Uploads an X.509 signing certificate and associates it with the specified IAM user. Some Amazon Web Services services require you to use certificates to validate requests that are signed with a corresponding private key. When you upload the certificate, its default status is Active.
For information about when you would use an X.509 signing certificate, see Managing server certificates in IAM in the IAM User Guide.
If the UserName is not specified, the IAM user name is determined implicitly based on the Amazon Web Services access key ID used to sign the request. This operation works for access keys under the account. Consequently, you can use this operation to manage account root user credentials even if the account has no associated users.
Because the body of an X.509 certificate can be large, you should use POST rather than GET when calling UploadSigningCertificate. For information about setting up signatures and authorization through the API, see Signing Amazon Web Services API requests in the Amazon Web Services General Reference. For general information about using the Query API with IAM, see Making query requests in the IAM User Guide.
An object that contains details about when a principal in the reported AWS Organizations entity last attempted to access an AWS service. A principal can be an IAM user, an IAM role, or the AWS account root user within the reported Organizations entity.
This data type is a response element in the GetOrganizationsAccessReport operation.
", + "base": "An object that contains details about when a principal in the reported Organizations entity last attempted to access an Amazon Web Services service. A principal can be an IAM user, an IAM role, or the Amazon Web Services account root user within the reported Organizations entity.
This data type is a response element in the GetOrganizationsAccessReport operation.
", "refs": { "AccessDetails$member": null } @@ -182,19 +182,19 @@ } }, "AccessKey": { - "base": "Contains information about an AWS access key.
This data type is used as a response element in the CreateAccessKey and ListAccessKeys operations.
The SecretAccessKey value is returned only in response to CreateAccessKey. You can get a secret access key only when you first create an access key; you cannot recover the secret access key later. If you lose a secret access key, you must create a new access key.
Contains information about an Amazon Web Services access key.
This data type is used as a response element in the CreateAccessKey and ListAccessKeys operations.
The SecretAccessKey value is returned only in response to CreateAccessKey. You can get a secret access key only when you first create an access key; you cannot recover the secret access key later. If you lose a secret access key, you must create a new access key.
A structure with details about the access key.
" } }, "AccessKeyLastUsed": { - "base": "Contains information about the last time an AWS access key was used since IAM began tracking this information on April 22, 2015.
This data type is used as a response element in the GetAccessKeyLastUsed operation.
", + "base": "Contains information about the last time an Amazon Web Services access key was used since IAM began tracking this information on April 22, 2015.
This data type is used as a response element in the GetAccessKeyLastUsed operation.
", "refs": { "GetAccessKeyLastUsedResponse$AccessKeyLastUsed": "Contains information about the last time the access key was used.
" } }, "AccessKeyMetadata": { - "base": "Contains information about an AWS access key, without its secret key.
This data type is used as a response element in the ListAccessKeys operation.
", + "base": "Contains information about an Amazon Web Services access key, without its secret key.
This data type is used as a response element in the ListAccessKeys operation.
", "refs": { "accessKeyMetadataListType$member": null } @@ -669,7 +669,7 @@ } }, "EntityDetails": { - "base": "An object that contains details about when the IAM entities (users or roles) were last used in an attempt to access the specified AWS service.
This data type is a response element in the GetServiceLastAccessedDetailsWithEntities operation.
", + "base": "An object that contains details about when the IAM entities (users or roles) were last used in an attempt to access the specified Amazon Web Services service.
This data type is a response element in the GetServiceLastAccessedDetailsWithEntities operation.
", "refs": { "entityDetailsListType$member": null } @@ -703,7 +703,7 @@ "EvalDecisionDetailsType": { "base": null, "refs": { - "EvaluationResult$EvalDecisionDetails": "Additional details about the results of the cross-account evaluation decision. This parameter is populated for only cross-account simulations. It contains a brief summary of how each policy type contributes to the final evaluation decision.
If the simulation evaluates policies within the same account and includes a resource ARN, then the parameter is present but the response is empty. If the simulation evaluates policies within the same account and specifies all resources (*), then the parameter is not returned.
When you make a cross-account request, AWS evaluates the request in the trusting account and the trusted account. The request is allowed only if both evaluations return true. For more information about how policies are evaluated, see Evaluating policies within a single account.
If an AWS Organizations SCP included in the evaluation denies access, the simulation ends. In this case, policy evaluation does not proceed any further and this parameter is not returned.
", + "EvaluationResult$EvalDecisionDetails": "Additional details about the results of the cross-account evaluation decision. This parameter is populated for only cross-account simulations. It contains a brief summary of how each policy type contributes to the final evaluation decision.
If the simulation evaluates policies within the same account and includes a resource ARN, then the parameter is present but the response is empty. If the simulation evaluates policies within the same account and specifies all resources (*), then the parameter is not returned.
When you make a cross-account request, Amazon Web Services evaluates the request in the trusting account and the trusted account. The request is allowed only if both evaluations return true. For more information about how policies are evaluated, see Evaluating policies within a single account.
If an Organizations SCP included in the evaluation denies access, the simulation ends. In this case, policy evaluation does not proceed any further and this parameter is not returned.
", "ResourceSpecificResult$EvalDecisionDetails": "Additional details about the results of the evaluation decision on a single resource. This parameter is returned only for cross-account simulations. This parameter explains how each policy type contributes to the resource-specific evaluation decision.
" } }, @@ -1033,7 +1033,7 @@ } }, "LimitExceededException": { - "base": "The request was rejected because it attempted to create resources beyond the current AWS account limits. The error message describes the limit exceeded.
", + "base": "The request was rejected because it attempted to create resources beyond the current Amazon Web Services account limits. The error message describes the limit exceeded.
", "refs": { } }, @@ -1393,7 +1393,7 @@ "base": "Contains the user name and password create date for a user.
This data type is used as a response element in the CreateLoginProfile and GetLoginProfile operations.
", "refs": { "CreateLoginProfileResponse$LoginProfile": "A structure containing the user name and password create date.
", - "GetLoginProfileResponse$LoginProfile": "A structure containing the user name and password create date for the user.
" + "GetLoginProfileResponse$LoginProfile": "A structure containing the user name and the profile creation date for the user.
" } }, "MFADevice": { @@ -1438,13 +1438,13 @@ "OpenIDConnectProviderListType": { "base": "Contains a list of IAM OpenID Connect providers.
", "refs": { - "ListOpenIDConnectProvidersResponse$OpenIDConnectProviderList": "The list of IAM OIDC provider resource objects defined in the AWS account.
" + "ListOpenIDConnectProvidersResponse$OpenIDConnectProviderList": "The list of IAM OIDC provider resource objects defined in the account.
" } }, "OpenIDConnectProviderUrlType": { "base": "Contains a URL that specifies the endpoint for an OpenID Connect provider.
", "refs": { - "CreateOpenIDConnectProviderRequest$Url": "The URL of the identity provider. The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com.
You cannot register the same provider multiple times in a single AWS account. If you try to submit a URL that has already been used for an OpenID Connect provider in the AWS account, you will get an error.
", + "CreateOpenIDConnectProviderRequest$Url": "The URL of the identity provider. The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com.
You cannot register the same provider multiple times in a single account. If you try to submit a URL that has already been used for an OpenID Connect provider in the account, you will get an error.
", "GetOpenIDConnectProviderResponse$Url": "The URL that the IAM OIDC provider resource object is associated with. For more information, see CreateOpenIDConnectProvider.
" } }, @@ -1530,7 +1530,7 @@ } }, "PolicyNotAttachableException": { - "base": "The request failed because AWS service role policies can only be attached to the service-linked role for that service.
", + "base": "The request failed because Amazon Web Services service role policies can only be attached to the service-linked role for that service.
", "refs": { } }, @@ -1687,8 +1687,8 @@ "ResourceNameListType": { "base": null, "refs": { - "SimulateCustomPolicyRequest$ResourceArns": "A list of ARNs of AWS resources to include in the simulation. If this parameter is not provided, then the value defaults to * (all resources). Each API in the ActionNames parameter is evaluated for each resource in this list. The simulation determines the access result (allowed or denied) of each combination and reports it in the response. You can simulate resources that don't exist in your account.
The simulation does not automatically retrieve policies for the specified resources. If you want to include a resource policy in the simulation, then you must include the policy as a string in the ResourcePolicy parameter.
If you include a ResourcePolicy, then it must be applicable to all of the resources included in the simulation or you receive an invalid input error.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "SimulatePrincipalPolicyRequest$ResourceArns": "A list of ARNs of AWS resources to include in the simulation. If this parameter is not provided, then the value defaults to * (all resources). Each API in the ActionNames parameter is evaluated for each resource in this list. The simulation determines the access result (allowed or denied) of each combination and reports it in the response. You can simulate resources that don't exist in your account.
The simulation does not automatically retrieve policies for the specified resources. If you want to include a resource policy in the simulation, then you must include the policy as a string in the ResourcePolicy parameter.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
" + "SimulateCustomPolicyRequest$ResourceArns": "A list of ARNs of Amazon Web Services resources to include in the simulation. If this parameter is not provided, then the value defaults to * (all resources). Each API in the ActionNames parameter is evaluated for each resource in this list. The simulation determines the access result (allowed or denied) of each combination and reports it in the response. You can simulate resources that don't exist in your account.
The simulation does not automatically retrieve policies for the specified resources. If you want to include a resource policy in the simulation, then you must include the policy as a string in the ResourcePolicy parameter.
If you include a ResourcePolicy, then it must be applicable to all of the resources included in the simulation or you receive an invalid input error.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "SimulatePrincipalPolicyRequest$ResourceArns": "A list of ARNs of Amazon Web Services resources to include in the simulation. If this parameter is not provided, then the value defaults to * (all resources). Each API in the ActionNames parameter is evaluated for each resource in this list. The simulation determines the access result (allowed or denied) of each combination and reports it in the response. You can simulate resources that don't exist in your account.
The simulation does not automatically retrieve policies for the specified resources. If you want to include a resource policy in the simulation, then you must include the policy as a string in the ResourcePolicy parameter.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
" } }, "ResourceNameType": { @@ -1697,10 +1697,10 @@ "EvaluationResult$EvalResourceName": "The ARN of the resource that the indicated API operation was tested on.
", "ResourceNameListType$member": null, "ResourceSpecificResult$EvalResourceName": "The name of the simulated resource, in Amazon Resource Name (ARN) format.
", - "SimulateCustomPolicyRequest$ResourceOwner": "An ARN representing the AWS account ID that specifies the owner of any simulated resource that does not identify its owner in the resource ARN. Examples of resource ARNs include an S3 bucket or object. If ResourceOwner is specified, it is also used as the account owner of any ResourcePolicy included in the simulation. If the ResourceOwner parameter is not specified, then the owner of the resources and the resource policy defaults to the account of the identity provided in CallerArn. This parameter is required only if you specify a resource-based policy and account that owns the resource is different from the account that owns the simulated calling user CallerArn.
The ARN for an account uses the following syntax: arn:aws:iam::AWS-account-ID:root. For example, to represent the account with the 112233445566 ID, use the following ARN: arn:aws:iam::112233445566-ID:root.
An ARN representing the account ID that specifies the owner of any simulated resource that does not identify its owner in the resource ARN. Examples of resource ARNs include an S3 bucket or object. If ResourceOwner is specified, it is also used as the account owner of any ResourcePolicy included in the simulation. If the ResourceOwner parameter is not specified, then the owner of the resources and the resource policy defaults to the account of the identity provided in CallerArn. This parameter is required only if you specify a resource-based policy and account that owns the resource is different from the account that owns the simulated calling user CallerArn.
The ARN for an account uses the following syntax: arn:aws:iam::AWS-account-ID:root. For example, to represent the account with the 112233445566 ID, use the following ARN: arn:aws:iam::112233445566-ID:root.
The ARN of the IAM user that you want to use as the simulated caller of the API operations. CallerArn is required if you include a ResourcePolicy so that the policy's Principal element has a value to use in evaluating the policy.
You can specify only the ARN of an IAM user. You cannot specify the ARN of an assumed role, federated user, or a service principal.
", - "SimulatePrincipalPolicyRequest$ResourceOwner": "An AWS account ID that specifies the owner of any simulated resource that does not identify its owner in the resource ARN. Examples of resource ARNs include an S3 bucket or object. If ResourceOwner is specified, it is also used as the account owner of any ResourcePolicy included in the simulation. If the ResourceOwner parameter is not specified, then the owner of the resources and the resource policy defaults to the account of the identity provided in CallerArn. This parameter is required only if you specify a resource-based policy and account that owns the resource is different from the account that owns the simulated calling user CallerArn.
The ARN of the IAM user that you want to specify as the simulated caller of the API operations. If you do not specify a CallerArn, it defaults to the ARN of the user that you specify in PolicySourceArn, if you specified a user. If you include both a PolicySourceArn (for example, arn:aws:iam::123456789012:user/David) and a CallerArn (for example, arn:aws:iam::123456789012:user/Bob), the result is that you simulate calling the API operations as Bob, as if Bob had David's policies.
You can specify only the ARN of an IAM user. You cannot specify the ARN of an assumed role, federated user, or a service principal.
CallerArn is required if you include a ResourcePolicy and the PolicySourceArn is not the ARN for an IAM user. This is required so that the resource-based policy's Principal element has a value to use in evaluating the policy.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
" + "SimulatePrincipalPolicyRequest$ResourceOwner": "An account ID that specifies the owner of any simulated resource that does not identify its owner in the resource ARN. Examples of resource ARNs include an S3 bucket or object. If ResourceOwner is specified, it is also used as the account owner of any ResourcePolicy included in the simulation. If the ResourceOwner parameter is not specified, then the owner of the resources and the resource policy defaults to the account of the identity provided in CallerArn. This parameter is required only if you specify a resource-based policy and account that owns the resource is different from the account that owns the simulated calling user CallerArn.
The ARN of the IAM user that you want to specify as the simulated caller of the API operations. If you do not specify a CallerArn, it defaults to the ARN of the user that you specify in PolicySourceArn, if you specified a user. If you include both a PolicySourceArn (for example, arn:aws:iam::123456789012:user/David) and a CallerArn (for example, arn:aws:iam::123456789012:user/Bob), the result is that you simulate calling the API operations as Bob, as if Bob had David's policies.
You can specify only the ARN of an IAM user. You cannot specify the ARN of an assumed role, federated user, or a service principal.
CallerArn is required if you include a ResourcePolicy and the PolicySourceArn is not the ARN for an IAM user. This is required so that the resource-based policy's Principal element has a value to use in evaluating the policy.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
" } }, "ResourceSpecificResult": { @@ -1772,7 +1772,7 @@ "SAMLProviderListType": { "base": null, "refs": { - "ListSAMLProvidersResponse$SAMLProviderList": "The list of SAML provider resource objects defined in IAM for this AWS account.
" + "ListSAMLProvidersResponse$SAMLProviderList": "The list of SAML provider resource objects defined in IAM for this Amazon Web Services account.
" } }, "SAMLProviderNameType": { @@ -1892,10 +1892,10 @@ "refs": { "GetContextKeysForCustomPolicyRequest$PolicyInputList": "A list of policies for which you want the list of context keys referenced in those policies. Each document is specified as a string containing the complete, valid JSON text of an IAM policy.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
An optional list of additional policies for which you want the list of context keys that are referenced.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
A list of policy documents to include in the simulation. Each document is specified as a string containing the complete, valid JSON text of an IAM policy. Do not include any resource-based policies in this parameter. Any resource-based policy must be submitted with the ResourcePolicy parameter. The policies cannot be \"scope-down\" policies, such as you could include in a call to GetFederationToken or one of the AssumeRole API operations. In other words, do not use policies designed to restrict what a user can do while using the temporary credentials.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The IAM permissions boundary policy to simulate. The permissions boundary sets the maximum permissions that an IAM entity can have. You can input only one permissions boundary when you pass a policy to this operation. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide. The policy input is specified as a string that contains the complete, valid JSON text of a permissions boundary policy.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
A list of policy documents to include in the simulation. Each document is specified as a string containing the complete, valid JSON text of an IAM policy. Do not include any resource-based policies in this parameter. Any resource-based policy must be submitted with the ResourcePolicy parameter. The policies cannot be \"scope-down\" policies, such as you could include in a call to GetFederationToken or one of the AssumeRole API operations. In other words, do not use policies designed to restrict what a user can do while using the temporary credentials.
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The IAM permissions boundary policy to simulate. The permissions boundary sets the maximum permissions that an IAM entity can have. You can input only one permissions boundary when you pass a policy to this operation. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide. The policy input is specified as a string that contains the complete, valid JSON text of a permissions boundary policy.
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
An optional list of additional policy documents to include in the simulation. Each document is specified as a string containing the complete, valid JSON text of an IAM policy.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The IAM permissions boundary policy to simulate. The permissions boundary sets the maximum permissions that the entity can have. You can input only one permissions boundary when you pass a policy to this operation. An IAM entity can only have one permissions boundary in effect at a time. For example, if a permissions boundary is attached to an entity and you pass in a different permissions boundary policy using this parameter, then the new permissions boundary policy is used for the simulation. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide. The policy input is specified as a string containing the complete, valid JSON text of a permissions boundary policy.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The IAM permissions boundary policy to simulate. The permissions boundary sets the maximum permissions that the entity can have. You can input only one permissions boundary when you pass a policy to this operation. An IAM entity can only have one permissions boundary in effect at a time. For example, if a permissions boundary is attached to an entity and you pass in a different permissions boundary policy using this parameter, then the new permissions boundary policy is used for the simulation. For more information about permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide. The policy input is specified as a string containing the complete, valid JSON text of a permissions boundary policy.
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
Contains information about an IAM user entity.
This data type is used as a response element in the following operations:
", "refs": { "CreateUserResponse$User": "A structure with details about the new IAM user.
", - "GetUserResponse$User": "A structure containing details about the IAM user.
Due to a service issue, password last used data does not include password use from May 3, 2018 22:50 PDT to May 23, 2018 14:08 PDT. This affects last sign-in dates shown in the IAM console and password last used dates in the IAM credential report, and returned by this operation. If users signed in during the affected time, the password last used date that is returned is the date the user last signed in before May 3, 2018. For users that signed in after May 23, 2018 14:08 PDT, the returned password last used date is accurate.
You can use password last used information to identify unused credentials for deletion. For example, you might delete users who did not sign in to AWS in the last 90 days. In cases like this, we recommend that you adjust your evaluation window to include dates after May 23, 2018. Alternatively, if your users use access keys to access AWS programmatically you can refer to access key last used information because it is accurate for all dates.
A structure containing details about the IAM user.
Due to a service issue, password last used data does not include password use from May 3, 2018 22:50 PDT to May 23, 2018 14:08 PDT. This affects last sign-in dates shown in the IAM console and password last used dates in the IAM credential report, and returned by this operation. If users signed in during the affected time, the password last used date that is returned is the date the user last signed in before May 3, 2018. For users that signed in after May 23, 2018 14:08 PDT, the returned password last used date is accurate.
You can use password last used information to identify unused credentials for deletion. For example, you might delete users who did not sign in to Amazon Web Services in the last 90 days. In cases like this, we recommend that you adjust your evaluation window to include dates after May 23, 2018. Alternatively, if your users use access keys to access Amazon Web Services programmatically you can refer to access key last used information because it is accurate for all dates.
The IAM user associated with this virtual MFA device.
", "userListType$member": null } @@ -2181,7 +2181,7 @@ "accountAliasListType": { "base": null, "refs": { - "ListAccountAliasesResponse$AccountAliases": "A list of aliases associated with the account. AWS supports only one alias per account.
" + "ListAccountAliasesResponse$AccountAliases": "A list of aliases associated with the account. Amazon Web Services supports only one alias per account.
" } }, "accountAliasType": { @@ -2193,66 +2193,66 @@ } }, "arnType": { - "base": "The Amazon Resource Name (ARN). ARNs are unique identifiers for AWS resources.
For more information about ARNs, go to Amazon Resource Names (ARNs) in the AWS General Reference.
", + "base": "The Amazon Resource Name (ARN). ARNs are unique identifiers for Amazon Web Services resources.
For more information about ARNs, go to Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", "refs": { "AddClientIDToOpenIDConnectProviderRequest$OpenIDConnectProviderArn": "The Amazon Resource Name (ARN) of the IAM OpenID Connect (OIDC) provider resource to add the client ID to. You can get a list of OIDC provider ARNs by using the ListOpenIDConnectProviders operation.
", "ArnListType$member": null, - "AttachGroupPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "AttachRolePolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "AttachUserPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", + "AttachGroupPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "AttachRolePolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "AttachUserPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to attach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", "AttachedPermissionsBoundary$PermissionsBoundaryArn": "The ARN of the policy used to set the permissions boundary for the user or role.
", "AttachedPolicy$PolicyArn": null, "CreateOpenIDConnectProviderResponse$OpenIDConnectProviderArn": "The Amazon Resource Name (ARN) of the new IAM OpenID Connect provider that is created. For more information, see OpenIDConnectProviderListEntry.
", - "CreatePolicyVersionRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy to which you want to add a new version.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", + "CreatePolicyVersionRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy to which you want to add a new version.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", "CreateRoleRequest$PermissionsBoundary": "The ARN of the policy that is used to set the permissions boundary for the role.
", "CreateSAMLProviderResponse$SAMLProviderArn": "The Amazon Resource Name (ARN) of the new SAML provider resource in IAM.
", "CreateUserRequest$PermissionsBoundary": "The ARN of the policy that is used to set the permissions boundary for the user.
", "DeleteOpenIDConnectProviderRequest$OpenIDConnectProviderArn": "The Amazon Resource Name (ARN) of the IAM OpenID Connect provider resource object to delete. You can get a list of OpenID Connect provider resource ARNs by using the ListOpenIDConnectProviders operation.
", - "DeletePolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to delete.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "DeletePolicyVersionRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy from which you want to delete a version.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", + "DeletePolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to delete.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "DeletePolicyVersionRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy from which you want to delete a version.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", "DeleteSAMLProviderRequest$SAMLProviderArn": "The Amazon Resource Name (ARN) of the SAML provider to delete.
", - "DetachGroupPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to detach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "DetachRolePolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to detach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "DetachUserPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to detach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", + "DetachGroupPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to detach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "DetachRolePolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to detach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "DetachUserPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy you want to detach.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", "EntityInfo$Arn": null, - "GenerateServiceLastAccessedDetailsRequest$Arn": "The ARN of the IAM resource (user, group, role, or managed policy) used to generate information about when the resource was last used in an attempt to access an AWS service.
", - "GetContextKeysForPrincipalPolicyRequest$PolicySourceArn": "The ARN of a user, group, or role whose policies contain the context keys that you want listed. If you specify a user, the list includes context keys that are found in all policies that are attached to the user. The list also includes all groups that the user is a member of. If you pick a group or a role, then it includes only those context keys that are found in policies attached to that entity. Note that all parameters are shown in unencoded form here for clarity, but must be URL encoded to be included as a part of a real HTML request.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "GetOpenIDConnectProviderRequest$OpenIDConnectProviderArn": "The Amazon Resource Name (ARN) of the OIDC provider resource object in IAM to get information for. You can get a list of OIDC provider resource ARNs by using the ListOpenIDConnectProviders operation.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "GetPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the managed policy that you want information about.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "GetPolicyVersionRequest$PolicyArn": "The Amazon Resource Name (ARN) of the managed policy that you want information about.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "GetSAMLProviderRequest$SAMLProviderArn": "The Amazon Resource Name (ARN) of the SAML provider resource object in IAM to get information about.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", + "GenerateServiceLastAccessedDetailsRequest$Arn": "The ARN of the IAM resource (user, group, role, or managed policy) used to generate information about when the resource was last used in an attempt to access an Amazon Web Services service.
", + "GetContextKeysForPrincipalPolicyRequest$PolicySourceArn": "The ARN of a user, group, or role whose policies contain the context keys that you want listed. If you specify a user, the list includes context keys that are found in all policies that are attached to the user. The list also includes all groups that the user is a member of. If you pick a group or a role, then it includes only those context keys that are found in policies attached to that entity. Note that all parameters are shown in unencoded form here for clarity, but must be URL encoded to be included as a part of a real HTML request.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "GetOpenIDConnectProviderRequest$OpenIDConnectProviderArn": "The Amazon Resource Name (ARN) of the OIDC provider resource object in IAM to get information for. You can get a list of OIDC provider resource ARNs by using the ListOpenIDConnectProviders operation.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "GetPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the managed policy that you want information about.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "GetPolicyVersionRequest$PolicyArn": "The Amazon Resource Name (ARN) of the managed policy that you want information about.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "GetSAMLProviderRequest$SAMLProviderArn": "The Amazon Resource Name (ARN) of the SAML provider resource object in IAM to get information about.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", "Group$Arn": "The Amazon Resource Name (ARN) specifying the group. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide.
", "GroupDetail$Arn": null, "InstanceProfile$Arn": "The Amazon Resource Name (ARN) specifying the instance profile. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide.
", - "ListEntitiesForPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy for which you want the versions.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "ListOpenIDConnectProviderTagsRequest$OpenIDConnectProviderArn": "The ARN of the OpenID Connect (OIDC) identity provider whose tags you want to see.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", + "ListEntitiesForPolicyRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy for which you want the versions.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "ListOpenIDConnectProviderTagsRequest$OpenIDConnectProviderArn": "The ARN of the OpenID Connect (OIDC) identity provider whose tags you want to see.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "ListPoliciesGrantingServiceAccessRequest$Arn": "The ARN of the IAM identity (user, group, or role) whose policies you want to list.
", - "ListPolicyTagsRequest$PolicyArn": "The ARN of the IAM customer managed policy whose tags you want to see.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", - "ListPolicyVersionsRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy for which you want the versions.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "ListSAMLProviderTagsRequest$SAMLProviderArn": "The ARN of the Security Assertion Markup Language (SAML) identity provider whose tags you want to see.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", + "ListPolicyTagsRequest$PolicyArn": "The ARN of the IAM customer managed policy whose tags you want to see.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "ListPolicyVersionsRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy for which you want the versions.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "ListSAMLProviderTagsRequest$SAMLProviderArn": "The ARN of the Security Assertion Markup Language (SAML) identity provider whose tags you want to see.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "ManagedPolicyDetail$Arn": null, "OpenIDConnectProviderListEntry$Arn": null, "Policy$Arn": null, "PolicyGrantingServiceAccess$PolicyArn": null, "PutRolePermissionsBoundaryRequest$PermissionsBoundary": "The ARN of the policy that is used to set the permissions boundary for the role.
", "PutUserPermissionsBoundaryRequest$PermissionsBoundary": "The ARN of the policy that is used to set the permissions boundary for the user.
", - "RemoveClientIDFromOpenIDConnectProviderRequest$OpenIDConnectProviderArn": "The Amazon Resource Name (ARN) of the IAM OIDC provider resource to remove the client ID from. You can get a list of OIDC provider ARNs by using the ListOpenIDConnectProviders operation.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", + "RemoveClientIDFromOpenIDConnectProviderRequest$OpenIDConnectProviderArn": "The Amazon Resource Name (ARN) of the IAM OIDC provider resource to remove the client ID from. You can get a list of OIDC provider ARNs by using the ListOpenIDConnectProviders operation.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", "Role$Arn": "The Amazon Resource Name (ARN) specifying the role. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide guide.
", "RoleDetail$Arn": null, "SAMLProviderListEntry$Arn": "The Amazon Resource Name (ARN) of the SAML provider.
", "ServerCertificateMetadata$Arn": "The Amazon Resource Name (ARN) specifying the server certificate. For more information about ARNs and how to use them in policies, see IAM identifiers in the IAM User Guide.
", - "ServiceLastAccessed$LastAuthenticatedEntity": "The ARN of the authenticated entity (user or role) that last attempted to access the service. AWS does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
", - "SetDefaultPolicyVersionRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy whose default version you want to set.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "SimulatePrincipalPolicyRequest$PolicySourceArn": "The Amazon Resource Name (ARN) of a user, group, or role whose policies you want to include in the simulation. If you specify a user, group, or role, the simulation includes all policies that are associated with that entity. If you specify a user, the simulation also includes all policies that are attached to any groups the user belongs to.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "TagOpenIDConnectProviderRequest$OpenIDConnectProviderArn": "The ARN of the OIDC identity provider in IAM to which you want to add tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", - "TagPolicyRequest$PolicyArn": "The ARN of the IAM customer managed policy to which you want to add tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", - "TagSAMLProviderRequest$SAMLProviderArn": "The ARN of the SAML identity provider in IAM to which you want to add tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", + "ServiceLastAccessed$LastAuthenticatedEntity": "The ARN of the authenticated entity (user or role) that last attempted to access the service. Amazon Web Services does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
", + "SetDefaultPolicyVersionRequest$PolicyArn": "The Amazon Resource Name (ARN) of the IAM policy whose default version you want to set.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "SimulatePrincipalPolicyRequest$PolicySourceArn": "The Amazon Resource Name (ARN) of a user, group, or role whose policies you want to include in the simulation. If you specify a user, group, or role, the simulation includes all policies that are associated with that entity. If you specify a user, the simulation also includes all policies that are attached to any groups the user belongs to.
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "TagOpenIDConnectProviderRequest$OpenIDConnectProviderArn": "The ARN of the OIDC identity provider in IAM to which you want to add tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "TagPolicyRequest$PolicyArn": "The ARN of the IAM customer managed policy to which you want to add tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "TagSAMLProviderRequest$SAMLProviderArn": "The ARN of the SAML identity provider in IAM to which you want to add tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "TrackedActionLastAccessed$LastAccessedEntity": null, - "UntagOpenIDConnectProviderRequest$OpenIDConnectProviderArn": "The ARN of the OIDC provider in IAM from which you want to remove tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", - "UntagPolicyRequest$PolicyArn": "The ARN of the IAM customer managed policy from which you want to remove tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", - "UntagSAMLProviderRequest$SAMLProviderArn": "The ARN of the SAML identity provider in IAM from which you want to remove tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", - "UpdateOpenIDConnectProviderThumbprintRequest$OpenIDConnectProviderArn": "The Amazon Resource Name (ARN) of the IAM OIDC provider resource object for which you want to update the thumbprint. You can get a list of OIDC provider ARNs by using the ListOpenIDConnectProviders operation.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", - "UpdateSAMLProviderRequest$SAMLProviderArn": "The Amazon Resource Name (ARN) of the SAML provider to update.
For more information about ARNs, see Amazon Resource Names (ARNs) in the AWS General Reference.
", + "UntagOpenIDConnectProviderRequest$OpenIDConnectProviderArn": "The ARN of the OIDC provider in IAM from which you want to remove tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "UntagPolicyRequest$PolicyArn": "The ARN of the IAM customer managed policy from which you want to remove tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "UntagSAMLProviderRequest$SAMLProviderArn": "The ARN of the SAML identity provider in IAM from which you want to remove tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "UpdateOpenIDConnectProviderThumbprintRequest$OpenIDConnectProviderArn": "The Amazon Resource Name (ARN) of the IAM OIDC provider resource object for which you want to update the thumbprint. You can get a list of OIDC provider ARNs by using the ListOpenIDConnectProviders operation.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", + "UpdateSAMLProviderRequest$SAMLProviderArn": "The Amazon Resource Name (ARN) of the SAML provider to update.
For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.
", "UpdateSAMLProviderResponse$SAMLProviderArn": "The Amazon Resource Name (ARN) of the SAML provider that was updated.
", "User$Arn": "The Amazon Resource Name (ARN) that identifies the user. For more information about ARNs and how to use ARNs in policies, see IAM Identifiers in the IAM User Guide.
", "UserDetail$Arn": null @@ -2320,27 +2320,27 @@ "ListGroupPoliciesResponse$IsTruncated": "A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag to filter the results to only the attached policies.
When OnlyAttached is true, the returned list contains only the policies that are attached to an IAM user, group, or role. When OnlyAttached is false, or when the parameter is not included, all policies are returned.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can use the Marker request parameter to make a subsequent pagination request that retrieves more items. Note that IAM might return fewer than the MaxItems number of results even when more results are available. Check IsTruncated after every call to ensure that you receive all of your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all your results.
Specifies whether the user is required to set a new password on next sign-in.
", @@ -2360,7 +2360,7 @@ "UpdateAccountPasswordPolicyRequest$RequireNumbers": "Specifies whether IAM user passwords must contain at least one numeric character (0 to 9).
If you do not specify a value for this parameter, then the operation uses the default value of false. The result is that passwords do not require at least one numeric character.
Specifies whether IAM user passwords must contain at least one uppercase character from the ISO basic Latin alphabet (A to Z).
If you do not specify a value for this parameter, then the operation uses the default value of false. The result is that passwords do not require at least one uppercase character.
Specifies whether IAM user passwords must contain at least one lowercase character from the ISO basic Latin alphabet (a to z).
If you do not specify a value for this parameter, then the operation uses the default value of false. The result is that passwords do not require at least one lowercase character.
Allows all IAM users in your account to use the AWS Management Console to change their own passwords. For more information, see Letting IAM users change their own passwords in the IAM User Guide.
If you do not specify a value for this parameter, then the operation uses the default value of false. The result is that IAM users in the account do not automatically have permissions to change their own password.
Allows all IAM users in your account to use the Management Console to change their own passwords. For more information, see Letting IAM users change their own passwords in the IAM User Guide.
If you do not specify a value for this parameter, then the operation uses the default value of false. The result is that IAM users in the account do not automatically have permissions to change their own password.
The date and time, in ISO 8601 date-time format, when an authenticated principal most recently attempted to access the service. AWS does not report unauthenticated requests.
This field is null if no principals in the reported Organizations entity attempted to access the service within the reporting period.
", + "AccessDetail$LastAuthenticatedTime": "The date and time, in ISO 8601 date-time format, when an authenticated principal most recently attempted to access the service. Amazon Web Services does not report unauthenticated requests.
This field is null if no principals in the reported Organizations entity attempted to access the service within the reporting period.
", "AccessKey$CreateDate": "The date when the access key was created.
", "AccessKeyLastUsed$LastUsedDate": "The date and time, in ISO 8601 date-time format, when the access key was most recently used. This field is null in the following situations:
The user does not have an access key.
An access key exists but has not been used since IAM began tracking this information.
There is no sign-in data associated with the user.
The date when the access key was created.
", - "EntityDetails$LastAuthenticated": "The date and time, in ISO 8601 date-time format, when the authenticated entity last attempted to access AWS. AWS does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
", + "EntityDetails$LastAuthenticated": "The date and time, in ISO 8601 date-time format, when the authenticated entity last attempted to access Amazon Web Services. Amazon Web Services does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
", "GetCredentialReportResponse$GeneratedTime": "The date and time when the credential report was created, in ISO 8601 date-time format.
", - "GetOpenIDConnectProviderResponse$CreateDate": "The date and time when the IAM OIDC provider resource object was created in the AWS account.
", + "GetOpenIDConnectProviderResponse$CreateDate": "The date and time when the IAM OIDC provider resource object was created in the account.
", "GetOrganizationsAccessReportResponse$JobCreationDate": "The date and time, in ISO 8601 date-time format, when the report job was created.
", "GetOrganizationsAccessReportResponse$JobCompletionDate": "The date and time, in ISO 8601 date-time format, when the generated report job was completed or failed.
This field is null if the job is still in progress, as indicated by a job status value of IN_PROGRESS.
The date and time when the SAML provider was created.
", @@ -2469,13 +2469,13 @@ "SSHPublicKeyMetadata$UploadDate": "The date and time, in ISO 8601 date-time format, when the SSH public key was uploaded.
", "ServerCertificateMetadata$UploadDate": "The date when the server certificate was uploaded.
", "ServerCertificateMetadata$Expiration": "The date on which the certificate is set to expire.
", - "ServiceLastAccessed$LastAuthenticated": "The date and time, in ISO 8601 date-time format, when an authenticated entity most recently attempted to access the service. AWS does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
", + "ServiceLastAccessed$LastAuthenticated": "The date and time, in ISO 8601 date-time format, when an authenticated entity most recently attempted to access the service. Amazon Web Services does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
", "ServiceSpecificCredential$CreateDate": "The date and time, in ISO 8601 date-time format, when the service-specific credential were created.
", "ServiceSpecificCredentialMetadata$CreateDate": "The date and time, in ISO 8601 date-time format, when the service-specific credential were created.
", "SigningCertificate$UploadDate": "The date when the signing certificate was uploaded.
", - "TrackedActionLastAccessed$LastAccessedTime": "The date and time, in ISO 8601 date-time format, when an authenticated entity most recently attempted to access the tracked service. AWS does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
", + "TrackedActionLastAccessed$LastAccessedTime": "The date and time, in ISO 8601 date-time format, when an authenticated entity most recently attempted to access the tracked service. Amazon Web Services does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
", "User$CreateDate": "The date and time, in ISO 8601 date-time format, when the user was created.
", - "User$PasswordLastUsed": "The date and time, in ISO 8601 date-time format, when the user's password was last used to sign in to an AWS website. For a list of AWS websites that capture a user's last sign-in time, see the Credential reports topic in the IAM User Guide. If a password is used more than once in a five-minute span, only the first use is returned in this field. If the field is null (no value), then it indicates that they never signed in with a password. This can be because:
The user never had a password.
A password exists but has not been used since IAM started tracking this information on October 20, 2014.
A null value does not mean that the user never had a password. Also, if the user does not currently have a password but had one in the past, then this field contains the date and time the most recent password was used.
This value is returned only in the GetUser and ListUsers operations.
", + "User$PasswordLastUsed": "The date and time, in ISO 8601 date-time format, when the user's password was last used to sign in to an Amazon Web Services website. For a list of Amazon Web Services websites that capture a user's last sign-in time, see the Credential reports topic in the IAM User Guide. If a password is used more than once in a five-minute span, only the first use is returned in this field. If the field is null (no value), then it indicates that they never signed in with a password. This can be because:
The user never had a password.
A password exists but has not been used since IAM started tracking this information on October 20, 2014.
A null value does not mean that the user never had a password. Also, if the user does not currently have a password but had one in the past, then this field contains the date and time the most recent password was used.
This value is returned only in the GetUser and ListUsers operations.
", "UserDetail$CreateDate": "The date and time, in ISO 8601 date-time format, when the user was created.
", "VirtualMFADevice$EnableDate": "The date and time on which the virtual MFA device was enabled.
" } @@ -2513,7 +2513,7 @@ "entityDetailsListType": { "base": null, "refs": { - "GetServiceLastAccessedDetailsWithEntitiesResponse$EntityDetailsList": "An EntityDetailsList object that contains details about when an IAM entity (user or role) used group or policy permissions in an attempt to access the specified AWS service.
An EntityDetailsList object that contains details about when an IAM entity (user or role) used group or policy permissions in an attempt to access the specified Amazon Web Services service.
The name (friendly name, not ARN) identifying the user that the policy is embedded in.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "DeleteUserRequest$UserName": "The name of the user to delete.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "EnableMFADeviceRequest$UserName": "The name of the IAM user for whom you want to enable the MFA device.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", - "GetAccessKeyLastUsedResponse$UserName": "The name of the AWS IAM user that owns this access key.
", + "GetAccessKeyLastUsedResponse$UserName": "The name of the IAM user that owns this access key.
", "GetUserPolicyRequest$UserName": "The name of the user who the policy is associated with.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "GetUserPolicyResponse$UserName": "The user the policy is associated with.
", "GetUserRequest$UserName": "The name of the user to get information about.
This parameter is optional. If it is not included, it defaults to the user making the request. This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", @@ -2554,12 +2554,12 @@ "ListMFADevicesRequest$UserName": "The name of the user whose MFA devices you want to list.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "ListSigningCertificatesRequest$UserName": "The name of the IAM user whose signing certificates you want to examine.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "ListUserPoliciesRequest$UserName": "The name of the user to list policies for.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", - "ListUserTagsRequest$UserName": "The name of the IAM user whose tags you want to see.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", + "ListUserTagsRequest$UserName": "The name of the IAM user whose tags you want to see.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "PutUserPolicyRequest$UserName": "The name of the user to associate the policy with.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "RemoveUserFromGroupRequest$UserName": "The name of the user to remove.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "ResyncMFADeviceRequest$UserName": "The name of the user whose MFA device you want to resynchronize.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", - "TagUserRequest$UserName": "The name of the IAM user to which you want to add tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", - "UntagUserRequest$UserName": "The name of the IAM user from which you want to remove tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", + "TagUserRequest$UserName": "The name of the IAM user to which you want to add tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "UntagUserRequest$UserName": "The name of the IAM user from which you want to remove tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "UpdateAccessKeyRequest$UserName": "The name of the user whose key you want to update.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "UpdateSigningCertificateRequest$UserName": "The name of the IAM user the signing certificate belongs to.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "UpdateUserRequest$UserName": "Name of the user to update. If you're changing the name of the user, this is the original user name.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", @@ -2569,7 +2569,7 @@ "globalEndpointTokenVersion": { "base": null, "refs": { - "SetSecurityTokenServicePreferencesRequest$GlobalEndpointTokenVersion": "The version of the global endpoint token. Version 1 tokens are valid only in AWS Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens are longer and might affect systems where you temporarily store tokens.
For information, see Activating and deactivating STS in an AWS region in the IAM User Guide.
" + "SetSecurityTokenServicePreferencesRequest$GlobalEndpointTokenVersion": "The version of the global endpoint token. Version 1 tokens are valid only in Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens are longer and might affect systems where you temporarily store tokens.
For information, see Activating and deactivating STS in an Region in the IAM User Guide.
" } }, "groupDetailListType": { @@ -2597,7 +2597,7 @@ "AddUserToGroupRequest$GroupName": "The name of the group to update.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "AttachGroupPolicyRequest$GroupName": "The name (friendly name, not ARN) of the group to attach the policy to.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "CreateGroupRequest$GroupName": "The name of the group to create. Do not include the path in this value.
IAM user, group, role, and policy names must be unique within the account. Names are not distinguished by case. For example, you cannot create resources named both \"MyResource\" and \"myresource\".
", - "CreateServiceLinkedRoleRequest$AWSServiceName": "The service principal for the AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com.
Service principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see AWS services that work with IAM in the IAM User Guide. Look for the services that have Yes in the Service-Linked Role column. Choose the Yes link to view the service-linked role documentation for that service.
", + "CreateServiceLinkedRoleRequest$AWSServiceName": "The service principal for the Amazon Web Services service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com.
Service principals are unique and case-sensitive. To find the exact service principal for your service-linked role, see Amazon Web Services services that work with IAM in the IAM User Guide. Look for the services that have Yes in the Service-Linked Role column. Choose the Yes link to view the service-linked role documentation for that service.
", "DeleteGroupPolicyRequest$GroupName": "The name (friendly name, not ARN) identifying the group that the policy is embedded in.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "DeleteGroupRequest$GroupName": "The name of the IAM group to delete.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "DetachGroupPolicyRequest$GroupName": "The name (friendly name, not ARN) of the IAM group to detach the policy from.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", @@ -2651,10 +2651,10 @@ "DeleteInstanceProfileRequest$InstanceProfileName": "The name of the instance profile to delete.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "GetInstanceProfileRequest$InstanceProfileName": "The name of the instance profile to get information about.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "InstanceProfile$InstanceProfileName": "The name identifying the instance profile.
", - "ListInstanceProfileTagsRequest$InstanceProfileName": "The name of the IAM instance profile whose tags you want to see.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", + "ListInstanceProfileTagsRequest$InstanceProfileName": "The name of the IAM instance profile whose tags you want to see.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "RemoveRoleFromInstanceProfileRequest$InstanceProfileName": "The name of the instance profile to update.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", - "TagInstanceProfileRequest$InstanceProfileName": "The name of the IAM instance profile to which you want to add tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", - "UntagInstanceProfileRequest$InstanceProfileName": "The name of the IAM instance profile from which you want to remove tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
" + "TagInstanceProfileRequest$InstanceProfileName": "The name of the IAM instance profile to which you want to add tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "UntagInstanceProfileRequest$InstanceProfileName": "The name of the IAM instance profile from which you want to remove tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
" } }, "integerType": { @@ -2805,25 +2805,25 @@ "ListGroupPoliciesRequest$MaxItems": "Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true.
If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true.
If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true.
If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true.
If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true.
If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true.
If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true.
If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
(Optional) Use this only when paginating results to indicate the maximum number of items that you want in the response. If additional items exist beyond the maximum that you specify, the IsTruncated response element is true.
If you do not include this parameter, it defaults to 100. Note that IAM might return fewer results, even when more results are available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
Use this only when paginating results to indicate the maximum number of items you want in the response. If additional items exist beyond the maximum you specify, the IsTruncated response element is true.
If you do not include this parameter, the number of items defaults to 100. Note that IAM might return fewer results, even when there are more results available. In that case, the IsTruncated response element returns true, and Marker contains a value to include in the subsequent call that tells the service where to continue from.
The path of the Organizations entity (root, organizational unit, or account) from which an authenticated principal last attempted to access the service. AWS does not report unauthenticated requests.
This field is null if no principals (IAM users, IAM roles, or root users) in the reported Organizations entity attempted to access the service within the reporting period.
", - "GenerateOrganizationsAccessReportRequest$EntityPath": "The path of the AWS Organizations entity (root, OU, or account). You can build an entity path using the known structure of your organization. For example, assume that your account ID is 123456789012 and its parent OU ID is ou-rge0-awsabcde. The organization root ID is r-f6g7h8i9j0example and your organization ID is o-a1b2c3d4e5. Your entity path is o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-rge0-awsabcde/123456789012.
The path of the Organizations entity (root, organizational unit, or account) from which an authenticated principal last attempted to access the service. Amazon Web Services does not report unauthenticated requests.
This field is null if no principals (IAM users, IAM roles, or root users) in the reported Organizations entity attempted to access the service within the reporting period.
", + "GenerateOrganizationsAccessReportRequest$EntityPath": "The path of the Organizations entity (root, OU, or account). You can build an entity path using the known structure of your organization. For example, assume that your account ID is 123456789012 and its parent OU ID is ou-rge0-awsabcde. The organization root ID is r-f6g7h8i9j0example and your organization ID is o-a1b2c3d4e5. Your entity path is o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-rge0-awsabcde/123456789012.
The identifier of the AWS Organizations service control policy (SCP). This parameter is optional.
This ID is used to generate information about when an account principal that is limited by the SCP attempted to access an AWS service.
" + "GenerateOrganizationsAccessReportRequest$OrganizationsPolicyId": "The identifier of the Organizations service control policy (SCP). This parameter is optional.
This ID is used to generate information about when an account principal that is limited by the SCP attempted to access an Amazon Web Services service.
" } }, "passwordPolicyViolationMessage": { @@ -2886,9 +2886,9 @@ "base": null, "refs": { "ChangePasswordRequest$OldPassword": "The IAM user's current password.
", - "ChangePasswordRequest$NewPassword": "The new password. The new password must conform to the AWS account's password policy, if one exists.
The regex pattern that is used to validate this parameter is a string of characters. That string can include almost any printable ASCII character from the space (\\u0020) through the end of the ASCII character range (\\u00FF). You can also include the tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D) characters. Any of these characters are valid in a password. However, many tools, such as the AWS Management Console, might restrict the ability to type certain characters because they have special meaning within that tool.
The new password for the user.
The regex pattern that is used to validate this parameter is a string of characters. That string can include almost any printable ASCII character from the space (\\u0020) through the end of the ASCII character range (\\u00FF). You can also include the tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D) characters. Any of these characters are valid in a password. However, many tools, such as the AWS Management Console, might restrict the ability to type certain characters because they have special meaning within that tool.
The new password for the specified IAM user.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
However, the format can be further restricted by the account administrator by setting a password policy on the AWS account. For more information, see UpdateAccountPasswordPolicy.
" + "ChangePasswordRequest$NewPassword": "The new password. The new password must conform to the account's password policy, if one exists.
The regex pattern that is used to validate this parameter is a string of characters. That string can include almost any printable ASCII character from the space (\\u0020) through the end of the ASCII character range (\\u00FF). You can also include the tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D) characters. Any of these characters are valid in a password. However, many tools, such as the Management Console, might restrict the ability to type certain characters because they have special meaning within that tool.
The new password for the user.
The regex pattern that is used to validate this parameter is a string of characters. That string can include almost any printable ASCII character from the space (\\u0020) through the end of the ASCII character range (\\u00FF). You can also include the tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D) characters. Any of these characters are valid in a password. However, many tools, such as the Management Console, might restrict the ability to type certain characters because they have special meaning within that tool.
The new password for the specified IAM user.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
However, the format can be further restricted by the account administrator by setting a password policy on the account. For more information, see UpdateAccountPasswordPolicy.
" } }, "pathPrefixType": { @@ -2944,23 +2944,23 @@ "policyDocumentType": { "base": null, "refs": { - "CreatePolicyRequest$PolicyDocument": "The JSON policy document that you want to use as the content for the new policy.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
To learn more about JSON policy grammar, see Grammar of the IAM JSON policy language in the IAM User Guide.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The JSON policy document that you want to use as the content for this new version of the policy.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The trust relationship policy document that grants an entity permission to assume the role.
In IAM, you must provide a JSON policy that has been converted to a string. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
Upon success, the response includes the same trust policy in JSON format.
", - "GetGroupPolicyResponse$PolicyDocument": "The policy document.
IAM stores policies in JSON format. However, resources that were created using AWS CloudFormation templates can be formatted in YAML. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
", - "GetRolePolicyResponse$PolicyDocument": "The policy document.
IAM stores policies in JSON format. However, resources that were created using AWS CloudFormation templates can be formatted in YAML. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
", - "GetUserPolicyResponse$PolicyDocument": "The policy document.
IAM stores policies in JSON format. However, resources that were created using AWS CloudFormation templates can be formatted in YAML. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
", + "CreatePolicyRequest$PolicyDocument": "The JSON policy document that you want to use as the content for the new policy.
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.
To learn more about JSON policy grammar, see Grammar of the IAM JSON policy language in the IAM User Guide.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The JSON policy document that you want to use as the content for this new version of the policy.
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The trust relationship policy document that grants an entity permission to assume the role.
In IAM, you must provide a JSON policy that has been converted to a string. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
Upon success, the response includes the same trust policy in JSON format.
", + "GetGroupPolicyResponse$PolicyDocument": "The policy document.
IAM stores policies in JSON format. However, resources that were created using CloudFormation templates can be formatted in YAML. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
", + "GetRolePolicyResponse$PolicyDocument": "The policy document.
IAM stores policies in JSON format. However, resources that were created using CloudFormation templates can be formatted in YAML. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
", + "GetUserPolicyResponse$PolicyDocument": "The policy document.
IAM stores policies in JSON format. However, resources that were created using CloudFormation templates can be formatted in YAML. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
", "PolicyDetail$PolicyDocument": "The policy document.
", "PolicyVersion$Document": "The policy document.
The policy document is returned in the response to the GetPolicyVersion and GetAccountAuthorizationDetails operations. It is not returned in the response to the CreatePolicyVersion or ListPolicyVersions operations.
The policy document returned in this structure is URL-encoded compliant with RFC 3986. You can use a URL decoding method to convert the policy back to plain JSON text. For example, if you use Java, you can use the decode method of the java.net.URLDecoder utility class in the Java SDK. Other languages and SDKs provide similar functionality.
The policy document.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The policy document.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The policy document.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The policy document.
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to = IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The policy document.
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The policy document.
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The policy that grants an entity permission to assume the role.
", "RoleDetail$AssumeRolePolicyDocument": "The trust policy that grants permission to assume the role.
", - "SimulateCustomPolicyRequest$ResourcePolicy": "A resource-based policy to include in the simulation provided as a string. Each resource in the simulation is treated as if it had this policy attached. You can include only one resource-based policy in a simulation.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
A resource-based policy to include in the simulation provided as a string. Each resource in the simulation is treated as if it had this policy attached. You can include only one resource-based policy in a simulation.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
A resource-based policy to include in the simulation provided as a string. Each resource in the simulation is treated as if it had this policy attached. You can include only one resource-based policy in a simulation.
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
A resource-based policy to include in the simulation provided as a string. Each resource in the simulation is treated as if it had this policy attached. You can include only one resource-based policy in a simulation.
The maximum length of the policy document that you can pass in this operation, including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The policy that grants an entity permission to assume the role.
You must provide policies in JSON format in IAM. However, for AWS CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. AWS CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The policy that grants an entity permission to assume the role.
You must provide policies in JSON format in IAM. However, for CloudFormation templates formatted in YAML, you can provide the policy in JSON or YAML format. CloudFormation always converts a YAML policy to JSON format before submitting it to IAM.
The regex pattern used to validate this parameter is a string of characters consisting of the following:
Any printable ASCII character ranging from the space character (\\u0020) through the end of the ASCII character range
The printable characters in the Basic Latin and Latin-1 Supplement character set (through \\u00FF)
The special characters tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D)
The scope to use for filtering the results.
To list only AWS managed policies, set Scope to AWS. To list only the customer managed policies in your AWS account, set Scope to Local.
This parameter is optional. If it is not included, or if it is set to All, all policies are returned.
The scope to use for filtering the results.
To list only Amazon Web Services managed policies, set Scope to AWS. To list only the customer managed policies in your account, set Scope to Local.
This parameter is optional. If it is not included, or if it is set to All, all policies are returned.
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL. For more information, see Using IAM roles in the IAM User Guide.
The maximum session duration (in seconds) for the specified role. Anyone who uses the AWS CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter.
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Anyone who assumes the role from the AWS CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL. For more information, see Using IAM roles in the IAM User Guide.
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Anyone who assumes the role from the or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL. For more information, see Using IAM roles in the IAM User Guide.
The maximum session duration (in seconds) for the specified role. Anyone who uses the CLI, or API to assume the role can specify the duration using the optional DurationSeconds API parameter or duration-seconds CLI parameter.
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
Anyone who assumes the role from the CLI or API can use the DurationSeconds API parameter or the duration-seconds CLI parameter to request a longer session. The MaxSessionDuration setting determines the maximum duration that can be requested using the DurationSeconds parameter. If users don't specify a value for the DurationSeconds parameter, their security credentials are valid for one hour by default. This applies when you use the AssumeRole* API operations or the assume-role* CLI operations but does not apply when you use those operations to create a console URL. For more information, see Using IAM roles in the IAM User Guide.
The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@:/-
", "DeleteVirtualMFADeviceRequest$SerialNumber": "The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the same as the ARN.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@:/-
", "EnableMFADeviceRequest$SerialNumber": "The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@:/-
", - "ListMFADeviceTagsRequest$SerialNumber": "The unique identifier for the IAM virtual MFA device whose tags you want to see. For virtual MFA devices, the serial number is the same as the ARN.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", + "ListMFADeviceTagsRequest$SerialNumber": "The unique identifier for the IAM virtual MFA device whose tags you want to see. For virtual MFA devices, the serial number is the same as the ARN.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "MFADevice$SerialNumber": "The serial number that uniquely identifies the MFA device. For virtual MFA devices, the serial number is the device ARN.
", "ResyncMFADeviceRequest$SerialNumber": "Serial number that uniquely identifies the MFA device.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", - "TagMFADeviceRequest$SerialNumber": "The unique identifier for the IAM virtual MFA device to which you want to add tags. For virtual MFA devices, the serial number is the same as the ARN.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", - "UntagMFADeviceRequest$SerialNumber": "The unique identifier for the IAM virtual MFA device from which you want to remove tags. For virtual MFA devices, the serial number is the same as the ARN.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", + "TagMFADeviceRequest$SerialNumber": "The unique identifier for the IAM virtual MFA device to which you want to add tags. For virtual MFA devices, the serial number is the same as the ARN.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "UntagMFADeviceRequest$SerialNumber": "The unique identifier for the IAM virtual MFA device from which you want to remove tags. For virtual MFA devices, the serial number is the same as the ARN.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "VirtualMFADevice$SerialNumber": "The serial number associated with VirtualMFADevice.
The name of the server certificate you want to delete.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "GetServerCertificateRequest$ServerCertificateName": "The name of the server certificate you want to retrieve information about.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", - "ListServerCertificateTagsRequest$ServerCertificateName": "The name of the IAM server certificate whose tags you want to see.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", + "ListServerCertificateTagsRequest$ServerCertificateName": "The name of the IAM server certificate whose tags you want to see.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "ServerCertificateMetadata$ServerCertificateName": "The name that identifies the server certificate.
", - "TagServerCertificateRequest$ServerCertificateName": "The name of the IAM server certificate to which you want to add tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", - "UntagServerCertificateRequest$ServerCertificateName": "The name of the IAM server certificate from which you want to remove tags.
This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: =,.@-
", + "TagServerCertificateRequest$ServerCertificateName": "The name of the IAM server certificate to which you want to add tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "UntagServerCertificateRequest$ServerCertificateName": "The name of the IAM server certificate from which you want to remove tags.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "UpdateServerCertificateRequest$ServerCertificateName": "The name of the server certificate that you want to update.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "UpdateServerCertificateRequest$NewServerCertificateName": "The new name for the server certificate. Include this only if you are updating the server certificate's name. The name of the certificate cannot contain any spaces.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "UploadServerCertificateRequest$ServerCertificateName": "The name for the server certificate. Do not include the path in this value. The name of the certificate cannot contain any spaces.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
" @@ -3249,8 +3249,8 @@ "serviceName": { "base": null, "refs": { - "CreateServiceSpecificCredentialRequest$ServiceName": "The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials.
", - "ListServiceSpecificCredentialsRequest$ServiceName": "Filters the returned results to only those for the specified AWS service. If not specified, then AWS returns service-specific credentials for all services.
", + "CreateServiceSpecificCredentialRequest$ServiceName": "The name of the Amazon Web Services service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials.
", + "ListServiceSpecificCredentialsRequest$ServiceName": "Filters the returned results to only those for the specified Amazon Web Services service. If not specified, then Amazon Web Services returns service-specific credentials for all services.
", "ServiceSpecificCredential$ServiceName": "The name of the service associated with the service-specific credential.
", "ServiceSpecificCredentialMetadata$ServiceName": "The name of the service associated with the service-specific credential.
" } @@ -3265,16 +3265,16 @@ "serviceNamespaceListType": { "base": null, "refs": { - "ListPoliciesGrantingServiceAccessRequest$ServiceNamespaces": "The service namespace for the AWS services whose policies you want to list.
To learn the service namespace for a service, see Actions, resources, and condition keys for AWS services in the IAM User Guide. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, (service prefix: a4b). For more information about service namespaces, see AWS service namespaces in the AWS General Reference.
The service namespace for the Amazon Web Services services whose policies you want to list.
To learn the service namespace for a service, see Actions, resources, and condition keys for Amazon Web Services services in the IAM User Guide. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, (service prefix: a4b). For more information about service namespaces, see Amazon Web Services service namespaces in the Amazon Web Services General Reference.
The namespace of the service in which access was attempted.
To learn the service namespace of a service, see Actions, resources, and condition keys for AWS services in the Service Authorization Reference. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, (service prefix: a4b). For more information about service namespaces, see AWS service namespaces in the AWS General Reference.
The service namespace for an AWS service. Provide the service namespace to learn when the IAM entity last attempted to access the specified service.
To learn the service namespace for a service, see Actions, resources, and condition keys for AWS services in the IAM User Guide. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, (service prefix: a4b). For more information about service namespaces, see AWS service namespaces in the AWS General Reference.
The namespace of the service that was accessed.
To learn the service namespace of a service, see Actions, resources, and condition keys for AWS services in the Service Authorization Reference. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, (service prefix: a4b). For more information about service namespaces, see AWS service namespaces in the AWS General Reference.
The namespace of the service in which access was attempted.
To learn the service namespace of a service, see Actions, resources, and condition keys for AWS services in the Service Authorization Reference. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, (service prefix: a4b). For more information about service namespaces, see AWS Service Namespaces in the AWS General Reference.
The namespace of the service in which access was attempted.
To learn the service namespace of a service, see Actions, resources, and condition keys for Amazon Web Services services in the Service Authorization Reference. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, (service prefix: a4b). For more information about service namespaces, see Amazon Web Services service namespaces in the Amazon Web Services General Reference.
The service namespace for an Amazon Web Services service. Provide the service namespace to learn when the IAM entity last attempted to access the specified service.
To learn the service namespace for a service, see Actions, resources, and condition keys for Amazon Web Services services in the IAM User Guide. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, (service prefix: a4b). For more information about service namespaces, see Amazon Web Services service namespaces in the Amazon Web Services General Reference.
The namespace of the service that was accessed.
To learn the service namespace of a service, see Actions, resources, and condition keys for Amazon Web Services services in the Service Authorization Reference. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, (service prefix: a4b). For more information about service namespaces, see Amazon Web Services service namespaces in the Amazon Web Services General Reference.
The namespace of the service in which access was attempted.
To learn the service namespace of a service, see Actions, resources, and condition keys for Amazon Web Services services in the Service Authorization Reference. Choose the name of the service to view details for that service. In the first paragraph, find the service prefix. For example, (service prefix: a4b). For more information about service namespaces, see Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example. This value cannot be configured by the user.
The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the Amazon Web Services account, as in jane-at-123456789012, for example. This value cannot be configured by the user.
The generated user name for the service-specific credential.
" } }, @@ -3318,29 +3318,29 @@ "refs": { "AccessKey$Status": "The status of the access key. Active means that the key is valid for API calls, while Inactive means it is not.
The status of the access key. Active means that the key is valid for API calls; Inactive means it is not.
The status of the SSH public key. Active means that the key can be used for authentication with an AWS CodeCommit repository. Inactive means that the key cannot be used.
The status of the SSH public key. Active means that the key can be used for authentication with an AWS CodeCommit repository. Inactive means that the key cannot be used.
The status of the SSH public key. Active means that the key can be used for authentication with an CodeCommit repository. Inactive means that the key cannot be used.
The status of the SSH public key. Active means that the key can be used for authentication with an CodeCommit repository. Inactive means that the key cannot be used.
The status of the service-specific credential. Active means that the key is valid for API calls, while Inactive means it is not.
The status of the service-specific credential. Active means that the key is valid for API calls, while Inactive means it is not.
The status of the signing certificate. Active means that the key is valid for API calls, while Inactive means it is not.
The status you want to assign to the secret access key. Active means that the key can be used for programmatic calls to AWS, while Inactive means that the key cannot be used.
The status to assign to the SSH public key. Active means that the key can be used for authentication with an AWS CodeCommit repository. Inactive means that the key cannot be used.
The status you want to assign to the secret access key. Active means that the key can be used for programmatic calls to Amazon Web Services, while Inactive means that the key cannot be used.
The status to assign to the SSH public key. Active means that the key can be used for authentication with an CodeCommit repository. Inactive means that the key cannot be used.
The status to be assigned to the service-specific credential.
", - "UpdateSigningCertificateRequest$Status": " The status you want to assign to the certificate. Active means that the certificate can be used for programmatic calls to AWS Inactive means that the certificate cannot be used.
The status you want to assign to the certificate. Active means that the certificate can be used for programmatic calls to Amazon Web Services Inactive means that the certificate cannot be used.
The Region where the last service access attempt occurred.
This field is null if no principals in the reported Organizations entity attempted to access the service within the reporting period.
", - "AccessKeyLastUsed$ServiceName": "The name of the AWS service with which this access key was most recently used. The value of this field is \"N/A\" in the following situations:
The user does not have an access key.
An access key exists but has not been used since IAM started tracking this information.
There is no sign-in data associated with the user.
The AWS Region where this access key was most recently used. The value for this field is \"N/A\" in the following situations:
The user does not have an access key.
An access key exists but has not been used since IAM began tracking this information.
There is no sign-in data associated with the user.
For more information about AWS Regions, see Regions and endpoints in the Amazon Web Services General Reference.
", + "AccessKeyLastUsed$ServiceName": "The name of the Amazon Web Services service with which this access key was most recently used. The value of this field is \"N/A\" in the following situations:
The user does not have an access key.
An access key exists but has not been used since IAM started tracking this information.
There is no sign-in data associated with the user.
The Region where this access key was most recently used. The value for this field is \"N/A\" in the following situations:
The user does not have an access key.
An access key exists but has not been used since IAM began tracking this information.
There is no sign-in data associated with the user.
For more information about Regions, see Regions and endpoints in the Amazon Web Services General Reference.
", "ErrorDetails$Message": "Detailed information about the reason that the operation failed.
", "ErrorDetails$Code": "The error code associated with the operation failure.
", - "RoleLastUsed$Region": "The name of the AWS Region in which the role was last used.
", - "ServiceLastAccessed$LastAuthenticatedRegion": "The Region from which the authenticated entity (user or role) last attempted to access the service. AWS does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
", + "RoleLastUsed$Region": "The name of the Region in which the role was last used.
", + "ServiceLastAccessed$LastAuthenticatedRegion": "The Region from which the authenticated entity (user or role) last attempted to access the service. Amazon Web Services does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
", "TrackedActionLastAccessed$ActionName": "The name of the tracked action to which access was attempted. Tracked actions are actions that report activity to IAM.
", - "TrackedActionLastAccessed$LastAccessedRegion": "The Region from which the authenticated entity (user or role) last attempted to access the tracked action. AWS does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
" + "TrackedActionLastAccessed$LastAccessedRegion": "The Region from which the authenticated entity (user or role) last attempted to access the tracked action. Amazon Web Services does not report unauthenticated requests.
This field is null if no IAM entities attempted to access the service within the reporting period.
" } }, "summaryKeyType": { @@ -3426,7 +3426,7 @@ "tagValueType": { "base": null, "refs": { - "Tag$Value": "The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources, Accounting, and Support. Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.
AWS always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
The value associated with this tag. For example, tags with a key name of Department could have values such as Human Resources, Accounting, and Support. Tags with a key name of Cost Center might have values that consist of the number associated with the different cost centers in your company. Typically, many resources have tags with the same key name but with different values.
Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.
The name of the user whose login profile you want to retrieve.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "GetSSHPublicKeyRequest$UserName": "The name of the IAM user associated with the SSH public key.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "ListAttachedUserPoliciesRequest$UserName": "The name (friendly name, not ARN) of the user to list attached policies for.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", - "ListSSHPublicKeysRequest$UserName": "The name of the IAM user to list SSH public keys for. If none is specified, the UserName field is determined implicitly based on the AWS access key used to sign the request.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", + "ListSSHPublicKeysRequest$UserName": "The name of the IAM user to list SSH public keys for. If none is specified, the UserName field is determined implicitly based on the Amazon Web Services access key used to sign the request.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", "ListServiceSpecificCredentialsRequest$UserName": "The name of the user whose service-specific credentials you want information about. If this value is not specified, then the operation assumes the user whose credentials are used to call the operation.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
", - "LoginProfile$UserName": "The name of the user, which can be used for signing in to the AWS Management Console.
", + "LoginProfile$UserName": "The name of the user, which can be used for signing in to the Management Console.
", "MFADevice$UserName": "The user with whom the MFA device is associated.
", "PolicyUser$UserName": "The name (friendly name, not ARN) identifying the user.
", "PutUserPermissionsBoundaryRequest$UserName": "The name (friendly name, not ARN) of the IAM user for which you want to set the permissions boundary.
", diff --git a/models/apis/iotsitewise/2019-12-02/api-2.json b/models/apis/iotsitewise/2019-12-02/api-2.json index a95db29e83f..3c37c6bfaf3 100644 --- a/models/apis/iotsitewise/2019-12-02/api-2.json +++ b/models/apis/iotsitewise/2019-12-02/api-2.json @@ -511,6 +511,23 @@ ], "endpoint":{"hostPrefix":"monitor."} }, + "DescribeStorageConfiguration":{ + "name":"DescribeStorageConfiguration", + "http":{ + "method":"GET", + "requestUri":"/configuration/account/storage" + }, + "input":{"shape":"DescribeStorageConfigurationRequest"}, + "output":{"shape":"DescribeStorageConfigurationResponse"}, + "errors":[ + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InternalFailureException"}, + {"shape":"ThrottlingException"}, + {"shape":"LimitExceededException"}, + {"shape":"ConflictingOperationException"} + ] + }, "DisassociateAssets":{ "name":"DisassociateAssets", "http":{ @@ -804,6 +821,24 @@ ], "endpoint":{"hostPrefix":"model."} }, + "PutStorageConfiguration":{ + "name":"PutStorageConfiguration", + "http":{ + "method":"POST", + "requestUri":"/configuration/account/storage" + }, + "input":{"shape":"PutStorageConfigurationRequest"}, + "output":{"shape":"PutStorageConfigurationResponse"}, + "errors":[ + {"shape":"InvalidRequestException"}, + {"shape":"ResourceAlreadyExistsException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InternalFailureException"}, + {"shape":"ThrottlingException"}, + {"shape":"LimitExceededException"}, + {"shape":"ConflictingOperationException"} + ] + }, "TagResource":{ "name":"TagResource", "http":{ @@ -1868,6 +1903,17 @@ "projectArn":{"shape":"ARN"} } }, + "CustomerManagedS3Storage":{ + "type":"structure", + "required":[ + "s3ResourceArn", + "roleArn" + ], + "members":{ + "s3ResourceArn":{"shape":"ARN"}, + "roleArn":{"shape":"ARN"} + } + }, "DashboardDefinition":{ "type":"string", "max":204800, @@ -2387,6 +2433,24 @@ "projectLastUpdateDate":{"shape":"Timestamp"} } }, + "DescribeStorageConfigurationRequest":{ + "type":"structure", + "members":{ + } + }, + "DescribeStorageConfigurationResponse":{ + "type":"structure", + "required":[ + "storageType", + "configurationStatus" + ], + "members":{ + "storageType":{"shape":"StorageType"}, + "multiLayerStorage":{"shape":"MultiLayerStorage"}, + "configurationStatus":{"shape":"ConfigurationStatus"}, + "lastUpdateDate":{"shape":"Timestamp"} + } + }, "Description":{ "type":"string", "max":2048, @@ -3324,6 +3388,13 @@ } }, "MonitorErrorMessage":{"type":"string"}, + "MultiLayerStorage":{ + "type":"structure", + "required":["customerManagedS3Storage"], + "members":{ + "customerManagedS3Storage":{"shape":"CustomerManagedS3Storage"} + } + }, "Name":{ "type":"string", "max":256, @@ -3550,6 +3621,26 @@ "members":{ } }, + "PutStorageConfigurationRequest":{ + "type":"structure", + "required":["storageType"], + "members":{ + "storageType":{"shape":"StorageType"}, + "multiLayerStorage":{"shape":"MultiLayerStorage"} + } + }, + "PutStorageConfigurationResponse":{ + "type":"structure", + "required":[ + "storageType", + "configurationStatus" + ], + "members":{ + "storageType":{"shape":"StorageType"}, + "multiLayerStorage":{"shape":"MultiLayerStorage"}, + "configurationStatus":{"shape":"ConfigurationStatus"} + } + }, "Qualities":{ "type":"list", "member":{"shape":"Quality"}, @@ -3626,6 +3717,13 @@ "exception":true, "fault":true }, + "StorageType":{ + "type":"string", + "enum":[ + "SITEWISE_DEFAULT_STORAGE", + "MULTI_LAYER_STORAGE" + ] + }, "TagKey":{ "type":"string", "max":128, diff --git a/models/apis/iotsitewise/2019-12-02/docs-2.json b/models/apis/iotsitewise/2019-12-02/docs-2.json index 4c28d6806e4..9d4387ea13e 100644 --- a/models/apis/iotsitewise/2019-12-02/docs-2.json +++ b/models/apis/iotsitewise/2019-12-02/docs-2.json @@ -1,72 +1,74 @@ { "version": "2.0", - "service": "Welcome to the AWS IoT SiteWise API Reference. AWS IoT SiteWise is an AWS service that connects Industrial Internet of Things (IIoT) devices to the power of the AWS Cloud. For more information, see the AWS IoT SiteWise User Guide. For information about AWS IoT SiteWise quotas, see Quotas in the AWS IoT SiteWise User Guide.
", + "service": "Welcome to the IoT SiteWise API Reference. IoT SiteWise is an Amazon Web Services service that connects Industrial Internet of Things (IIoT) devices to the power of the Amazon Web Services Cloud. For more information, see the IoT SiteWise User Guide. For information about IoT SiteWise quotas, see Quotas in the IoT SiteWise User Guide.
", "operations": { - "AssociateAssets": "Associates a child asset with the given parent asset through a hierarchy defined in the parent asset's model. For more information, see Associating assets in the AWS IoT SiteWise User Guide.
", - "BatchAssociateProjectAssets": "Associates a group (batch) of assets with an AWS IoT SiteWise Monitor project.
", - "BatchDisassociateProjectAssets": "Disassociates a group (batch) of assets from an AWS IoT SiteWise Monitor project.
", - "BatchPutAssetPropertyValue": "Sends a list of asset property values to AWS IoT SiteWise. Each value is a timestamp-quality-value (TQV) data point. For more information, see Ingesting data using the API in the AWS IoT SiteWise User Guide.
To identify an asset property, you must specify one of the following:
The assetId and propertyId of an asset property.
A propertyAlias, which is a data stream alias (for example, /company/windfarm/3/turbine/7/temperature). To define an asset property's alias, see UpdateAssetProperty.
With respect to Unix epoch time, AWS IoT SiteWise accepts only TQVs that have a timestamp of no more than 7 days in the past and no more than 10 minutes in the future. AWS IoT SiteWise rejects timestamps outside of the inclusive range of [-7 days, +10 minutes] and returns a TimestampOutOfRangeException error.
For each asset property, AWS IoT SiteWise overwrites TQVs with duplicate timestamps unless the newer TQV has a different quality. For example, if you store a TQV {T1, GOOD, V1}, then storing {T1, GOOD, V2} replaces the existing TQV.
AWS IoT SiteWise authorizes access to each BatchPutAssetPropertyValue entry individually. For more information, see BatchPutAssetPropertyValue authorization in the AWS IoT SiteWise User Guide.
Creates an access policy that grants the specified identity (AWS SSO user, AWS SSO group, or IAM user) access to the specified AWS IoT SiteWise Monitor portal or project resource.
", - "CreateAsset": "Creates an asset from an existing asset model. For more information, see Creating assets in the AWS IoT SiteWise User Guide.
", - "CreateAssetModel": "Creates an asset model from specified property and hierarchy definitions. You create assets from asset models. With asset models, you can easily create assets of the same type that have standardized definitions. Each asset created from a model inherits the asset model's property and hierarchy definitions. For more information, see Defining asset models in the AWS IoT SiteWise User Guide.
", - "CreateDashboard": "Creates a dashboard in an AWS IoT SiteWise Monitor project.
", - "CreateGateway": "Creates a gateway, which is a virtual or edge device that delivers industrial data streams from local servers to AWS IoT SiteWise. For more information, see Ingesting data using a gateway in the AWS IoT SiteWise User Guide.
", - "CreatePortal": "Creates a portal, which can contain projects and dashboards. AWS IoT SiteWise Monitor uses AWS SSO or IAM to authenticate portal users and manage user permissions.
Before you can sign in to a new portal, you must add at least one identity to that portal. For more information, see Adding or removing portal administrators in the AWS IoT SiteWise User Guide.
Associates a child asset with the given parent asset through a hierarchy defined in the parent asset's model. For more information, see Associating assets in the IoT SiteWise User Guide.
", + "BatchAssociateProjectAssets": "Associates a group (batch) of assets with an IoT SiteWise Monitor project.
", + "BatchDisassociateProjectAssets": "Disassociates a group (batch) of assets from an IoT SiteWise Monitor project.
", + "BatchPutAssetPropertyValue": "Sends a list of asset property values to IoT SiteWise. Each value is a timestamp-quality-value (TQV) data point. For more information, see Ingesting data using the API in the IoT SiteWise User Guide.
To identify an asset property, you must specify one of the following:
The assetId and propertyId of an asset property.
A propertyAlias, which is a data stream alias (for example, /company/windfarm/3/turbine/7/temperature). To define an asset property's alias, see UpdateAssetProperty.
With respect to Unix epoch time, IoT SiteWise accepts only TQVs that have a timestamp of no more than 7 days in the past and no more than 10 minutes in the future. IoT SiteWise rejects timestamps outside of the inclusive range of [-7 days, +10 minutes] and returns a TimestampOutOfRangeException error.
For each asset property, IoT SiteWise overwrites TQVs with duplicate timestamps unless the newer TQV has a different quality. For example, if you store a TQV {T1, GOOD, V1}, then storing {T1, GOOD, V2} replaces the existing TQV.
IoT SiteWise authorizes access to each BatchPutAssetPropertyValue entry individually. For more information, see BatchPutAssetPropertyValue authorization in the IoT SiteWise User Guide.
Creates an access policy that grants the specified identity (Amazon Web Services SSO user, Amazon Web Services SSO group, or IAM user) access to the specified IoT SiteWise Monitor portal or project resource.
", + "CreateAsset": "Creates an asset from an existing asset model. For more information, see Creating assets in the IoT SiteWise User Guide.
", + "CreateAssetModel": "Creates an asset model from specified property and hierarchy definitions. You create assets from asset models. With asset models, you can easily create assets of the same type that have standardized definitions. Each asset created from a model inherits the asset model's property and hierarchy definitions. For more information, see Defining asset models in the IoT SiteWise User Guide.
", + "CreateDashboard": "Creates a dashboard in an IoT SiteWise Monitor project.
", + "CreateGateway": "Creates a gateway, which is a virtual or edge device that delivers industrial data streams from local servers to IoT SiteWise. For more information, see Ingesting data using a gateway in the IoT SiteWise User Guide.
", + "CreatePortal": "Creates a portal, which can contain projects and dashboards. IoT SiteWise Monitor uses Amazon Web Services SSO or IAM to authenticate portal users and manage user permissions.
Before you can sign in to a new portal, you must add at least one identity to that portal. For more information, see Adding or removing portal administrators in the IoT SiteWise User Guide.
Creates a project in the specified portal.
", - "DeleteAccessPolicy": "Deletes an access policy that grants the specified identity access to the specified AWS IoT SiteWise Monitor resource. You can use this operation to revoke access to an AWS IoT SiteWise Monitor resource.
", - "DeleteAsset": "Deletes an asset. This action can't be undone. For more information, see Deleting assets and models in the AWS IoT SiteWise User Guide.
You can't delete an asset that's associated to another asset. For more information, see DisassociateAssets.
Deletes an asset model. This action can't be undone. You must delete all assets created from an asset model before you can delete the model. Also, you can't delete an asset model if a parent asset model exists that contains a property formula expression that depends on the asset model that you want to delete. For more information, see Deleting assets and models in the AWS IoT SiteWise User Guide.
", - "DeleteDashboard": "Deletes a dashboard from AWS IoT SiteWise Monitor.
", - "DeleteGateway": "Deletes a gateway from AWS IoT SiteWise. When you delete a gateway, some of the gateway's files remain in your gateway's file system.
", - "DeletePortal": "Deletes a portal from AWS IoT SiteWise Monitor.
", - "DeleteProject": "Deletes a project from AWS IoT SiteWise Monitor.
", - "DescribeAccessPolicy": "Describes an access policy, which specifies an identity's access to an AWS IoT SiteWise Monitor portal or project.
", + "DeleteAccessPolicy": "Deletes an access policy that grants the specified identity access to the specified IoT SiteWise Monitor resource. You can use this operation to revoke access to an IoT SiteWise Monitor resource.
", + "DeleteAsset": "Deletes an asset. This action can't be undone. For more information, see Deleting assets and models in the IoT SiteWise User Guide.
You can't delete an asset that's associated to another asset. For more information, see DisassociateAssets.
Deletes an asset model. This action can't be undone. You must delete all assets created from an asset model before you can delete the model. Also, you can't delete an asset model if a parent asset model exists that contains a property formula expression that depends on the asset model that you want to delete. For more information, see Deleting assets and models in the IoT SiteWise User Guide.
", + "DeleteDashboard": "Deletes a dashboard from IoT SiteWise Monitor.
", + "DeleteGateway": "Deletes a gateway from IoT SiteWise. When you delete a gateway, some of the gateway's files remain in your gateway's file system.
", + "DeletePortal": "Deletes a portal from IoT SiteWise Monitor.
", + "DeleteProject": "Deletes a project from IoT SiteWise Monitor.
", + "DescribeAccessPolicy": "Describes an access policy, which specifies an identity's access to an IoT SiteWise Monitor portal or project.
", "DescribeAsset": "Retrieves information about an asset.
", "DescribeAssetModel": "Retrieves information about an asset model.
", "DescribeAssetProperty": "Retrieves information about an asset property.
When you call this operation for an attribute property, this response includes the default attribute value that you define in the asset model. If you update the default value in the model, this operation's response includes the new default value.
This operation doesn't return the value of the asset property. To get the value of an asset property, use GetAssetPropertyValue.
", "DescribeDashboard": "Retrieves information about a dashboard.
", - "DescribeDefaultEncryptionConfiguration": "Retrieves information about the default encryption configuration for the AWS account in the default or specified region. For more information, see Key management in the AWS IoT SiteWise User Guide.
", + "DescribeDefaultEncryptionConfiguration": "Retrieves information about the default encryption configuration for the Amazon Web Services account in the default or specified Region. For more information, see Key management in the IoT SiteWise User Guide.
", "DescribeGateway": "Retrieves information about a gateway.
", - "DescribeGatewayCapabilityConfiguration": "Retrieves information about a gateway capability configuration. Each gateway capability defines data sources for a gateway. A capability configuration can contain multiple data source configurations. If you define OPC-UA sources for a gateway in the AWS IoT SiteWise console, all of your OPC-UA sources are stored in one capability configuration. To list all capability configurations for a gateway, use DescribeGateway.
", - "DescribeLoggingOptions": "Retrieves the current AWS IoT SiteWise logging options.
", + "DescribeGatewayCapabilityConfiguration": "Retrieves information about a gateway capability configuration. Each gateway capability defines data sources for a gateway. A capability configuration can contain multiple data source configurations. If you define OPC-UA sources for a gateway in the IoT SiteWise console, all of your OPC-UA sources are stored in one capability configuration. To list all capability configurations for a gateway, use DescribeGateway.
", + "DescribeLoggingOptions": "Retrieves the current IoT SiteWise logging options.
", "DescribePortal": "Retrieves information about a portal.
", "DescribeProject": "Retrieves information about a project.
", + "DescribeStorageConfiguration": "Retrieves information about the storage configuration for IoT SiteWise.
", "DisassociateAssets": "Disassociates a child asset from the given parent asset through a hierarchy defined in the parent asset's model.
", - "GetAssetPropertyAggregates": "Gets aggregated values for an asset property. For more information, see Querying aggregates in the AWS IoT SiteWise User Guide.
To identify an asset property, you must specify one of the following:
The assetId and propertyId of an asset property.
A propertyAlias, which is a data stream alias (for example, /company/windfarm/3/turbine/7/temperature). To define an asset property's alias, see UpdateAssetProperty.
Gets an asset property's current value. For more information, see Querying current values in the AWS IoT SiteWise User Guide.
To identify an asset property, you must specify one of the following:
The assetId and propertyId of an asset property.
A propertyAlias, which is a data stream alias (for example, /company/windfarm/3/turbine/7/temperature). To define an asset property's alias, see UpdateAssetProperty.
Gets the history of an asset property's values. For more information, see Querying historical values in the AWS IoT SiteWise User Guide.
To identify an asset property, you must specify one of the following:
The assetId and propertyId of an asset property.
A propertyAlias, which is a data stream alias (for example, /company/windfarm/3/turbine/7/temperature). To define an asset property's alias, see UpdateAssetProperty.
Get interpolated values for an asset property for a specified time interval, during a period of time. For example, you can use the this operation to return the interpolated temperature values for a wind turbine every 24 hours over a duration of 7 days.
This API isn't available in China (Beijing).
To identify an asset property, you must specify one of the following:
The assetId and propertyId of an asset property.
A propertyAlias, which is a data stream alias (for example, /company/windfarm/3/turbine/7/temperature). To define an asset property's alias, see UpdateAssetProperty.
Retrieves a paginated list of access policies for an identity (an AWS SSO user, an AWS SSO group, or an IAM user) or an AWS IoT SiteWise Monitor resource (a portal or project).
", + "GetAssetPropertyAggregates": "Gets aggregated values for an asset property. For more information, see Querying aggregates in the IoT SiteWise User Guide.
To identify an asset property, you must specify one of the following:
The assetId and propertyId of an asset property.
A propertyAlias, which is a data stream alias (for example, /company/windfarm/3/turbine/7/temperature). To define an asset property's alias, see UpdateAssetProperty.
Gets an asset property's current value. For more information, see Querying current values in the IoT SiteWise User Guide.
To identify an asset property, you must specify one of the following:
The assetId and propertyId of an asset property.
A propertyAlias, which is a data stream alias (for example, /company/windfarm/3/turbine/7/temperature). To define an asset property's alias, see UpdateAssetProperty.
Gets the history of an asset property's values. For more information, see Querying historical values in the IoT SiteWise User Guide.
To identify an asset property, you must specify one of the following:
The assetId and propertyId of an asset property.
A propertyAlias, which is a data stream alias (for example, /company/windfarm/3/turbine/7/temperature). To define an asset property's alias, see UpdateAssetProperty.
Get interpolated values for an asset property for a specified time interval, during a period of time. For example, you can use the this operation to return the interpolated temperature values for a wind turbine every 24 hours over a duration of 7 days.
To identify an asset property, you must specify one of the following:
The assetId and propertyId of an asset property.
A propertyAlias, which is a data stream alias (for example, /company/windfarm/3/turbine/7/temperature). To define an asset property's alias, see UpdateAssetProperty.
Retrieves a paginated list of access policies for an identity (an Amazon Web Services SSO user, an Amazon Web Services SSO group, or an IAM user) or an IoT SiteWise Monitor resource (a portal or project).
", "ListAssetModels": "Retrieves a paginated list of summaries of all asset models.
", "ListAssetRelationships": "Retrieves a paginated list of asset relationships for an asset. You can use this operation to identify an asset's root asset and all associated assets between that asset and its root.
", "ListAssets": "Retrieves a paginated list of asset summaries.
You can use this operation to do the following:
List assets based on a specific asset model.
List top-level assets.
You can't use this operation to list all assets. To retrieve summaries for all of your assets, use ListAssetModels to get all of your asset model IDs. Then, use ListAssets to get all assets for each asset model.
", "ListAssociatedAssets": "Retrieves a paginated list of associated assets.
You can use this operation to do the following:
List child assets associated to a parent asset by a hierarchy that you specify.
List an asset's parent asset.
Retrieves a paginated list of dashboards for an AWS IoT SiteWise Monitor project.
", + "ListDashboards": "Retrieves a paginated list of dashboards for an IoT SiteWise Monitor project.
", "ListGateways": "Retrieves a paginated list of gateways.
", - "ListPortals": "Retrieves a paginated list of AWS IoT SiteWise Monitor portals.
", - "ListProjectAssets": "Retrieves a paginated list of assets associated with an AWS IoT SiteWise Monitor project.
", - "ListProjects": "Retrieves a paginated list of projects for an AWS IoT SiteWise Monitor portal.
", - "ListTagsForResource": "Retrieves the list of tags for an AWS IoT SiteWise resource.
", - "PutDefaultEncryptionConfiguration": "Sets the default encryption configuration for the AWS account. For more information, see Key management in the AWS IoT SiteWise User Guide.
", - "PutLoggingOptions": "Sets logging options for AWS IoT SiteWise.
", - "TagResource": "Adds tags to an AWS IoT SiteWise resource. If a tag already exists for the resource, this operation updates the tag's value.
", - "UntagResource": "Removes a tag from an AWS IoT SiteWise resource.
", - "UpdateAccessPolicy": "Updates an existing access policy that specifies an identity's access to an AWS IoT SiteWise Monitor portal or project resource.
", - "UpdateAsset": "Updates an asset's name. For more information, see Updating assets and models in the AWS IoT SiteWise User Guide.
", - "UpdateAssetModel": "Updates an asset model and all of the assets that were created from the model. Each asset created from the model inherits the updated asset model's property and hierarchy definitions. For more information, see Updating assets and models in the AWS IoT SiteWise User Guide.
This operation overwrites the existing model with the provided model. To avoid deleting your asset model's properties or hierarchies, you must include their IDs and definitions in the updated asset model payload. For more information, see DescribeAssetModel.
If you remove a property from an asset model, AWS IoT SiteWise deletes all previous data for that property. If you remove a hierarchy definition from an asset model, AWS IoT SiteWise disassociates every asset associated with that hierarchy. You can't change the type or data type of an existing property.
Retrieves a paginated list of IoT SiteWise Monitor portals.
", + "ListProjectAssets": "Retrieves a paginated list of assets associated with an IoT SiteWise Monitor project.
", + "ListProjects": "Retrieves a paginated list of projects for an IoT SiteWise Monitor portal.
", + "ListTagsForResource": "Retrieves the list of tags for an IoT SiteWise resource.
", + "PutDefaultEncryptionConfiguration": "Sets the default encryption configuration for the Amazon Web Services account. For more information, see Key management in the IoT SiteWise User Guide.
", + "PutLoggingOptions": "Sets logging options for IoT SiteWise.
", + "PutStorageConfiguration": "Configures storage settings for IoT SiteWise.
", + "TagResource": "Adds tags to an IoT SiteWise resource. If a tag already exists for the resource, this operation updates the tag's value.
", + "UntagResource": "Removes a tag from an IoT SiteWise resource.
", + "UpdateAccessPolicy": "Updates an existing access policy that specifies an identity's access to an IoT SiteWise Monitor portal or project resource.
", + "UpdateAsset": "Updates an asset's name. For more information, see Updating assets and models in the IoT SiteWise User Guide.
", + "UpdateAssetModel": "Updates an asset model and all of the assets that were created from the model. Each asset created from the model inherits the updated asset model's property and hierarchy definitions. For more information, see Updating assets and models in the IoT SiteWise User Guide.
This operation overwrites the existing model with the provided model. To avoid deleting your asset model's properties or hierarchies, you must include their IDs and definitions in the updated asset model payload. For more information, see DescribeAssetModel.
If you remove a property from an asset model, IoT SiteWise deletes all previous data for that property. If you remove a hierarchy definition from an asset model, IoT SiteWise disassociates every asset associated with that hierarchy. You can't change the type or data type of an existing property.
Updates an asset property's alias and notification state.
This operation overwrites the property's existing alias and notification state. To keep your existing property's alias or notification state, you must include the existing values in the UpdateAssetProperty request. For more information, see DescribeAssetProperty.
Updates an AWS IoT SiteWise Monitor dashboard.
", + "UpdateDashboard": "Updates an IoT SiteWise Monitor dashboard.
", "UpdateGateway": "Updates a gateway's name.
", - "UpdateGatewayCapabilityConfiguration": "Updates a gateway capability configuration or defines a new capability configuration. Each gateway capability defines data sources for a gateway. A capability configuration can contain multiple data source configurations. If you define OPC-UA sources for a gateway in the AWS IoT SiteWise console, all of your OPC-UA sources are stored in one capability configuration. To list all capability configurations for a gateway, use DescribeGateway.
", - "UpdatePortal": "Updates an AWS IoT SiteWise Monitor portal.
", - "UpdateProject": "Updates an AWS IoT SiteWise Monitor project.
" + "UpdateGatewayCapabilityConfiguration": "Updates a gateway capability configuration or defines a new capability configuration. Each gateway capability defines data sources for a gateway. A capability configuration can contain multiple data source configurations. If you define OPC-UA sources for a gateway in the IoT SiteWise console, all of your OPC-UA sources are stored in one capability configuration. To list all capability configurations for a gateway, use DescribeGateway.
", + "UpdatePortal": "Updates an IoT SiteWise Monitor portal.
", + "UpdateProject": "Updates an IoT SiteWise Monitor project.
" }, "shapes": { "ARN": { "base": null, "refs": { - "Alarms$alarmRoleArn": "The ARN of the IAM role that allows the alarm to perform actions and access AWS resources, including AWS IoT Events.
", - "Alarms$notificationLambdaArn": "The ARN of the AWS Lambda function that manages alarm notifications. For more information, see Managing alarm notifications in the AWS IoT Events Developer Guide.
", + "Alarms$alarmRoleArn": "The ARN of the IAM role that allows the alarm to perform actions and access Amazon Web Services resources and services, such as IoT Events.
", + "Alarms$notificationLambdaArn": "The ARN of the Lambda function that manages alarm notifications. For more information, see Managing alarm notifications in the IoT Events Developer Guide.
", "AssetModelSummary$arn": "The ARN of the asset model, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:asset-model/${AssetModelId}
The ARN of the asset, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:asset/${AssetId}
The ARN of the asset, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:asset/${AssetId}
The ARN of the asset, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:asset/${AssetId}
The ARN of the dashboard, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:dashboard/${DashboardId}
The ARN of the gateway, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:gateway/${GatewayId}
The ARN of a service role that allows the portal's users to access your AWS IoT SiteWise resources on your behalf. For more information, see Using service roles for AWS IoT SiteWise Monitor in the AWS IoT SiteWise User Guide.
", + "CreatePortalRequest$roleArn": "The ARN of a service role that allows the portal's users to access your IoT SiteWise resources on your behalf. For more information, see Using service roles for IoT SiteWise Monitor in the IoT SiteWise User Guide.
", "CreatePortalResponse$portalArn": "The ARN of the portal, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:portal/${PortalId}
The ARN of the project, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:project/${ProjectId}
The ARN of the Amazon S3 object. For more information about how to find the ARN for an Amazon S3 object, see Amazon S3 resources in the Amazon Simple Storage Service User Guide.
", + "CustomerManagedS3Storage$roleArn": "The ARN of the Identity and Access Management role that allows IoT SiteWise to send data to Amazon S3.
", "DescribeAccessPolicyResponse$accessPolicyArn": "The ARN of the access policy, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:access-policy/${AccessPolicyId}
The ARN of the asset model, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:asset-model/${AssetModelId}
The ARN of the asset, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:asset/${AssetId}
The ARN of the dashboard, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:dashboard/${DashboardId}
The key ARN of the customer managed customer master key (CMK) used for AWS KMS encryption if you use KMS_BASED_ENCRYPTION.
The key ARN of the customer managed customer master key (CMK) used for KMS encryption if you use KMS_BASED_ENCRYPTION.
The ARN of the gateway, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:gateway/${GatewayId}
The ARN of the portal, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:portal/${PortalId}
The ARN of the service role that allows the portal's users to access your AWS IoT SiteWise resources on your behalf. For more information, see Using service roles for AWS IoT SiteWise Monitor in the AWS IoT SiteWise User Guide.
", + "DescribePortalResponse$roleArn": "The ARN of the service role that allows the portal's users to access your IoT SiteWise resources on your behalf. For more information, see Using service roles for IoT SiteWise Monitor in the IoT SiteWise User Guide.
", "DescribeProjectResponse$projectArn": "The ARN of the project, which has the following format.
arn:${Partition}:iotsitewise:${Region}:${Account}:project/${ProjectId}
The ARN of the Greengrass group. For more information about how to find a group's ARN, see ListGroups and GetGroup in the AWS IoT Greengrass API Reference.
", + "Greengrass$groupArn": "The ARN of the Greengrass group. For more information about how to find a group's ARN, see ListGroups and GetGroup in the IoT Greengrass API Reference.
", "IAMRoleIdentity$arn": "The ARN of the IAM role. For more information, see IAM ARNs in the IAM User Guide.
", "IAMUserIdentity$arn": "The ARN of the IAM user. For more information, see IAM ARNs in the IAM User Guide.
If you delete the IAM user, access policies that contain this identity include an empty arn. You can delete the access policy for the IAM user that no longer exists.
The ARN of the IAM user. For more information, see IAM ARNs in the IAM User Guide. This parameter is required if you specify IAM for identityType.
The ARN of the service role that allows the portal's users to access your AWS IoT SiteWise resources on your behalf. For more information, see Using service roles for AWS IoT SiteWise Monitor in the AWS IoT SiteWise User Guide.
", - "PutDefaultEncryptionConfigurationResponse$kmsKeyArn": "The Key ARN of the AWS KMS CMK used for AWS KMS encryption if you use KMS_BASED_ENCRYPTION.
The ARN of a service role that allows the portal's users to access your AWS IoT SiteWise resources on your behalf. For more information, see Using service roles for AWS IoT SiteWise Monitor in the AWS IoT SiteWise User Guide.
" + "PortalSummary$roleArn": "The ARN of the service role that allows the portal's users to access your IoT SiteWise resources on your behalf. For more information, see Using service roles for IoT SiteWise Monitor in the IoT SiteWise User Guide.
", + "PutDefaultEncryptionConfigurationResponse$kmsKeyArn": "The Key ARN of the KMS CMK used for KMS encryption if you use KMS_BASED_ENCRYPTION.
The ARN of a service role that allows the portal's users to access your IoT SiteWise resources on your behalf. For more information, see Using service roles for IoT SiteWise Monitor in the IoT SiteWise User Guide.
" } }, "AccessPolicySummaries": { @@ -103,7 +107,7 @@ } }, "AccessPolicySummary": { - "base": "Contains an access policy that defines an identity's access to an AWS IoT SiteWise Monitor resource.
", + "base": "Contains an access policy that defines an identity's access to an IoT SiteWise Monitor resource.
", "refs": { "AccessPolicySummaries$member": null } @@ -150,11 +154,11 @@ } }, "Alarms": { - "base": "Contains the configuration information of an alarm created in an AWS IoT SiteWise Monitor portal. You can use the alarm to monitor an asset property and get notified when the asset property value is outside a specified range. For more information, see .
", + "base": "Contains the configuration information of an alarm created in an IoT SiteWise Monitor portal. You can use the alarm to monitor an asset property and get notified when the asset property value is outside a specified range. For more information, see Monitoring with alarms in the IoT SiteWise Application Guide.
", "refs": { - "CreatePortalRequest$alarms": "Contains the configuration information of an alarm created in an AWS IoT SiteWise Monitor portal. You can use the alarm to monitor an asset property and get notified when the asset property value is outside a specified range. For more information, see .
", - "DescribePortalResponse$alarms": "Contains the configuration information of an alarm created in a AWS IoT SiteWise Monitor portal.
", - "UpdatePortalRequest$alarms": "Contains the configuration information of an alarm created in an AWS IoT SiteWise Monitor portal. You can use the alarm to monitor an asset property and get notified when the asset property value is outside a specified range. For more information, see .
" + "CreatePortalRequest$alarms": "Contains the configuration information of an alarm created in an IoT SiteWise Monitor portal. You can use the alarm to monitor an asset property and get notified when the asset property value is outside a specified range. For more information, see Monitoring with alarms in the IoT SiteWise Application Guide.
", + "DescribePortalResponse$alarms": "Contains the configuration information of an alarm created in an IoT SiteWise Monitor portal.
", + "UpdatePortalRequest$alarms": "Contains the configuration information of an alarm created in an IoT SiteWise Monitor portal. You can use the alarm to monitor an asset property and get notified when the asset property value is outside a specified range. For more information, see Monitoring with alarms in the IoT SiteWise Application Guide.
" } }, "AmazonResourceName": { @@ -252,7 +256,7 @@ "base": null, "refs": { "DescribeAssetModelResponse$assetModelHierarchies": "A list of asset model hierarchies that each contain a childAssetModelId and a hierarchyId (named id). A hierarchy specifies allowed parent/child asset relationships for an asset model.
The updated hierarchy definitions of the asset model. Each hierarchy specifies an asset model whose assets can be children of any other assets created from this asset model. For more information, see Asset hierarchies in the AWS IoT SiteWise User Guide.
You can specify up to 10 hierarchies per asset model. For more information, see Quotas in the AWS IoT SiteWise User Guide.
" + "UpdateAssetModelRequest$assetModelHierarchies": "The updated hierarchy definitions of the asset model. Each hierarchy specifies an asset model whose assets can be children of any other assets created from this asset model. For more information, see Asset hierarchies in the IoT SiteWise User Guide.
You can specify up to 10 hierarchies per asset model. For more information, see Quotas in the IoT SiteWise User Guide.
" } }, "AssetModelHierarchy": { @@ -270,7 +274,7 @@ "AssetModelHierarchyDefinitions": { "base": null, "refs": { - "CreateAssetModelRequest$assetModelHierarchies": "The hierarchy definitions of the asset model. Each hierarchy specifies an asset model whose assets can be children of any other assets created from this asset model. For more information, see Asset hierarchies in the AWS IoT SiteWise User Guide.
You can specify up to 10 hierarchies per asset model. For more information, see Quotas in the AWS IoT SiteWise User Guide.
" + "CreateAssetModelRequest$assetModelHierarchies": "The hierarchy definitions of the asset model. Each hierarchy specifies an asset model whose assets can be children of any other assets created from this asset model. For more information, see Asset hierarchies in the IoT SiteWise User Guide.
You can specify up to 10 hierarchies per asset model. For more information, see Quotas in the IoT SiteWise User Guide.
" } }, "AssetModelProperties": { @@ -278,7 +282,7 @@ "refs": { "AssetModelCompositeModel$properties": "The asset property definitions for this composite model.
", "DescribeAssetModelResponse$assetModelProperties": "The list of asset properties for the asset model.
This object doesn't include properties that you define in composite models. You can find composite model properties in the assetModelCompositeModels object.
The updated property definitions of the asset model. For more information, see Asset properties in the AWS IoT SiteWise User Guide.
You can specify up to 200 properties per asset model. For more information, see Quotas in the AWS IoT SiteWise User Guide.
" + "UpdateAssetModelRequest$assetModelProperties": "The updated property definitions of the asset model. For more information, see Asset properties in the IoT SiteWise User Guide.
You can specify up to 200 properties per asset model. For more information, see Quotas in the IoT SiteWise User Guide.
" } }, "AssetModelProperty": { @@ -297,7 +301,7 @@ "base": null, "refs": { "AssetModelCompositeModelDefinition$properties": "The asset property definitions for this composite model.
", - "CreateAssetModelRequest$assetModelProperties": "The property definitions of the asset model. For more information, see Asset properties in the AWS IoT SiteWise User Guide.
You can specify up to 200 properties per asset model. For more information, see Quotas in the AWS IoT SiteWise User Guide.
" + "CreateAssetModelRequest$assetModelProperties": "The property definitions of the asset model. For more information, see Asset properties in the IoT SiteWise User Guide.
You can specify up to 200 properties per asset model. For more information, see Quotas in the IoT SiteWise User Guide.
" } }, "AssetModelState": { @@ -307,7 +311,7 @@ } }, "AssetModelStatus": { - "base": "Contains current status information for an asset model. For more information, see Asset and model states in the AWS IoT SiteWise User Guide.
", + "base": "Contains current status information for an asset model. For more information, see Asset and model states in the IoT SiteWise User Guide.
", "refs": { "AssetModelSummary$status": "The current status of the asset model.
", "CreateAssetModelResponse$assetModelStatus": "The status of the asset model, which contains a state (CREATING after successfully calling this operation) and any error message.
The property alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the AWS IoT SiteWise User Guide.
The property alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the AWS IoT SiteWise User Guide.
The property alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the AWS IoT SiteWise User Guide.
The property alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the AWS IoT SiteWise User Guide.
The property alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the AWS IoT SiteWise User Guide.
The alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the IoT SiteWise User Guide.
The alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the IoT SiteWise User Guide.
The alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the IoT SiteWise User Guide.
The alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the IoT SiteWise User Guide.
The alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the IoT SiteWise User Guide.
Contains information about the current status of an asset. For more information, see Asset and model states in the AWS IoT SiteWise User Guide.
", + "base": "Contains information about the current status of an asset. For more information, see Asset and model states in the IoT SiteWise User Guide.
", "refs": { "AssetSummary$status": "The current status of the asset.
", "AssociatedAssetsSummary$status": "The current status of the asset.
", @@ -436,7 +440,7 @@ } }, "Attribute": { - "base": "Contains an asset attribute property. For more information, see Attributes in the AWS IoT SiteWise User Guide.
", + "base": "Contains an asset attribute property. For more information, see Attributes in the IoT SiteWise User Guide.
", "refs": { "PropertyType$attribute": "Specifies an asset attribute property. An attribute generally contains static information, such as the serial number of an IIoT wind turbine.
" } @@ -444,7 +448,7 @@ "AuthMode": { "base": null, "refs": { - "CreatePortalRequest$portalAuthMode": "The service to use to authenticate users to the portal. Choose from the following options:
SSO – The portal uses AWS Single Sign-On to authenticate users and manage user permissions. Before you can create a portal that uses AWS SSO, you must enable AWS SSO. For more information, see Enabling AWS SSO in the AWS IoT SiteWise User Guide. This option is only available in AWS Regions other than the China Regions.
IAM – The portal uses AWS Identity and Access Management (IAM) to authenticate users and manage user permissions. This option is only available in the China Regions.
You can't change this value after you create a portal.
Default: SSO
The service to use to authenticate users to the portal. Choose from the following options:
SSO – The portal uses Amazon Web Services Single Sign On to authenticate users and manage user permissions. Before you can create a portal that uses Amazon Web Services SSO, you must enable Amazon Web Services SSO. For more information, see Enabling Amazon Web Services SSO in the IoT SiteWise User Guide. This option is only available in Amazon Web Services Regions other than the China Regions.
IAM – The portal uses Identity and Access Management to authenticate users and manage user permissions. This option is only available in the China Regions.
You can't change this value after you create a portal.
Default: SSO
The service to use to authenticate users to the portal.
" } }, @@ -523,17 +527,17 @@ "CapabilityConfiguration": { "base": null, "refs": { - "DescribeGatewayCapabilityConfigurationResponse$capabilityConfiguration": "The JSON document that defines the gateway capability's configuration. For more information, see Configuring data sources (CLI) in the AWS IoT SiteWise User Guide.
", - "UpdateGatewayCapabilityConfigurationRequest$capabilityConfiguration": "The JSON document that defines the configuration for the gateway capability. For more information, see Configuring data sources (CLI) in the AWS IoT SiteWise User Guide.
" + "DescribeGatewayCapabilityConfigurationResponse$capabilityConfiguration": "The JSON document that defines the gateway capability's configuration. For more information, see Configuring data sources (CLI) in the IoT SiteWise User Guide.
", + "UpdateGatewayCapabilityConfigurationRequest$capabilityConfiguration": "The JSON document that defines the configuration for the gateway capability. For more information, see Configuring data sources (CLI) in the IoT SiteWise User Guide.
" } }, "CapabilityNamespace": { "base": null, "refs": { - "DescribeGatewayCapabilityConfigurationRequest$capabilityNamespace": "The namespace of the capability configuration. For example, if you configure OPC-UA sources from the AWS IoT SiteWise console, your OPC-UA capability configuration has the namespace iotsitewise:opcuacollector:version, where version is a number such as 1.
The namespace of the capability configuration. For example, if you configure OPC-UA sources from the IoT SiteWise console, your OPC-UA capability configuration has the namespace iotsitewise:opcuacollector:version, where version is a number such as 1.
The namespace of the gateway capability.
", - "GatewayCapabilitySummary$capabilityNamespace": "The namespace of the capability configuration. For example, if you configure OPC-UA sources from the AWS IoT SiteWise console, your OPC-UA capability configuration has the namespace iotsitewise:opcuacollector:version, where version is a number such as 1.
The namespace of the gateway capability configuration to be updated. For example, if you configure OPC-UA sources from the AWS IoT SiteWise console, your OPC-UA capability configuration has the namespace iotsitewise:opcuacollector:version, where version is a number such as 1.
The namespace of the capability configuration. For example, if you configure OPC-UA sources from the IoT SiteWise console, your OPC-UA capability configuration has the namespace iotsitewise:opcuacollector:version, where version is a number such as 1.
The namespace of the gateway capability configuration to be updated. For example, if you configure OPC-UA sources from the IoT SiteWise console, your OPC-UA capability configuration has the namespace iotsitewise:opcuacollector:version, where version is a number such as 1.
The namespace of the gateway capability.
" } }, @@ -580,7 +584,7 @@ } }, "ConfigurationErrorDetails": { - "base": "Contains the details of an AWS IoT SiteWise configuration error.
", + "base": "Contains the details of an IoT SiteWise configuration error.
", "refs": { "ConfigurationStatus$error": "Contains associated error information, if any.
" } @@ -595,7 +599,9 @@ "base": "Contains current status information for the configuration.
", "refs": { "DescribeDefaultEncryptionConfigurationResponse$configurationStatus": "The status of the account configuration. This contains the ConfigurationState. If there's an error, it also contains the ErrorDetails.
The status of the account configuration. This contains the ConfigurationState. If there is an error, it also contains the ErrorDetails.
The status of the account configuration. This contains the ConfigurationState. If there is an error, it also contains the ErrorDetails.
Contains information about a customer managed Amazon S3 bucket.
", + "refs": { + "MultiLayerStorage$customerManagedS3Storage": "Contains information about a customer managed Amazon S3 bucket.
" + } + }, "DashboardDefinition": { "base": null, "refs": { - "CreateDashboardRequest$dashboardDefinition": "The dashboard definition specified in a JSON literal. For detailed information, see Creating dashboards (CLI) in the AWS IoT SiteWise User Guide.
", - "DescribeDashboardResponse$dashboardDefinition": "The dashboard's definition JSON literal. For detailed information, see Creating dashboards (CLI) in the AWS IoT SiteWise User Guide.
", - "UpdateDashboardRequest$dashboardDefinition": "The new dashboard definition, as specified in a JSON literal. For detailed information, see Creating dashboards (CLI) in the AWS IoT SiteWise User Guide.
" + "CreateDashboardRequest$dashboardDefinition": "The dashboard definition specified in a JSON literal. For detailed information, see Creating dashboards (CLI) in the IoT SiteWise User Guide.
", + "DescribeDashboardResponse$dashboardDefinition": "The dashboard's definition JSON literal. For detailed information, see Creating dashboards (CLI) in the IoT SiteWise User Guide.
", + "UpdateDashboardRequest$dashboardDefinition": "The new dashboard definition, as specified in a JSON literal. For detailed information, see Creating dashboards (CLI) in the IoT SiteWise User Guide.
" } }, "DashboardSummaries": { @@ -696,7 +708,7 @@ "DefaultValue": { "base": null, "refs": { - "Attribute$defaultValue": "The default value of the asset model property attribute. All assets that you create from the asset model contain this attribute value. You can update an attribute's value after you create an asset. For more information, see Updating attribute values in the AWS IoT SiteWise User Guide.
" + "Attribute$defaultValue": "The default value of the asset model property attribute. All assets that you create from the asset model contain this attribute value. You can update an attribute's value after you create an asset. For more information, see Updating attribute values in the IoT SiteWise User Guide.
" } }, "DeleteAccessPolicyRequest": { @@ -874,6 +886,16 @@ "refs": { } }, + "DescribeStorageConfigurationRequest": { + "base": null, + "refs": { + } + }, + "DescribeStorageConfigurationResponse": { + "base": null, + "refs": { + } + }, "Description": { "base": null, "refs": { @@ -906,11 +928,11 @@ "Email": { "base": null, "refs": { - "CreatePortalRequest$portalContactEmail": "The AWS administrator's contact email address.
", - "CreatePortalRequest$notificationSenderEmail": "The email address that sends alarm notifications.
If you use the AWS IoT Events managed AWS Lambda function to manage your emails, you must verify the sender email address in Amazon SES.
The AWS administrator's contact email address.
", + "CreatePortalRequest$portalContactEmail": "The Amazon Web Services administrator's contact email address.
", + "CreatePortalRequest$notificationSenderEmail": "The email address that sends alarm notifications.
If you use the IoT Events managed Lambda function to manage your emails, you must verify the sender email address in Amazon SES.
The Amazon Web Services administrator's contact email address.
", "DescribePortalResponse$notificationSenderEmail": "The email address that sends alarm notifications.
", - "UpdatePortalRequest$portalContactEmail": "The AWS administrator's contact email address.
", + "UpdatePortalRequest$portalContactEmail": "The Amazon Web Services administrator's contact email address.
", "UpdatePortalRequest$notificationSenderEmail": "The email address that sends alarm notifications.
" } }, @@ -937,7 +959,7 @@ } }, "ErrorDetails": { - "base": "Contains the details of an AWS IoT SiteWise error.
", + "base": "Contains the details of an IoT SiteWise error.
", "refs": { "AssetModelStatus$error": "Contains associated error information, if any.
", "AssetStatus$error": "Contains associated error information, if any.
" @@ -969,8 +991,8 @@ "Expression": { "base": null, "refs": { - "Metric$expression": "The mathematical expression that defines the metric aggregation function. You can specify up to 10 variables per expression. You can specify up to 10 functions per expression.
For more information, see Quotas in the AWS IoT SiteWise User Guide.
", - "Transform$expression": "The mathematical expression that defines the transformation function. You can specify up to 10 variables per expression. You can specify up to 10 functions per expression.
For more information, see Quotas in the AWS IoT SiteWise User Guide.
" + "Metric$expression": "The mathematical expression that defines the metric aggregation function. You can specify up to 10 variables per expression. You can specify up to 10 functions per expression.
For more information, see Quotas in the IoT SiteWise User Guide.
", + "Transform$expression": "The mathematical expression that defines the transformation function. You can specify up to 10 variables per expression. You can specify up to 10 functions per expression.
For more information, see Quotas in the IoT SiteWise User Guide.
" } }, "ExpressionVariable": { @@ -1059,25 +1081,25 @@ } }, "Greengrass": { - "base": "Contains details for a gateway that runs on AWS IoT Greengrass. To create a gateway that runs on AWS IoT Greengrass, you must add the IoT SiteWise connector to a Greengrass group and deploy it. Your Greengrass group must also have permissions to upload data to AWS IoT SiteWise. For more information, see Ingesting data using a gateway in the AWS IoT SiteWise User Guide.
", + "base": "Contains details for a gateway that runs on IoT Greengrass. To create a gateway that runs on IoT Greengrass, you must add the IoT SiteWise connector to a Greengrass group and deploy it. Your Greengrass group must also have permissions to upload data to IoT SiteWise. For more information, see Ingesting data using a gateway in the IoT SiteWise User Guide.
", "refs": { - "GatewayPlatform$greengrass": "A gateway that runs on AWS IoT Greengrass.
" + "GatewayPlatform$greengrass": "A gateway that runs on IoT Greengrass.
" } }, "GroupIdentity": { "base": "Contains information for a group identity in an access policy.
", "refs": { - "Identity$group": "An AWS SSO group identity.
" + "Identity$group": "An Amazon Web Services SSO group identity.
" } }, "IAMRoleIdentity": { - "base": "Contains information about an AWS Identity and Access Management (IAM) role. For more information, see IAM roles in the IAM User Guide.
", + "base": "Contains information about an Identity and Access Management role. For more information, see IAM roles in the IAM User Guide.
", "refs": { "Identity$iamRole": "An IAM role identity.
" } }, "IAMUserIdentity": { - "base": "Contains information about an AWS Identity and Access Management (IAM) user.
", + "base": "Contains information about an Identity and Access Management user.
", "refs": { "Identity$iamUser": "An IAM user identity.
" } @@ -1095,24 +1117,24 @@ "AssetModelHierarchy$childAssetModelId": "The ID of the asset model. All assets in this hierarchy must be instances of the childAssetModelId asset model.
The ID of an asset model for this hierarchy.
", "AssetModelProperty$id": "The ID of the asset model property.
", - "AssetModelSummary$id": "The ID of the asset model (used with AWS IoT SiteWise APIs).
", + "AssetModelSummary$id": "The ID of the asset model (used with IoT SiteWise APIs).
", "AssetProperty$id": "The ID of the asset property.
", "AssetSummary$id": "The ID of the asset.
", "AssetSummary$assetModelId": "The ID of the asset model used to create this asset.
", "AssociateAssetsRequest$assetId": "The ID of the parent asset.
", - "AssociateAssetsRequest$hierarchyId": "The ID of a hierarchy in the parent asset's model. Hierarchies allow different groupings of assets to be formed that all come from the same asset model. For more information, see Asset hierarchies in the AWS IoT SiteWise User Guide.
", + "AssociateAssetsRequest$hierarchyId": "The ID of a hierarchy in the parent asset's model. Hierarchies allow different groupings of assets to be formed that all come from the same asset model. For more information, see Asset hierarchies in the IoT SiteWise User Guide.
", "AssociateAssetsRequest$childAssetId": "The ID of the child asset to be associated.
", "AssociatedAssetsSummary$id": "The ID of the asset.
", "AssociatedAssetsSummary$assetModelId": "The ID of the asset model used to create the asset.
", "BatchAssociateProjectAssetsRequest$projectId": "The ID of the project to which to associate the assets.
", "BatchDisassociateProjectAssetsRequest$projectId": "The ID of the project from which to disassociate the assets.
", "CreateAccessPolicyResponse$accessPolicyId": "The ID of the access policy.
", - "CreateAssetModelResponse$assetModelId": "The ID of the asset model. You can use this ID when you call other AWS IoT SiteWise APIs.
", + "CreateAssetModelResponse$assetModelId": "The ID of the asset model. You can use this ID when you call other IoT SiteWise APIs.
", "CreateAssetRequest$assetModelId": "The ID of the asset model from which to create the asset.
", - "CreateAssetResponse$assetId": "The ID of the asset. This ID uniquely identifies the asset within AWS IoT SiteWise and can be used with other AWS IoT SiteWise APIs.
", + "CreateAssetResponse$assetId": "The ID of the asset. This ID uniquely identifies the asset within IoT SiteWise and can be used with other IoT SiteWise APIs.
", "CreateDashboardRequest$projectId": "The ID of the project in which to create the dashboard.
", "CreateDashboardResponse$dashboardId": "The ID of the dashboard.
", - "CreateGatewayResponse$gatewayId": "The ID of the gateway device. You can use this ID when you call other AWS IoT SiteWise APIs.
", + "CreateGatewayResponse$gatewayId": "The ID of the gateway device. You can use this ID when you call other IoT SiteWise APIs.
", "CreatePortalResponse$portalId": "The ID of the created portal.
", "CreateProjectRequest$portalId": "The ID of the portal in which to create the project.
", "CreateProjectResponse$projectId": "The ID of the project.
", @@ -1148,7 +1170,7 @@ "DescribeProjectResponse$projectId": "The ID of the project.
", "DescribeProjectResponse$portalId": "The ID of the portal that the project is in.
", "DisassociateAssetsRequest$assetId": "The ID of the parent asset from which to disassociate the child asset.
", - "DisassociateAssetsRequest$hierarchyId": "The ID of a hierarchy in the parent asset's model. Hierarchies allow different groupings of assets to be formed that all come from the same asset model. You can use the hierarchy ID to identify the correct asset to disassociate. For more information, see Asset hierarchies in the AWS IoT SiteWise User Guide.
", + "DisassociateAssetsRequest$hierarchyId": "The ID of a hierarchy in the parent asset's model. Hierarchies allow different groupings of assets to be formed that all come from the same asset model. You can use the hierarchy ID to identify the correct asset to disassociate. For more information, see Asset hierarchies in the IoT SiteWise User Guide.
", "DisassociateAssetsRequest$childAssetId": "The ID of the child asset to disassociate.
", "GatewaySummary$gatewayId": "The ID of the gateway device.
", "GetAssetPropertyAggregatesRequest$assetId": "The ID of the asset.
", @@ -1166,7 +1188,7 @@ "ListAssetRelationshipsRequest$assetId": "The ID of the asset.
", "ListAssetsRequest$assetModelId": "The ID of the asset model by which to filter the list of assets. This parameter is required if you choose ALL for filter.
The ID of the asset to query.
", - "ListAssociatedAssetsRequest$hierarchyId": "The ID of the hierarchy by which child assets are associated to the asset. To find a hierarchy ID, use the DescribeAsset or DescribeAssetModel operations. This parameter is required if you choose CHILD for traversalDirection.
For more information, see Asset hierarchies in the AWS IoT SiteWise User Guide.
", + "ListAssociatedAssetsRequest$hierarchyId": "The ID of the hierarchy by which child assets are associated to the asset. To find a hierarchy ID, use the DescribeAsset or DescribeAssetModel operations. This parameter is required if you choose CHILD for traversalDirection.
For more information, see Asset hierarchies in the IoT SiteWise User Guide.
", "ListDashboardsRequest$projectId": "The ID of the project.
", "ListProjectAssetsRequest$projectId": "The ID of the project.
", "ListProjectsRequest$portalId": "The ID of the portal.
", @@ -1197,26 +1219,26 @@ } }, "Identity": { - "base": "Contains an identity that can access an AWS IoT SiteWise Monitor resource.
Currently, you can't use AWS APIs to retrieve AWS SSO identity IDs. You can find the AWS SSO identity IDs in the URL of user and group pages in the AWS SSO console.
Contains an identity that can access an IoT SiteWise Monitor resource.
Currently, you can't use Amazon Web Services APIs to retrieve Amazon Web Services SSO identity IDs. You can find the Amazon Web Services SSO identity IDs in the URL of user and group pages in the Amazon Web Services SSO console.
The identity (an AWS SSO user, an AWS SSO group, or an IAM user).
", - "CreateAccessPolicyRequest$accessPolicyIdentity": "The identity for this access policy. Choose an AWS SSO user, an AWS SSO group, or an IAM user.
", - "DescribeAccessPolicyResponse$accessPolicyIdentity": "The identity (AWS SSO user, AWS SSO group, or IAM user) to which this access policy applies.
", - "UpdateAccessPolicyRequest$accessPolicyIdentity": "The identity for this access policy. Choose an AWS SSO user, an AWS SSO group, or an IAM user.
" + "AccessPolicySummary$identity": "The identity (an Amazon Web Services SSO user, an Amazon Web Services SSO group, or an IAM user).
", + "CreateAccessPolicyRequest$accessPolicyIdentity": "The identity for this access policy. Choose an Amazon Web Services SSO user, an Amazon Web Services SSO group, or an IAM user.
", + "DescribeAccessPolicyResponse$accessPolicyIdentity": "The identity (Amazon Web Services SSO user, Amazon Web Services SSO group, or IAM user) to which this access policy applies.
", + "UpdateAccessPolicyRequest$accessPolicyIdentity": "The identity for this access policy. Choose an Amazon Web Services SSO user, an Amazon Web Services SSO group, or an IAM user.
" } }, "IdentityId": { "base": null, "refs": { - "GroupIdentity$id": "The AWS SSO ID of the group.
", + "GroupIdentity$id": "The Amazon Web Services SSO ID of the group.
", "ListAccessPoliciesRequest$identityId": "The ID of the identity. This parameter is required if you specify USER or GROUP for identityType.
The AWS SSO ID of the user.
" + "UserIdentity$id": "The Amazon Web Services SSO ID of the user.
" } }, "IdentityType": { "base": null, "refs": { - "ListAccessPoliciesRequest$identityType": "The type of identity (AWS SSO user, AWS SSO group, or IAM user). This parameter is required if you specify identityId.
The type of identity (Amazon Web Services SSO user, Amazon Web Services SSO group, or IAM user). This parameter is required if you specify identityId.
Contains an image that is uploaded to AWS IoT SiteWise and available at a URL.
", + "base": "Contains an image that is uploaded to IoT SiteWise and available at a URL.
", "refs": { "DescribePortalResponse$portalLogoImageLocation": "The portal's logo image, which is available at a URL.
" } }, "InternalFailureException": { - "base": "AWS IoT SiteWise can't process your request right now. Try again later.
", + "base": "IoT SiteWise can't process your request right now. Try again later.
", "refs": { } }, @@ -1276,7 +1298,7 @@ "Interval": { "base": null, "refs": { - "TumblingWindow$interval": "The time interval for the tumbling window. Note that w represents weeks, d represents days, h represents hours, and m represents minutes. AWS IoT SiteWise computes the 1w interval the end of Sunday at midnight each week (UTC), the 1d interval at the end of each day at midnight (UTC), the 1h interval at the end of each hour, and so on.
When AWS IoT SiteWise aggregates data points for metric computations, the start of each interval is exclusive and the end of each interval is inclusive. AWS IoT SiteWise places the computed data point at the end of the interval.
" + "TumblingWindow$interval": "The time interval for the tumbling window. Note that w represents weeks, d represents days, h represents hours, and m represents minutes. IoT SiteWise computes the 1w interval the end of Sunday at midnight each week (UTC), the 1d interval at the end of each day at midnight (UTC), the 1h interval at the end of each hour, and so on.
When IoT SiteWise aggregates data points for metric computations, the start of each interval is exclusive and the end of each interval is inclusive. IoT SiteWise places the computed data point at the end of the interval.
" } }, "IntervalInSeconds": { @@ -1293,11 +1315,11 @@ "KmsKeyId": { "base": null, "refs": { - "PutDefaultEncryptionConfigurationRequest$kmsKeyId": "The Key ID of the customer managed customer master key (CMK) used for AWS KMS encryption. This is required if you use KMS_BASED_ENCRYPTION.
The Key ID of the customer managed customer master key (CMK) used for KMS encryption. This is required if you use KMS_BASED_ENCRYPTION.
You've reached the limit for a resource. For example, this can occur if you're trying to associate more than the allowed number of child assets or attempting to create more than the allowed number of properties for an asset model.
For more information, see Quotas in the AWS IoT SiteWise User Guide.
", + "base": "You've reached the limit for a resource. For example, this can occur if you're trying to associate more than the allowed number of child assets or attempting to create more than the allowed number of properties for an asset model.
For more information, see Quotas in the IoT SiteWise User Guide.
", "refs": { } }, @@ -1420,7 +1442,7 @@ "LoggingLevel": { "base": null, "refs": { - "LoggingOptions$level": "The AWS IoT SiteWise logging verbosity level.
" + "LoggingOptions$level": "The IoT SiteWise logging verbosity level.
" } }, "LoggingOptions": { @@ -1434,40 +1456,40 @@ "base": null, "refs": { "VariableValue$propertyId": "The ID of the property to use as the variable. You can use the property name if it's from the same asset model.
The ID of the hierarchy to query for the property ID. You can use the hierarchy's name instead of the hierarchy's ID.
You use a hierarchy ID instead of a model ID because you can have several hierarchies using the same model and therefore the same propertyId. For example, you might have separately grouped assets that come from the same asset model. For more information, see Asset hierarchies in the AWS IoT SiteWise User Guide.
The ID of the hierarchy to query for the property ID. You can use the hierarchy's name instead of the hierarchy's ID.
You use a hierarchy ID instead of a model ID because you can have several hierarchies using the same model and therefore the same propertyId. For example, you might have separately grouped assets that come from the same asset model. For more information, see Asset hierarchies in the IoT SiteWise User Guide.
The maximum number of results to be returned per paginated request. If not specified, the default value is 10.
" + "GetInterpolatedAssetPropertyValuesRequest$maxResults": "The maximum number of results to return for each paginated request. If not specified, the default value is 10.
" } }, "MaxResults": { "base": null, "refs": { - "GetAssetPropertyAggregatesRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 100
", - "GetAssetPropertyValueHistoryRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 100
", - "ListAccessPoliciesRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 50
", - "ListAssetModelsRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 50
", - "ListAssetRelationshipsRequest$maxResults": "The maximum number of results to be returned per paginated request.
", - "ListAssetsRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 50
", - "ListAssociatedAssetsRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 50
", - "ListDashboardsRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 50
", - "ListGatewaysRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 50
", - "ListPortalsRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 50
", - "ListProjectAssetsRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 50
", - "ListProjectsRequest$maxResults": "The maximum number of results to be returned per paginated request.
Default: 50
" + "GetAssetPropertyAggregatesRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 100
", + "GetAssetPropertyValueHistoryRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 100
", + "ListAccessPoliciesRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 50
", + "ListAssetModelsRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 50
", + "ListAssetRelationshipsRequest$maxResults": "The maximum number of results to return for each paginated request.
", + "ListAssetsRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 50
", + "ListAssociatedAssetsRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 50
", + "ListDashboardsRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 50
", + "ListGatewaysRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 50
", + "ListPortalsRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 50
", + "ListProjectAssetsRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 50
", + "ListProjectsRequest$maxResults": "The maximum number of results to return for each paginated request.
Default: 50
" } }, "Measurement": { - "base": "Contains an asset measurement property. For more information, see Measurements in the AWS IoT SiteWise User Guide.
", + "base": "Contains an asset measurement property. For more information, see Measurements in the IoT SiteWise User Guide.
", "refs": { "PropertyType$measurement": "Specifies an asset measurement property. A measurement represents a device's raw sensor data stream, such as timestamped temperature values or timestamped power values.
" } }, "Metric": { - "base": "Contains an asset metric property. With metrics, you can calculate aggregate functions, such as an average, maximum, or minimum, as specified through an expression. A metric maps several values to a single value (such as a sum).
The maximum number of dependent/cascading variables used in any one metric calculation is 10. Therefore, a root metric can have up to 10 cascading metrics in its computational dependency tree. Additionally, a metric can only have a data type of DOUBLE and consume properties with data types of INTEGER or DOUBLE.
For more information, see Metrics in the AWS IoT SiteWise User Guide.
", + "base": "Contains an asset metric property. With metrics, you can calculate aggregate functions, such as an average, maximum, or minimum, as specified through an expression. A metric maps several values to a single value (such as a sum).
The maximum number of dependent/cascading variables used in any one metric calculation is 10. Therefore, a root metric can have up to 10 cascading metrics in its computational dependency tree. Additionally, a metric can only have a data type of DOUBLE and consume properties with data types of INTEGER or DOUBLE.
For more information, see Metrics in the IoT SiteWise User Guide.
", "refs": { "PropertyType$metric": "Specifies an asset metric property. A metric contains a mathematical expression that uses aggregate functions to process all input data points over a time interval and output a single data point, such as to calculate the average hourly temperature.
" } @@ -1475,7 +1497,7 @@ "MetricWindow": { "base": "Contains a time interval window used for data aggregate computations (for example, average, sum, count, and so on).
", "refs": { - "Metric$window": "The window (time interval) over which AWS IoT SiteWise computes the metric's aggregation expression. AWS IoT SiteWise computes one data point per window.
The window (time interval) over which IoT SiteWise computes the metric's aggregation expression. IoT SiteWise computes one data point per window.
Contains AWS IoT SiteWise Monitor error details.
", + "base": "Contains IoT SiteWise Monitor error details.
", "refs": { "PortalStatus$error": "Contains associated error information, if any.
" } @@ -1496,6 +1518,14 @@ "MonitorErrorDetails$message": "The error message.
" } }, + "MultiLayerStorage": { + "base": "Contains information about the storage destination.
", + "refs": { + "DescribeStorageConfigurationResponse$multiLayerStorage": "Contains information about the storage destination.
", + "PutStorageConfigurationRequest$multiLayerStorage": "Identifies a storage destination. If you specified MULTI_LAYER_STORAGE for the storage type, you must specify a MultiLayerStorage object.
Contains information about the storage destination.
" + } + }, "Name": { "base": null, "refs": { @@ -1596,11 +1626,11 @@ "PortalClientId": { "base": null, "refs": { - "DescribePortalResponse$portalClientId": "The AWS SSO application generated client ID (used with AWS SSO APIs). AWS IoT SiteWise includes portalClientId for only portals that use AWS SSO to authenticate users.
The Amazon Web Services SSO application generated client ID (used with Amazon Web Services SSO APIs). IoT SiteWise includes portalClientId for only portals that use Amazon Web Services SSO to authenticate users.
Identifies an AWS IoT SiteWise Monitor portal.
", + "base": "Identifies an IoT SiteWise Monitor portal.
", "refs": { "Resource$portal": "A portal resource.
" } @@ -1634,7 +1664,7 @@ } }, "ProjectResource": { - "base": "Identifies a specific AWS IoT SiteWise Monitor project.
", + "base": "Identifies a specific IoT SiteWise Monitor project.
", "refs": { "Resource$project": "A project resource.
" } @@ -1661,9 +1691,9 @@ "PropertyAlias": { "base": null, "refs": { - "AssetProperty$alias": "The property alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the AWS IoT SiteWise User Guide.
The property alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the AWS IoT SiteWise User Guide.
The property alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the AWS IoT SiteWise User Guide.
If you omit this parameter, the alias is removed from the property.
" + "AssetProperty$alias": "The alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the IoT SiteWise User Guide.
The alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the IoT SiteWise User Guide.
The alias that identifies the property, such as an OPC-UA server data stream path (for example, /company/windfarm/3/turbine/7/temperature). For more information, see Mapping industrial data streams to asset properties in the IoT SiteWise User Guide.
If you omit this parameter, the alias is removed from the property.
" } }, "PropertyDataType": { @@ -1676,7 +1706,7 @@ } }, "PropertyNotification": { - "base": "Contains asset property value notification information. When the notification state is enabled, AWS IoT SiteWise publishes property value updates to a unique MQTT topic. For more information, see Interacting with other services in the AWS IoT SiteWise User Guide.
", + "base": "Contains asset property value notification information. When the notification state is enabled, IoT SiteWise publishes property value updates to a unique MQTT topic. For more information, see Interacting with other services in the IoT SiteWise User Guide.
", "refs": { "AssetProperty$notification": "The asset property's notification topic and state. For more information, see UpdateAssetProperty.
", "Property$notification": "The asset property's notification topic and state. For more information, see UpdateAssetProperty.
" @@ -1686,13 +1716,13 @@ "base": null, "refs": { "PropertyNotification$state": "The current notification state.
", - "UpdateAssetPropertyRequest$propertyNotificationState": "The MQTT notification state (enabled or disabled) for this asset property. When the notification state is enabled, AWS IoT SiteWise publishes property value updates to a unique MQTT topic. For more information, see Interacting with other services in the AWS IoT SiteWise User Guide.
If you omit this parameter, the notification state is set to DISABLED.
The MQTT notification state (enabled or disabled) for this asset property. When the notification state is enabled, IoT SiteWise publishes property value updates to a unique MQTT topic. For more information, see Interacting with other services in the IoT SiteWise User Guide.
If you omit this parameter, the notification state is set to DISABLED.
The MQTT topic to which AWS IoT SiteWise publishes property value update notifications.
" + "PropertyNotification$topic": "The MQTT topic to which IoT SiteWise publishes property value update notifications.
" } }, "PropertyType": { @@ -1768,6 +1798,16 @@ "refs": { } }, + "PutStorageConfigurationRequest": { + "base": null, + "refs": { + } + }, + "PutStorageConfigurationResponse": { + "base": null, + "refs": { + } + }, "Qualities": { "base": null, "refs": { @@ -1791,12 +1831,12 @@ } }, "Resource": { - "base": "Contains an AWS IoT SiteWise Monitor resource ID for a portal or project.
", + "base": "Contains an IoT SiteWise Monitor resource ID for a portal or project.
", "refs": { - "AccessPolicySummary$resource": "The AWS IoT SiteWise Monitor resource (a portal or project).
", - "CreateAccessPolicyRequest$accessPolicyResource": "The AWS IoT SiteWise Monitor resource for this access policy. Choose either a portal or a project.
", - "DescribeAccessPolicyResponse$accessPolicyResource": "The AWS IoT SiteWise Monitor resource (portal or project) to which this access policy provides access.
", - "UpdateAccessPolicyRequest$accessPolicyResource": "The AWS IoT SiteWise Monitor resource for this access policy. Choose either a portal or a project.
" + "AccessPolicySummary$resource": "The IoT SiteWise Monitor resource (a portal or project).
", + "CreateAccessPolicyRequest$accessPolicyResource": "The IoT SiteWise Monitor resource for this access policy. Choose either a portal or a project.
", + "DescribeAccessPolicyResponse$accessPolicyResource": "The IoT SiteWise Monitor resource (portal or project) to which this access policy provides access.
", + "UpdateAccessPolicyRequest$accessPolicyResource": "The IoT SiteWise Monitor resource for this access policy. Choose either a portal or a project.
" } }, "ResourceAlreadyExistsException": { @@ -1832,7 +1872,7 @@ "SSOApplicationId": { "base": null, "refs": { - "CreatePortalResponse$ssoApplicationId": "The associated AWS SSO application ID, if the portal uses AWS SSO.
" + "CreatePortalResponse$ssoApplicationId": "The associated Amazon Web Services SSO application ID, if the portal uses Amazon Web Services SSO.
" } }, "ServiceUnavailableException": { @@ -1840,6 +1880,14 @@ "refs": { } }, + "StorageType": { + "base": null, + "refs": { + "DescribeStorageConfigurationResponse$storageType": "The type of storage that you specified for your data. The storage type can be one of the following values:
SITEWISE_DEFAULT_STORAGE – IoT SiteWise replicates your data into a service managed database.
MULTI_LAYER_STORAGE – IoT SiteWise replicates your data into a service managed database and saves a copy of your raw data and metadata in an Amazon S3 object that you specified.
The type of storage that you specified for your data. The storage type can be one of the following values:
SITEWISE_DEFAULT_STORAGE – IoT SiteWise replicates your data into a service managed database.
MULTI_LAYER_STORAGE – IoT SiteWise replicates your data into a service managed database and saves a copy of your raw data and metadata in an Amazon S3 object that you specified.
The type of storage that you specified for your data. The storage type can be one of the following values:
SITEWISE_DEFAULT_STORAGE – IoT SiteWise replicates your data into a service managed database.
MULTI_LAYER_STORAGE – IoT SiteWise replicates your data into a service managed database and saves a copy of your raw data and metadata in an Amazon S3 object that you specified.
A list of key-value pairs that contain metadata for the access policy. For more information, see Tagging your AWS IoT SiteWise resources in the AWS IoT SiteWise User Guide.
", - "CreateAssetModelRequest$tags": "A list of key-value pairs that contain metadata for the asset model. For more information, see Tagging your AWS IoT SiteWise resources in the AWS IoT SiteWise User Guide.
", - "CreateAssetRequest$tags": "A list of key-value pairs that contain metadata for the asset. For more information, see Tagging your AWS IoT SiteWise resources in the AWS IoT SiteWise User Guide.
", - "CreateDashboardRequest$tags": "A list of key-value pairs that contain metadata for the dashboard. For more information, see Tagging your AWS IoT SiteWise resources in the AWS IoT SiteWise User Guide.
", - "CreateGatewayRequest$tags": "A list of key-value pairs that contain metadata for the gateway. For more information, see Tagging your AWS IoT SiteWise resources in the AWS IoT SiteWise User Guide.
", - "CreatePortalRequest$tags": "A list of key-value pairs that contain metadata for the portal. For more information, see Tagging your AWS IoT SiteWise resources in the AWS IoT SiteWise User Guide.
", - "CreateProjectRequest$tags": "A list of key-value pairs that contain metadata for the project. For more information, see Tagging your AWS IoT SiteWise resources in the AWS IoT SiteWise User Guide.
", - "ListTagsForResourceResponse$tags": "The list of key-value pairs that contain metadata for the resource. For more information, see Tagging your AWS IoT SiteWise resources in the AWS IoT SiteWise User Guide.
", - "TagResourceRequest$tags": "A list of key-value pairs that contain metadata for the resource. For more information, see Tagging your AWS IoT SiteWise resources in the AWS IoT SiteWise User Guide.
" + "CreateAccessPolicyRequest$tags": "A list of key-value pairs that contain metadata for the access policy. For more information, see Tagging your IoT SiteWise resources in the IoT SiteWise User Guide.
", + "CreateAssetModelRequest$tags": "A list of key-value pairs that contain metadata for the asset model. For more information, see Tagging your IoT SiteWise resources in the IoT SiteWise User Guide.
", + "CreateAssetRequest$tags": "A list of key-value pairs that contain metadata for the asset. For more information, see Tagging your IoT SiteWise resources in the IoT SiteWise User Guide.
", + "CreateDashboardRequest$tags": "A list of key-value pairs that contain metadata for the dashboard. For more information, see Tagging your IoT SiteWise resources in the IoT SiteWise User Guide.
", + "CreateGatewayRequest$tags": "A list of key-value pairs that contain metadata for the gateway. For more information, see Tagging your IoT SiteWise resources in the IoT SiteWise User Guide.
", + "CreatePortalRequest$tags": "A list of key-value pairs that contain metadata for the portal. For more information, see Tagging your IoT SiteWise resources in the IoT SiteWise User Guide.
", + "CreateProjectRequest$tags": "A list of key-value pairs that contain metadata for the project. For more information, see Tagging your IoT SiteWise resources in the IoT SiteWise User Guide.
", + "ListTagsForResourceResponse$tags": "The list of key-value pairs that contain metadata for the resource. For more information, see Tagging your IoT SiteWise resources in the IoT SiteWise User Guide.
", + "TagResourceRequest$tags": "A list of key-value pairs that contain metadata for the resource. For more information, see Tagging your IoT SiteWise resources in the IoT SiteWise User Guide.
" } }, "TagResourceRequest": { @@ -1884,7 +1932,7 @@ } }, "ThrottlingException": { - "base": "Your request exceeded a rate limit. For example, you might have exceeded the number of AWS IoT SiteWise assets that can be created per second, the allowed number of messages per second, and so on.
For more information, see Quotas in the AWS IoT SiteWise User Guide.
", + "base": "Your request exceeded a rate limit. For example, you might have exceeded the number of IoT SiteWise assets that can be created per second, the allowed number of messages per second, and so on.
For more information, see Quotas in the IoT SiteWise User Guide.
", "refs": { } }, @@ -1939,6 +1987,7 @@ "DescribePortalResponse$portalLastUpdateDate": "The date the portal was last updated, in Unix epoch time.
", "DescribeProjectResponse$projectCreationDate": "The date the project was created, in Unix epoch time.
", "DescribeProjectResponse$projectLastUpdateDate": "The date the project was last updated, in Unix epoch time.
", + "DescribeStorageConfigurationResponse$lastUpdateDate": "The date the storage configuration was last updated, in Unix epoch time.
", "GatewaySummary$creationDate": "The date the gateway was created, in Unix epoch time.
", "GatewaySummary$lastUpdateDate": "The date the gateway was last updated, in Unix epoch time.
", "GetAssetPropertyAggregatesRequest$startDate": "The exclusive start of the range from which to query historical data, expressed in seconds in Unix epoch time.
", @@ -1958,12 +2007,12 @@ } }, "TooManyTagsException": { - "base": "You've reached the limit for the number of tags allowed for a resource. For more information, see Tag naming limits and requirements in the AWS General Reference.
", + "base": "You've reached the limit for the number of tags allowed for a resource. For more information, see Tag naming limits and requirements in the Amazon Web Services General Reference.
", "refs": { } }, "Transform": { - "base": "Contains an asset transform property. A transform is a one-to-one mapping of a property's data points from one form to another. For example, you can use a transform to convert a Celsius data stream to Fahrenheit by applying the transformation expression to each data point of the Celsius stream. A transform can only have a data type of DOUBLE and consume properties with data types of INTEGER or DOUBLE.
For more information, see Transforms in the AWS IoT SiteWise User Guide.
", + "base": "Contains an asset transform property. A transform is a one-to-one mapping of a property's data points from one form to another. For example, you can use a transform to convert a Celsius data stream to Fahrenheit by applying the transformation expression to each data point of the Celsius stream. A transform can only have a data type of DOUBLE and consume properties with data types of INTEGER or DOUBLE.
For more information, see Transforms in the IoT SiteWise User Guide.
", "refs": { "PropertyType$transform": "Specifies an asset transform property. A transform contains a mathematical expression that maps a property's data points from one form to another, such as a unit conversion from Celsius to Fahrenheit.
" } @@ -2084,16 +2133,16 @@ "Url": { "base": null, "refs": { - "CreatePortalResponse$portalStartUrl": "The URL for the AWS IoT SiteWise Monitor portal. You can use this URL to access portals that use AWS SSO for authentication. For portals that use IAM for authentication, you must use the AWS IoT SiteWise console to get a URL that you can use to access the portal.
", - "DescribePortalResponse$portalStartUrl": "The URL for the AWS IoT SiteWise Monitor portal. You can use this URL to access portals that use AWS SSO for authentication. For portals that use IAM for authentication, you must use the AWS IoT SiteWise console to get a URL that you can use to access the portal.
", + "CreatePortalResponse$portalStartUrl": "The URL for the IoT SiteWise Monitor portal. You can use this URL to access portals that use Amazon Web Services SSO for authentication. For portals that use IAM for authentication, you must use the IoT SiteWise console to get a URL that you can use to access the portal.
", + "DescribePortalResponse$portalStartUrl": "The URL for the IoT SiteWise Monitor portal. You can use this URL to access portals that use Amazon Web Services SSO for authentication. For portals that use IAM for authentication, you must use the IoT SiteWise console to get a URL that you can use to access the portal.
", "ImageLocation$url": "The URL where the image is available. The URL is valid for 15 minutes so that you can view and download the image
", - "PortalSummary$startUrl": "The URL for the AWS IoT SiteWise Monitor portal. You can use this URL to access portals that use AWS SSO for authentication. For portals that use IAM for authentication, you must use the AWS IoT SiteWise console to get a URL that you can use to access the portal.
" + "PortalSummary$startUrl": "The URL for the IoT SiteWise Monitor portal. You can use this URL to access portals that use Amazon Web Services SSO for authentication. For portals that use IAM for authentication, you must use the IoT SiteWise console to get a URL that you can use to access the portal.
" } }, "UserIdentity": { "base": "Contains information for a user identity in an access policy.
", "refs": { - "Identity$user": "An AWS SSO user identity.
" + "Identity$user": "An Amazon Web Services SSO user identity.
" } }, "VariableName": { diff --git a/models/apis/mq/2017-11-27/api-2.json b/models/apis/mq/2017-11-27/api-2.json index 3632145b674..12deb43ab7f 100644 --- a/models/apis/mq/2017-11-27/api-2.json +++ b/models/apis/mq/2017-11-27/api-2.json @@ -573,7 +573,8 @@ "shape" : "__string", "locationName" : "nextToken" } - } + }, + "required" : [ "MaxResults" ] }, "BrokerInstance" : { "type" : "structure", @@ -636,7 +637,8 @@ "shape" : "__string", "locationName" : "nextToken" } - } + }, + "required" : [ "MaxResults" ] }, "BrokerState" : { "type" : "string", @@ -681,7 +683,8 @@ "shape" : "__string", "locationName" : "hostInstanceType" } - } + }, + "required" : [ "DeploymentMode", "EngineType" ] }, "ChangeType" : { "type" : "string", @@ -730,7 +733,8 @@ "shape" : "__mapOf__string", "locationName" : "tags" } - } + }, + "required" : [ "Description", "EngineVersion", "LatestRevision", "AuthenticationStrategy", "EngineType", "Id", "Arn", "Name", "Created" ] }, "ConfigurationId" : { "type" : "structure", @@ -743,7 +747,8 @@ "shape" : "__integer", "locationName" : "revision" } - } + }, + "required" : [ "Id" ] }, "ConfigurationRevision" : { "type" : "structure", @@ -760,7 +765,8 @@ "shape" : "__integer", "locationName" : "revision" } - } + }, + "required" : [ "Revision", "Created" ] }, "Configurations" : { "type" : "structure", @@ -876,7 +882,8 @@ "shape" : "__listOfUser", "locationName" : "users" } - } + }, + "required" : [ "EngineVersion", "HostInstanceType", "AutoMinorVersionUpgrade", "Users", "BrokerName", "DeploymentMode", "EngineType", "PubliclyAccessible" ] }, "CreateBrokerOutput" : { "type" : "structure", @@ -971,7 +978,8 @@ "shape" : "__listOfUser", "locationName" : "users" } - } + }, + "required" : [ "EngineVersion", "HostInstanceType", "AutoMinorVersionUpgrade", "Users", "BrokerName", "DeploymentMode", "EngineType", "PubliclyAccessible" ] }, "CreateBrokerResponse" : { "type" : "structure", @@ -1009,7 +1017,8 @@ "shape" : "__mapOf__string", "locationName" : "tags" } - } + }, + "required" : [ "EngineVersion", "EngineType", "Name" ] }, "CreateConfigurationOutput" : { "type" : "structure", @@ -1038,7 +1047,8 @@ "shape" : "__string", "locationName" : "name" } - } + }, + "required" : [ "AuthenticationStrategy", "Id", "Arn", "Name", "Created" ] }, "CreateConfigurationRequest" : { "type" : "structure", @@ -1063,7 +1073,8 @@ "shape" : "__mapOf__string", "locationName" : "tags" } - } + }, + "required" : [ "EngineVersion", "EngineType", "Name" ] }, "CreateConfigurationResponse" : { "type" : "structure", @@ -1124,7 +1135,8 @@ "shape" : "__string", "locationName" : "password" } - } + }, + "required" : [ "Password" ] }, "CreateUserRequest" : { "type" : "structure", @@ -1152,7 +1164,7 @@ "locationName" : "username" } }, - "required" : [ "Username", "BrokerId" ] + "required" : [ "Username", "BrokerId", "Password" ] }, "CreateUserResponse" : { "type" : "structure", @@ -1430,7 +1442,8 @@ "shape" : "__listOfUserSummary", "locationName" : "users" } - } + }, + "required" : [ "DeploymentMode", "EngineType", "AutoMinorVersionUpgrade", "PubliclyAccessible" ] }, "DescribeBrokerRequest" : { "type" : "structure", @@ -1635,7 +1648,8 @@ "shape" : "__string", "locationName" : "description" } - } + }, + "required" : [ "Data", "ConfigurationId", "Created" ] }, "DescribeConfigurationRevisionRequest" : { "type" : "structure", @@ -1697,7 +1711,8 @@ "shape" : "__string", "locationName" : "username" } - } + }, + "required" : [ "Username", "BrokerId" ] }, "DescribeUserRequest" : { "type" : "structure", @@ -1861,7 +1876,8 @@ "shape" : "__boolean", "locationName" : "userSearchSubtree" } - } + }, + "required" : [ "Hosts", "UserSearchMatching", "UserBase", "RoleSearchMatching", "ServiceAccountUsername", "RoleBase", "ServiceAccountPassword" ] }, "LdapServerMetadataOutput" : { "type" : "structure", @@ -1906,7 +1922,8 @@ "shape" : "__boolean", "locationName" : "userSearchSubtree" } - } + }, + "required" : [ "Hosts", "UserSearchMatching", "UserBase", "RoleSearchMatching", "ServiceAccountUsername", "RoleBase" ] }, "ListBrokersOutput" : { "type" : "structure", @@ -2100,7 +2117,8 @@ "shape" : "__listOfUserSummary", "locationName" : "users" } - } + }, + "required" : [ "BrokerId", "MaxResults", "Users" ] }, "ListUsersRequest" : { "type" : "structure", @@ -2180,7 +2198,8 @@ "shape" : "PendingLogs", "locationName" : "pending" } - } + }, + "required" : [ "GeneralLogGroup", "General" ] }, "MaxResults" : { "type" : "integer", @@ -2247,7 +2266,8 @@ "shape" : "SanitizationWarningReason", "locationName" : "reason" } - } + }, + "required" : [ "Reason" ] }, "SanitizationWarningReason" : { "type" : "string", @@ -2310,6 +2330,10 @@ "shape" : "Logs", "locationName" : "logs" }, + "MaintenanceWindowStartTime" : { + "shape" : "WeeklyStartTime", + "locationName" : "maintenanceWindowStartTime" + }, "SecurityGroups" : { "shape" : "__listOf__string", "locationName" : "securityGroups" @@ -2351,11 +2375,16 @@ "shape" : "Logs", "locationName" : "logs" }, + "MaintenanceWindowStartTime" : { + "shape" : "WeeklyStartTime", + "locationName" : "maintenanceWindowStartTime" + }, "SecurityGroups" : { "shape" : "__listOf__string", "locationName" : "securityGroups" } - } + }, + "required" : [ "BrokerId" ] }, "UpdateBrokerRequest" : { "type" : "structure", @@ -2393,6 +2422,10 @@ "shape" : "Logs", "locationName" : "logs" }, + "MaintenanceWindowStartTime" : { + "shape" : "WeeklyStartTime", + "locationName" : "maintenanceWindowStartTime" + }, "SecurityGroups" : { "shape" : "__listOf__string", "locationName" : "securityGroups" @@ -2435,6 +2468,10 @@ "shape" : "Logs", "locationName" : "logs" }, + "MaintenanceWindowStartTime" : { + "shape" : "WeeklyStartTime", + "locationName" : "maintenanceWindowStartTime" + }, "SecurityGroups" : { "shape" : "__listOf__string", "locationName" : "securityGroups" @@ -2452,7 +2489,8 @@ "shape" : "__string", "locationName" : "description" } - } + }, + "required" : [ "Data" ] }, "UpdateConfigurationOutput" : { "type" : "structure", @@ -2481,7 +2519,8 @@ "shape" : "__listOfSanitizationWarning", "locationName" : "warnings" } - } + }, + "required" : [ "Id", "Arn", "Name", "Created" ] }, "UpdateConfigurationRequest" : { "type" : "structure", @@ -2500,7 +2539,7 @@ "locationName" : "description" } }, - "required" : [ "ConfigurationId" ] + "required" : [ "ConfigurationId", "Data" ] }, "UpdateConfigurationResponse" : { "type" : "structure", @@ -2599,7 +2638,8 @@ "shape" : "__string", "locationName" : "username" } - } + }, + "required" : [ "Username", "Password" ] }, "UserPendingChanges" : { "type" : "structure", @@ -2616,7 +2656,8 @@ "shape" : "ChangeType", "locationName" : "pendingChange" } - } + }, + "required" : [ "PendingChange" ] }, "UserSummary" : { "type" : "structure", @@ -2629,7 +2670,8 @@ "shape" : "__string", "locationName" : "username" } - } + }, + "required" : [ "Username" ] }, "WeeklyStartTime" : { "type" : "structure", @@ -2646,7 +2688,8 @@ "shape" : "__string", "locationName" : "timeZone" } - } + }, + "required" : [ "TimeOfDay", "DayOfWeek" ] }, "__boolean" : { "type" : "boolean" diff --git a/models/apis/mq/2017-11-27/docs-2.json b/models/apis/mq/2017-11-27/docs-2.json index f6461a6472a..90d7aa618ae 100644 --- a/models/apis/mq/2017-11-27/docs-2.json +++ b/models/apis/mq/2017-11-27/docs-2.json @@ -1,596 +1,598 @@ { "version" : "2.0", - "service" : "Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers in the cloud. A message broker allows software applications and components to communicate using various programming languages, operating systems, and formal messaging protocols.", + "service" : "Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers in the cloud. A message broker allows software applications and components to communicate using various programming languages, operating systems, and formal messaging protocols.
", "operations" : { - "CreateBroker" : "Creates a broker. Note: This API is asynchronous.", - "CreateConfiguration" : "Creates a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and version).", - "CreateTags" : "Add a tag to a resource.", - "CreateUser" : "Creates an ActiveMQ user.", - "DeleteBroker" : "Deletes a broker. Note: This API is asynchronous.", - "DeleteTags" : "Removes a tag from a resource.", - "DeleteUser" : "Deletes an ActiveMQ user.", - "DescribeBroker" : "Returns information about the specified broker.", - "DescribeBrokerEngineTypes" : "Describe available engine types and versions.", - "DescribeBrokerInstanceOptions" : "Describe available broker instance options.", - "DescribeConfiguration" : "Returns information about the specified configuration.", - "DescribeConfigurationRevision" : "Returns the specified configuration revision for the specified configuration.", - "DescribeUser" : "Returns information about an ActiveMQ user.", - "ListBrokers" : "Returns a list of all brokers.", - "ListConfigurationRevisions" : "Returns a list of all revisions for the specified configuration.", - "ListConfigurations" : "Returns a list of all configurations.", - "ListTags" : "Lists tags for a resource.", - "ListUsers" : "Returns a list of all ActiveMQ users.", - "RebootBroker" : "Reboots a broker. Note: This API is asynchronous.", - "UpdateBroker" : "Adds a pending configuration change to a broker.", - "UpdateConfiguration" : "Updates the specified configuration.", - "UpdateUser" : "Updates the information for an ActiveMQ user." + "CreateBroker" : "Creates a broker. Note: This API is asynchronous.
To create a broker, you must either use the AmazonMQFullAccess IAM policy or include the following EC2 permissions in your IAM policy.
ec2:CreateNetworkInterface
This permission is required to allow Amazon MQ to create an elastic network interface (ENI) on behalf of your account.
ec2:CreateNetworkInterfacePermission
This permission is required to attach the ENI to the broker instance.
ec2:DeleteNetworkInterface
ec2:DeleteNetworkInterfacePermission
ec2:DetachNetworkInterface
ec2:DescribeInternetGateways
ec2:DescribeNetworkInterfaces
ec2:DescribeNetworkInterfacePermissions
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcs
For more information, see Create an IAM User and Get Your AWS Credentials and Never Modify or Delete the Amazon MQ Elastic Network Interface in the Amazon MQ Developer Guide.
", + "CreateConfiguration" : "Creates a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and version).
", + "CreateTags" : "Add a tag to a resource.
", + "CreateUser" : "Creates an ActiveMQ user.
", + "DeleteBroker" : "Deletes a broker. Note: This API is asynchronous.
", + "DeleteTags" : "Removes a tag from a resource.
", + "DeleteUser" : "Deletes an ActiveMQ user.
", + "DescribeBroker" : "Returns information about the specified broker.
", + "DescribeBrokerEngineTypes" : "Describe available engine types and versions.
", + "DescribeBrokerInstanceOptions" : "Describe available broker instance options.
", + "DescribeConfiguration" : "Returns information about the specified configuration.
", + "DescribeConfigurationRevision" : "Returns the specified configuration revision for the specified configuration.
", + "DescribeUser" : "Returns information about an ActiveMQ user.
", + "ListBrokers" : "Returns a list of all brokers.
", + "ListConfigurationRevisions" : "Returns a list of all revisions for the specified configuration.
", + "ListConfigurations" : "Returns a list of all configurations.
", + "ListTags" : "Lists tags for a resource.
", + "ListUsers" : "Returns a list of all ActiveMQ users.
", + "RebootBroker" : "Reboots a broker. Note: This API is asynchronous.
", + "UpdateBroker" : "Adds a pending configuration change to a broker.
", + "UpdateConfiguration" : "Updates the specified configuration.
", + "UpdateUser" : "Updates the information for an ActiveMQ user.
" }, "shapes" : { "AuthenticationStrategy" : { - "base" : "The authentication strategy used to secure the broker.", + "base" : "Optional. The authentication strategy used to secure the broker. The default is SIMPLE.
", "refs" : { - "Configuration$AuthenticationStrategy" : "The authentication strategy associated with the configuration.", - "CreateBrokerInput$AuthenticationStrategy" : "The authentication strategy used to secure the broker.", - "CreateConfigurationInput$AuthenticationStrategy" : "The authentication strategy associated with the configuration.", - "CreateConfigurationOutput$AuthenticationStrategy" : "The authentication strategy associated with the configuration.", - "DescribeBrokerOutput$AuthenticationStrategy" : "The authentication strategy used to secure the broker.", - "DescribeBrokerOutput$PendingAuthenticationStrategy" : "The authentication strategy that will be applied when the broker is rebooted.", - "UpdateBrokerInput$AuthenticationStrategy" : "The authentication strategy used to secure the broker.", - "UpdateBrokerOutput$AuthenticationStrategy" : "The authentication strategy used to secure the broker." + "Configuration$AuthenticationStrategy" : "Optional. The authentication strategy associated with the configuration. The default is SIMPLE.
", + "CreateBrokerInput$AuthenticationStrategy" : "Optional. The authentication strategy used to secure the broker. The default is SIMPLE.
", + "CreateConfigurationInput$AuthenticationStrategy" : "Optional. The authentication strategy associated with the configuration. The default is SIMPLE.
", + "CreateConfigurationOutput$AuthenticationStrategy" : "Optional. The authentication strategy associated with the configuration. The default is SIMPLE.
", + "DescribeBrokerOutput$AuthenticationStrategy" : "The authentication strategy used to secure the broker. The default is SIMPLE.
", + "DescribeBrokerOutput$PendingAuthenticationStrategy" : "The authentication strategy that will be applied when the broker is rebooted. The default is SIMPLE.
", + "UpdateBrokerInput$AuthenticationStrategy" : "Optional. The authentication strategy used to secure the broker. The default is SIMPLE.
", + "UpdateBrokerOutput$AuthenticationStrategy" : "Optional. The authentication strategy used to secure the broker. The default is SIMPLE.
" } }, "AvailabilityZone" : { - "base" : "Name of the availability zone.", + "base" : "Name of the availability zone.
", "refs" : { "__listOfAvailabilityZone$member" : null } }, "BadRequestException" : { - "base" : "Returns information about an error.", + "base" : "Returns information about an error.
", "refs" : { } }, "BrokerEngineType" : { - "base" : "Types of broker engines.", + "base" : "Types of broker engines.
", "refs" : { "__listOfBrokerEngineType$member" : null } }, "BrokerEngineTypeOutput" : { - "base" : "Returns a list of broker engine type.", + "base" : "Returns a list of broker engine type.
", "refs" : { } }, "BrokerInstance" : { - "base" : "Returns information about all brokers.", + "base" : "Returns information about all brokers.
", "refs" : { "__listOfBrokerInstance$member" : null } }, "BrokerInstanceOption" : { - "base" : "Option for host instance type.", + "base" : "Option for host instance type.
", "refs" : { "__listOfBrokerInstanceOption$member" : null } }, "BrokerInstanceOptionsOutput" : { - "base" : "Returns a list of broker instance options.", + "base" : "Returns a list of broker instance options.
", "refs" : { } }, "BrokerState" : { - "base" : "The status of the broker.", + "base" : "The broker's status.
", "refs" : { - "BrokerSummary$BrokerState" : "The status of the broker.", - "DescribeBrokerOutput$BrokerState" : "The status of the broker." + "BrokerSummary$BrokerState" : "The broker's status.
", + "DescribeBrokerOutput$BrokerState" : "The broker's status.
" } }, "BrokerStorageType" : { - "base" : "The storage type of the broker.The broker's storage type.
EFS is not supported for RabbitMQ engine type.
The broker's storage type.
", + "CreateBrokerInput$StorageType" : "The broker's storage type.
", + "DescribeBrokerOutput$StorageType" : "The broker's storage type.
" } }, "BrokerSummary" : { - "base" : "The Amazon Resource Name (ARN) of the broker.", + "base" : "Returns information about all brokers.
", "refs" : { "__listOfBrokerSummary$member" : null } }, "ChangeType" : { - "base" : "The type of change pending for the ActiveMQ user.", + "base" : "The type of change pending for the ActiveMQ user.
", "refs" : { - "UserPendingChanges$PendingChange" : "Required. The type of change pending for the ActiveMQ user.", - "UserSummary$PendingChange" : "The type of change pending for the broker user." + "UserPendingChanges$PendingChange" : "Required. The type of change pending for the ActiveMQ user.
", + "UserSummary$PendingChange" : "The type of change pending for the broker user.
" } }, "Configuration" : { - "base" : "Returns information about all configurations.", + "base" : "Returns information about all configurations.
", "refs" : { "__listOfConfiguration$member" : null } }, "ConfigurationId" : { - "base" : "A list of information about the configuration.A list of information about the configuration.
Does not apply to RabbitMQ brokers.
The broker's current configuration.
", + "Configurations$Pending" : "The broker's pending configuration.
", + "CreateBrokerInput$Configuration" : "A list of information about the configuration.
", + "UpdateBrokerInput$Configuration" : "A list of information about the configuration.
", + "UpdateBrokerOutput$Configuration" : "The ID of the updated configuration.
", "__listOfConfigurationId$member" : null } }, "ConfigurationRevision" : { - "base" : "Returns information about the specified configuration revision.", + "base" : "Returns information about the specified configuration revision.
", "refs" : { - "Configuration$LatestRevision" : "Required. The latest revision of the configuration.", - "CreateConfigurationOutput$LatestRevision" : "The latest revision of the configuration.", - "UpdateConfigurationOutput$LatestRevision" : "The latest revision of the configuration.", + "Configuration$LatestRevision" : "Required. The latest revision of the configuration.
", + "CreateConfigurationOutput$LatestRevision" : "The latest revision of the configuration.
", + "UpdateConfigurationOutput$LatestRevision" : "The latest revision of the configuration.
", "__listOfConfigurationRevision$member" : null } }, "Configurations" : { - "base" : "Broker configuration information", + "base" : "Broker configuration information
", "refs" : { - "DescribeBrokerOutput$Configurations" : "The list of all revisions for the specified configuration." + "DescribeBrokerOutput$Configurations" : "The list of all revisions for the specified configuration.
" } }, "ConflictException" : { - "base" : "Returns information about an error.", + "base" : "Returns information about an error.
", "refs" : { } }, "CreateBrokerInput" : { - "base" : "Required. The version of the broker engine. For a list of supported engine versions, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html", + "base" : "Creates a broker.
", "refs" : { } }, "CreateBrokerOutput" : { - "base" : "Returns information about the created broker.", + "base" : "Returns information about the created broker.
", "refs" : { } }, "CreateConfigurationInput" : { - "base" : "Creates a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and version).", + "base" : "Creates a new configuration for the specified configuration name. Amazon MQ uses the default configuration (the engine type and version).
", "refs" : { } }, "CreateConfigurationOutput" : { - "base" : "Returns information about the created configuration.", + "base" : "Returns information about the created configuration.
", "refs" : { } }, "CreateUserInput" : { - "base" : "Creates a new ActiveMQ user.", + "base" : "Creates a new ActiveMQ user.
", "refs" : { } }, "DayOfWeek" : { "base" : null, "refs" : { - "WeeklyStartTime$DayOfWeek" : "Required. The day of the week." + "WeeklyStartTime$DayOfWeek" : "Required. The day of the week.
" } }, "DeleteBrokerOutput" : { - "base" : "Returns information about the deleted broker.", + "base" : "Returns information about the deleted broker.
", "refs" : { } }, "DeploymentMode" : { - "base" : "The deployment mode of the broker.", + "base" : "The broker's deployment mode.
", "refs" : { - "BrokerSummary$DeploymentMode" : "Required. The deployment mode of the broker.", - "CreateBrokerInput$DeploymentMode" : "Required. The deployment mode of the broker.", - "DescribeBrokerOutput$DeploymentMode" : "Required. The deployment mode of the broker.", + "BrokerSummary$DeploymentMode" : "The broker's deployment mode.
", + "CreateBrokerInput$DeploymentMode" : "Required. The broker's deployment mode.
", + "DescribeBrokerOutput$DeploymentMode" : "The broker's deployment mode.
", "__listOfDeploymentMode$member" : null } }, "DescribeBrokerOutput" : { - "base" : "The version of the broker engine. For a list of supported engine versions, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html", + "base" : "Returns information about the specified broker.
", "refs" : { } }, "DescribeConfigurationRevisionOutput" : { - "base" : "Returns the specified configuration revision for the specified configuration.", + "base" : "Returns the specified configuration revision for the specified configuration.
", "refs" : { } }, "DescribeUserOutput" : { - "base" : "Returns information about an ActiveMQ user.", + "base" : "Returns information about an ActiveMQ user.
", "refs" : { } }, "EncryptionOptions" : { - "base" : "Encryption options for the broker.", + "base" : "Does not apply to RabbitMQ brokers.
Encryption options for the broker.
", "refs" : { - "CreateBrokerInput$EncryptionOptions" : "Encryption options for the broker.", - "DescribeBrokerOutput$EncryptionOptions" : "Encryption options for the broker." + "CreateBrokerInput$EncryptionOptions" : "Encryption options for the broker. Does not apply to RabbitMQ brokers.
", + "DescribeBrokerOutput$EncryptionOptions" : "Encryption options for the broker. Does not apply to RabbitMQ brokers.
" } }, "EngineType" : { - "base" : "The type of broker engine. Note: Currently, Amazon MQ supports ActiveMQ and RabbitMQ.", + "base" : "The type of broker engine. Amazon MQ supports ActiveMQ and RabbitMQ.
", "refs" : { - "BrokerEngineType$EngineType" : "The type of broker engine.", - "BrokerInstanceOption$EngineType" : "The type of broker engine.", - "BrokerSummary$EngineType" : "Required. The type of broker engine.", - "Configuration$EngineType" : "Required. The type of broker engine. Note: Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ.", - "CreateBrokerInput$EngineType" : "Required. The type of broker engine. Note: Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ.", - "CreateConfigurationInput$EngineType" : "Required. The type of broker engine. Note: Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ.", - "DescribeBrokerOutput$EngineType" : "Required. The type of broker engine. Note: Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ." + "BrokerEngineType$EngineType" : "The broker's engine type.
", + "BrokerInstanceOption$EngineType" : "The broker's engine type.
", + "BrokerSummary$EngineType" : "The type of broker engine.
", + "Configuration$EngineType" : "Required. The type of broker engine. Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ.
", + "CreateBrokerInput$EngineType" : "Required. The type of broker engine. Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ.
", + "CreateConfigurationInput$EngineType" : "Required. The type of broker engine. Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ.
", + "DescribeBrokerOutput$EngineType" : "The type of broker engine. Currently, Amazon MQ supports ACTIVEMQ and RABBITMQ.
" } }, "EngineVersion" : { - "base" : "Id of the engine version.", + "base" : "Id of the engine version.
", "refs" : { "__listOfEngineVersion$member" : null } }, "Error" : { - "base" : "Returns information about an error.", + "base" : "Returns information about an error.
", "refs" : { } }, "ForbiddenException" : { - "base" : "Returns information about an error.", + "base" : "Returns information about an error.
", "refs" : { } }, "InternalServerErrorException" : { - "base" : "Returns information about an error.", + "base" : "Returns information about an error.
", "refs" : { } }, "LdapServerMetadataInput" : { - "base" : "The metadata of the LDAP server used to authenticate and authorize connections to the broker.Optional. The metadata of the LDAP server used to authenticate and authorize connections to the broker.
Does not apply to RabbitMQ brokers.
Optional. The metadata of the LDAP server used to authenticate and authorize connections to the broker. Does not apply to RabbitMQ brokers.
", + "UpdateBrokerInput$LdapServerMetadata" : "Optional. The metadata of the LDAP server used to authenticate and authorize connections to the broker. Does not apply to RabbitMQ brokers.
" } }, "LdapServerMetadataOutput" : { - "base" : "The metadata of the LDAP server used to authenticate and authorize connections to the broker.", + "base" : "Optional. The metadata of the LDAP server used to authenticate and authorize connections to the broker.
", "refs" : { - "DescribeBrokerOutput$LdapServerMetadata" : "The metadata of the LDAP server used to authenticate and authorize connections to the broker.", - "DescribeBrokerOutput$PendingLdapServerMetadata" : "The metadata of the LDAP server that will be used to authenticate and authorize connections to the broker once it is rebooted.", - "UpdateBrokerOutput$LdapServerMetadata" : "The metadata of the LDAP server used to authenticate and authorize connections to the broker." + "DescribeBrokerOutput$LdapServerMetadata" : "The metadata of the LDAP server used to authenticate and authorize connections to the broker.
", + "DescribeBrokerOutput$PendingLdapServerMetadata" : "The metadata of the LDAP server that will be used to authenticate and authorize connections to the broker after it is rebooted.
", + "UpdateBrokerOutput$LdapServerMetadata" : "Optional. The metadata of the LDAP server used to authenticate and authorize connections to the broker. Does not apply to RabbitMQ brokers.
" } }, "ListBrokersOutput" : { - "base" : "A list of information about all brokers.", + "base" : null, "refs" : { } }, "ListConfigurationRevisionsOutput" : { - "base" : "Returns a list of all revisions for the specified configuration.", + "base" : "Returns a list of all revisions for the specified configuration.
", "refs" : { } }, "ListConfigurationsOutput" : { - "base" : "Returns a list of all configurations.", + "base" : "Returns a list of all configurations.
", "refs" : { } }, "ListUsersOutput" : { - "base" : "Returns a list of all ActiveMQ users.", + "base" : "Returns a list of all ActiveMQ users.
", "refs" : { } }, "Logs" : { - "base" : "The list of information about logs to be enabled for the specified broker.", + "base" : "The list of information about logs to be enabled for the specified broker.
", "refs" : { - "CreateBrokerInput$Logs" : "Enables Amazon CloudWatch logging for brokers.", - "UpdateBrokerInput$Logs" : "Enables Amazon CloudWatch logging for brokers.", - "UpdateBrokerOutput$Logs" : "The list of information about logs to be enabled for the specified broker." + "CreateBrokerInput$Logs" : "Enables Amazon CloudWatch logging for brokers.
", + "UpdateBrokerInput$Logs" : "Enables Amazon CloudWatch logging for brokers.
", + "UpdateBrokerOutput$Logs" : "The list of information about logs to be enabled for the specified broker.
" } }, "LogsSummary" : { - "base" : "The list of information about logs currently enabled and pending to be deployed for the specified broker.", + "base" : "The list of information about logs currently enabled and pending to be deployed for the specified broker.
", "refs" : { - "DescribeBrokerOutput$Logs" : "The list of information about logs currently enabled and pending to be deployed for the specified broker." + "DescribeBrokerOutput$Logs" : "The list of information about logs currently enabled and pending to be deployed for the specified broker.
" } }, "NotFoundException" : { - "base" : "Returns information about an error.", + "base" : "Returns information about an error.
", "refs" : { } }, "PendingLogs" : { - "base" : "The list of information about logs to be enabled for the specified broker.", + "base" : "The list of information about logs to be enabled for the specified broker.
", "refs" : { - "LogsSummary$Pending" : "The list of information about logs pending to be deployed for the specified broker." + "LogsSummary$Pending" : "The list of information about logs pending to be deployed for the specified broker.
" } }, "SanitizationWarning" : { - "base" : "Returns information about the XML element or attribute that was sanitized in the configuration.", + "base" : "Returns information about the XML element or attribute that was sanitized in the configuration.
", "refs" : { "__listOfSanitizationWarning$member" : null } }, "SanitizationWarningReason" : { - "base" : "The reason for which the XML elements or attributes were sanitized.", + "base" : "The reason for which the XML elements or attributes were sanitized.
", "refs" : { - "SanitizationWarning$Reason" : "Required. The reason for which the XML elements or attributes were sanitized." + "SanitizationWarning$Reason" : "Required. The reason for which the XML elements or attributes were sanitized.
" } }, "Tags" : { - "base" : "A map of the key-value pairs for the resource tag.", + "base" : "A map of the key-value pairs for the resource tag.
", "refs" : { } }, "UnauthorizedException" : { - "base" : "Returns information about an error.", + "base" : "Returns information about an error.
", "refs" : { } }, "UpdateBrokerInput" : { - "base" : "Updates the broker using the specified properties.", + "base" : "Updates the broker using the specified properties.
", "refs" : { } }, "UpdateBrokerOutput" : { - "base" : "Returns information about the updated broker.", + "base" : "Returns information about the updated broker.
", "refs" : { } }, "UpdateConfigurationInput" : { - "base" : "Updates the specified configuration.", + "base" : "Updates the specified configuration.
", "refs" : { } }, "UpdateConfigurationOutput" : { - "base" : "Returns information about the updated configuration.", + "base" : "Returns information about the updated configuration.
", "refs" : { } }, "UpdateUserInput" : { - "base" : "Updates the information for an ActiveMQ user.", + "base" : "Updates the information for an ActiveMQ user.
", "refs" : { } }, "User" : { - "base" : "A user associated with the broker.", + "base" : "A user associated with the broker. For RabbitMQ brokers, one and only one administrative user is accepted and created when a broker is first provisioned. All subsequent broker users are created by making RabbitMQ API calls directly to brokers or via the RabbitMQ web console.
", "refs" : { "__listOfUser$member" : null } }, "UserPendingChanges" : { - "base" : "Returns information about the status of the changes pending for the ActiveMQ user.", + "base" : "Returns information about the status of the changes pending for the ActiveMQ user.
", "refs" : { - "DescribeUserOutput$Pending" : "The status of the changes pending for the ActiveMQ user." + "DescribeUserOutput$Pending" : "The status of the changes pending for the ActiveMQ user.
" } }, "UserSummary" : { - "base" : "Returns a list of all broker users.", + "base" : "Returns a list of all broker users. Does not apply to RabbitMQ brokers.
", "refs" : { "__listOfUserSummary$member" : null } }, "WeeklyStartTime" : { - "base" : "The scheduled time period relative to UTC during which Amazon MQ begins to apply pending updates or patches to the broker.", + "base" : "The scheduled time period relative to UTC during which Amazon MQ begins to apply pending updates or patches to the broker.
", "refs" : { - "CreateBrokerInput$MaintenanceWindowStartTime" : "The parameters that determine the WeeklyStartTime.", - "DescribeBrokerOutput$MaintenanceWindowStartTime" : "The parameters that determine the WeeklyStartTime." + "CreateBrokerInput$MaintenanceWindowStartTime" : "The parameters that determine the WeeklyStartTime.
", + "DescribeBrokerOutput$MaintenanceWindowStartTime" : "The parameters that determine the WeeklyStartTime.
", + "UpdateBrokerInput$MaintenanceWindowStartTime" : "The parameters that determine the WeeklyStartTime.
", + "UpdateBrokerOutput$MaintenanceWindowStartTime" : "The parameters that determine the WeeklyStartTime.
" } }, "__boolean" : { "base" : null, "refs" : { - "CreateBrokerInput$AutoMinorVersionUpgrade" : "Required. Enables automatic upgrades to new minor versions for brokers, as Apache releases the versions. The automatic upgrades occur during the maintenance window of the broker or after a manual broker reboot.", - "CreateBrokerInput$PubliclyAccessible" : "Required. Enables connections from applications outside of the VPC that hosts the broker's subnets.", - "CreateUserInput$ConsoleAccess" : "Enables access to the ActiveMQ Web Console for the ActiveMQ user.", - "DescribeBrokerOutput$AutoMinorVersionUpgrade" : "Required. Enables automatic upgrades to new minor versions for brokers, as Apache releases the versions. The automatic upgrades occur during the maintenance window of the broker or after a manual broker reboot.", - "DescribeBrokerOutput$PubliclyAccessible" : "Required. Enables connections from applications outside of the VPC that hosts the broker's subnets.", - "DescribeUserOutput$ConsoleAccess" : "Enables access to the the ActiveMQ Web Console for the ActiveMQ user.", - "EncryptionOptions$UseAwsOwnedKey" : "Enables the use of an AWS owned CMK using AWS Key Management Service (KMS).", - "LdapServerMetadataInput$RoleSearchSubtree" : "The directory search scope for the role. If set to true, scope is to search the entire sub-tree.", - "LdapServerMetadataInput$UserSearchSubtree" : "The directory search scope for the user. If set to true, scope is to search the entire sub-tree.", - "LdapServerMetadataOutput$RoleSearchSubtree" : "The directory search scope for the role. If set to true, scope is to search the entire sub-tree.", - "LdapServerMetadataOutput$UserSearchSubtree" : "The directory search scope for the user. If set to true, scope is to search the entire sub-tree.", - "Logs$Audit" : "Enables audit logging. Every user management action made using JMX or the ActiveMQ Web Console is logged. Does not apply to RabbitMQ brokers.", - "Logs$General" : "Enables general logging.", - "LogsSummary$Audit" : "Enables audit logging. Every user management action made using JMX or the ActiveMQ Web Console is logged.", - "LogsSummary$General" : "Enables general logging.", - "PendingLogs$Audit" : "Enables audit logging. Every user management action made using JMX or the ActiveMQ Web Console is logged.", - "PendingLogs$General" : "Enables general logging.", - "UpdateBrokerInput$AutoMinorVersionUpgrade" : "Enables automatic upgrades to new minor versions for brokers, as Apache releases the versions. The automatic upgrades occur during the maintenance window of the broker or after a manual broker reboot.", - "UpdateBrokerOutput$AutoMinorVersionUpgrade" : "The new value of automatic upgrades to new minor version for brokers.", - "UpdateUserInput$ConsoleAccess" : "Enables access to the the ActiveMQ Web Console for the ActiveMQ user.", - "User$ConsoleAccess" : "Enables access to the ActiveMQ Web Console for the ActiveMQ user (Does not apply to RabbitMQ brokers).", - "UserPendingChanges$ConsoleAccess" : "Enables access to the the ActiveMQ Web Console for the ActiveMQ user." + "CreateBrokerInput$AutoMinorVersionUpgrade" : "Enables automatic upgrades to new minor versions for brokers, as new versions are released and supported by Amazon MQ. Automatic upgrades occur during the scheduled maintenance window of the broker or after a manual broker reboot. Set to true by default, if no value is specified.
", + "CreateBrokerInput$PubliclyAccessible" : "Enables connections from applications outside of the VPC that hosts the broker's subnets. Set to false by default, if no value is provided.
", + "CreateUserInput$ConsoleAccess" : "Enables access to the ActiveMQ Web Console for the ActiveMQ user.
", + "DescribeBrokerOutput$AutoMinorVersionUpgrade" : "Enables automatic upgrades to new minor versions for brokers, as new versions are released and supported by Amazon MQ. Automatic upgrades occur during the scheduled maintenance window of the broker or after a manual broker reboot.
", + "DescribeBrokerOutput$PubliclyAccessible" : "Enables connections from applications outside of the VPC that hosts the broker's subnets.
", + "DescribeUserOutput$ConsoleAccess" : "Enables access to the the ActiveMQ Web Console for the ActiveMQ user.
", + "EncryptionOptions$UseAwsOwnedKey" : "Enables the use of an AWS owned CMK using AWS Key Management Service (KMS). Set to true by default, if no value is provided, for example, for RabbitMQ brokers.
", + "LdapServerMetadataInput$RoleSearchSubtree" : "The directory search scope for the role. If set to true, scope is to search the entire subtree.
", + "LdapServerMetadataInput$UserSearchSubtree" : "The directory search scope for the user. If set to true, scope is to search the entire subtree.
", + "LdapServerMetadataOutput$RoleSearchSubtree" : "The directory search scope for the role. If set to true, scope is to search the entire subtree.
", + "LdapServerMetadataOutput$UserSearchSubtree" : "The directory search scope for the user. If set to true, scope is to search the entire subtree.
", + "Logs$Audit" : "Enables audit logging. Every user management action made using JMX or the ActiveMQ Web Console is logged. Does not apply to RabbitMQ brokers.
", + "Logs$General" : "Enables general logging.
", + "LogsSummary$Audit" : "Enables audit logging. Every user management action made using JMX or the ActiveMQ Web Console is logged.
", + "LogsSummary$General" : "Enables general logging.
", + "PendingLogs$Audit" : "Enables audit logging. Every user management action made using JMX or the ActiveMQ Web Console is logged.
", + "PendingLogs$General" : "Enables general logging.
", + "UpdateBrokerInput$AutoMinorVersionUpgrade" : "Enables automatic upgrades to new minor versions for brokers, as new versions are released and supported by Amazon MQ. Automatic upgrades occur during the scheduled maintenance window of the broker or after a manual broker reboot.
", + "UpdateBrokerOutput$AutoMinorVersionUpgrade" : "The new boolean value that specifies whether broker engines automatically upgrade to new minor versions as new versions are released and supported by Amazon MQ.
", + "UpdateUserInput$ConsoleAccess" : "Enables access to the the ActiveMQ Web Console for the ActiveMQ user.
", + "User$ConsoleAccess" : "Enables access to the ActiveMQ Web Console for the ActiveMQ user. Does not apply to RabbitMQ brokers.
", + "UserPendingChanges$ConsoleAccess" : "Enables access to the the ActiveMQ Web Console for the ActiveMQ user.
" } }, "__integer" : { "base" : null, "refs" : { - "ConfigurationId$Revision" : "The revision number of the configuration.", - "ConfigurationRevision$Revision" : "Required. The revision number of the configuration.", - "ListConfigurationRevisionsOutput$MaxResults" : "The maximum number of configuration revisions that can be returned per page (20 by default). This value must be an integer from 5 to 100.", - "ListConfigurationsOutput$MaxResults" : "The maximum number of configurations that Amazon MQ can return per page (20 by default). This value must be an integer from 5 to 100." + "ConfigurationId$Revision" : "The revision number of the configuration.
", + "ConfigurationRevision$Revision" : "Required. The revision number of the configuration.
", + "ListConfigurationRevisionsOutput$MaxResults" : "The maximum number of configuration revisions that can be returned per page (20 by default). This value must be an integer from 5 to 100.
", + "ListConfigurationsOutput$MaxResults" : "The maximum number of configurations that Amazon MQ can return per page (20 by default). This value must be an integer from 5 to 100.
" } }, "__integerMin5Max100" : { "base" : null, "refs" : { - "BrokerEngineTypeOutput$MaxResults" : "Required. The maximum number of engine types that can be returned per page (20 by default). This value must be an integer from 5 to 100.", - "BrokerInstanceOptionsOutput$MaxResults" : "Required. The maximum number of instance options that can be returned per page (20 by default). This value must be an integer from 5 to 100.", - "ListUsersOutput$MaxResults" : "Required. The maximum number of ActiveMQ users that can be returned per page (20 by default). This value must be an integer from 5 to 100." + "BrokerEngineTypeOutput$MaxResults" : "Required. The maximum number of engine types that can be returned per page (20 by default). This value must be an integer from 5 to 100.
", + "BrokerInstanceOptionsOutput$MaxResults" : "Required. The maximum number of instance options that can be returned per page (20 by default). This value must be an integer from 5 to 100.
", + "ListUsersOutput$MaxResults" : "Required. The maximum number of ActiveMQ users that can be returned per page (20 by default). This value must be an integer from 5 to 100.
" } }, "__listOfAvailabilityZone" : { "base" : null, "refs" : { - "BrokerInstanceOption$AvailabilityZones" : "The list of available az." + "BrokerInstanceOption$AvailabilityZones" : "The list of available az.
" } }, "__listOfBrokerEngineType" : { "base" : null, "refs" : { - "BrokerEngineTypeOutput$BrokerEngineTypes" : "List of available engine types and versions." + "BrokerEngineTypeOutput$BrokerEngineTypes" : "List of available engine types and versions.
" } }, "__listOfBrokerInstance" : { "base" : null, "refs" : { - "DescribeBrokerOutput$BrokerInstances" : "A list of information about allocated brokers." + "DescribeBrokerOutput$BrokerInstances" : "A list of information about allocated brokers.
" } }, "__listOfBrokerInstanceOption" : { "base" : null, "refs" : { - "BrokerInstanceOptionsOutput$BrokerInstanceOptions" : "List of available broker instance options." + "BrokerInstanceOptionsOutput$BrokerInstanceOptions" : "List of available broker instance options.
" } }, "__listOfBrokerSummary" : { "base" : null, "refs" : { - "ListBrokersOutput$BrokerSummaries" : "A list of information about all brokers." + "ListBrokersOutput$BrokerSummaries" : "A list of information about all brokers.
" } }, "__listOfConfiguration" : { "base" : null, "refs" : { - "ListConfigurationsOutput$Configurations" : "The list of all revisions for the specified configuration." + "ListConfigurationsOutput$Configurations" : "The list of all revisions for the specified configuration.
" } }, "__listOfConfigurationId" : { "base" : null, "refs" : { - "Configurations$History" : "The history of configurations applied to the broker." + "Configurations$History" : "The history of configurations applied to the broker.
" } }, "__listOfConfigurationRevision" : { "base" : null, "refs" : { - "ListConfigurationRevisionsOutput$Revisions" : "The list of all revisions for the specified configuration." + "ListConfigurationRevisionsOutput$Revisions" : "The list of all revisions for the specified configuration.
" } }, "__listOfDeploymentMode" : { "base" : null, "refs" : { - "BrokerInstanceOption$SupportedDeploymentModes" : "The list of supported deployment modes." + "BrokerInstanceOption$SupportedDeploymentModes" : "The list of supported deployment modes.
" } }, "__listOfEngineVersion" : { "base" : null, "refs" : { - "BrokerEngineType$EngineVersions" : "The list of engine versions." + "BrokerEngineType$EngineVersions" : "The list of engine versions.
" } }, "__listOfSanitizationWarning" : { "base" : null, "refs" : { - "UpdateConfigurationOutput$Warnings" : "The list of the first 20 warnings about the configuration XML elements or attributes that were sanitized." + "UpdateConfigurationOutput$Warnings" : "The list of the first 20 warnings about the configuration XML elements or attributes that were sanitized.
" } }, "__listOfUser" : { "base" : null, "refs" : { - "CreateBrokerInput$Users" : "Required. The list of broker users (persons or applications) who can access queues and topics. For RabbitMQ brokers, one and only one administrative user is accepted and created when a broker is first provisioned. All subsequent broker users are created by making RabbitMQ API calls directly to brokers or via the RabbitMQ Web Console. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long." + "CreateBrokerInput$Users" : "Required. The list of broker users (persons or applications) who can access queues and topics. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.
When you create an Amazon MQ for RabbitMQ broker, one and only one administrative user is accepted and created when a broker is first provisioned. All subsequent broker users are created by making RabbitMQ API calls directly to brokers or via the RabbitMQ web console.
The list of all broker usernames for the specified broker.
", + "ListUsersOutput$Users" : "Required. The list of all ActiveMQ usernames for the specified broker. Does not apply to RabbitMQ brokers.
" } }, "__listOf__string" : { "base" : null, "refs" : { - "BrokerInstance$Endpoints" : "The broker's wire-level protocol endpoints.", - "BrokerInstanceOption$SupportedEngineVersions" : "The list of supported engine versions.", - "CreateBrokerInput$SecurityGroups" : "The list of security groups (1 minimum, 5 maximum) that authorizes connections to brokers.", - "CreateBrokerInput$SubnetIds" : "The list of groups that define which subnets and IP ranges the broker can use from different Availability Zones. A SINGLE_INSTANCE deployment requires one subnet (for example, the default subnet). An ACTIVE_STANDBY_MULTI_AZ deployment (ACTIVEMQ) requires two subnets. A CLUSTER_MULTI_AZ deployment (RABBITMQ) has no subnet requirements when deployed with public accessibility, deployment without public accessibility requires at least one subnet.", - "CreateUserInput$Groups" : "The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.", - "DescribeBrokerOutput$PendingSecurityGroups" : "The list of pending security groups to authorize connections to brokers.", - "DescribeBrokerOutput$SecurityGroups" : "The list of security groups (1 minimum, 5 maximum) that authorizes connections to brokers.", - "DescribeBrokerOutput$SubnetIds" : "The list of groups that define which subnets and IP ranges the broker can use from different Availability Zones. A SINGLE_INSTANCE deployment requires one subnet (for example, the default subnet). An ACTIVE_STANDBY_MULTI_AZ deployment (ACTIVEMQ) requires two subnets. A CLUSTER_MULTI_AZ deployment (RABBITMQ) has no subnet requirements when deployed with public accessibility, deployment without public accessibility requires at least one subnet.", - "DescribeUserOutput$Groups" : "The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.", - "LdapServerMetadataInput$Hosts" : "Fully qualified domain name of the LDAP server. Optional failover server.", - "LdapServerMetadataOutput$Hosts" : "Fully qualified domain name of the LDAP server. Optional failover server.", - "UpdateBrokerInput$SecurityGroups" : "The list of security groups (1 minimum, 5 maximum) that authorizes connections to brokers.", - "UpdateBrokerOutput$SecurityGroups" : "The list of security groups (1 minimum, 5 maximum) that authorizes connections to brokers.", - "UpdateUserInput$Groups" : "The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.", - "User$Groups" : "The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.", - "UserPendingChanges$Groups" : "The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long." + "BrokerInstance$Endpoints" : "The broker's wire-level protocol endpoints.
", + "BrokerInstanceOption$SupportedEngineVersions" : "The list of supported engine versions.
", + "CreateBrokerInput$SecurityGroups" : "The list of rules (1 minimum, 125 maximum) that authorize connections to brokers.
", + "CreateBrokerInput$SubnetIds" : "The list of groups that define which subnets and IP ranges the broker can use from different Availability Zones. If you specify more than one subnet, the subnets must be in different Availability Zones. Amazon MQ will not be able to create VPC endpoints for your broker with multiple subnets in the same Availability Zone. A SINGLE_INSTANCE deployment requires one subnet (for example, the default subnet). An ACTIVE_STANDBY_MULTI_AZ Amazon MQ for ActiveMQ deployment requires two subnets. A CLUSTER_MULTI_AZ Amazon MQ for RabbitMQ deployment has no subnet requirements when deployed with public accessibility. Deployment without public accessibility requires at least one subnet.
If you specify subnets in a shared VPC for a RabbitMQ broker, the associated VPC to which the specified subnets belong must be owned by your AWS account. Amazon MQ will not be able to create VPC endpoints in VPCs that are not owned by your AWS account.
The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.
", + "DescribeBrokerOutput$PendingSecurityGroups" : "The list of pending security groups to authorize connections to brokers.
", + "DescribeBrokerOutput$SecurityGroups" : "The list of rules (1 minimum, 125 maximum) that authorize connections to brokers.
", + "DescribeBrokerOutput$SubnetIds" : "The list of groups that define which subnets and IP ranges the broker can use from different Availability Zones.
", + "DescribeUserOutput$Groups" : "The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.
", + "LdapServerMetadataInput$Hosts" : "Specifies the location of the LDAP server such as AWS Directory Service for Microsoft Active Directory . Optional failover server.
", + "LdapServerMetadataOutput$Hosts" : "Specifies the location of the LDAP server such as AWS Directory Service for Microsoft Active Directory . Optional failover server.
", + "UpdateBrokerInput$SecurityGroups" : "The list of security groups (1 minimum, 5 maximum) that authorizes connections to brokers.
", + "UpdateBrokerOutput$SecurityGroups" : "The list of security groups (1 minimum, 5 maximum) that authorizes connections to brokers.
", + "UpdateUserInput$Groups" : "The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.
", + "User$Groups" : "The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long. Does not apply to RabbitMQ brokers.
", + "UserPendingChanges$Groups" : "The list of groups (20 maximum) to which the ActiveMQ user belongs. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.
" } }, "__mapOf__string" : { "base" : null, "refs" : { - "Configuration$Tags" : "The list of all tags associated with this configuration.", - "CreateBrokerInput$Tags" : "Create tags when creating the broker.", - "CreateConfigurationInput$Tags" : "Create tags when creating the configuration.", - "DescribeBrokerOutput$Tags" : "The list of all tags associated with this broker.", - "Tags$Tags" : "The key-value pair for the resource tag." + "Configuration$Tags" : "The list of all tags associated with this configuration.
", + "CreateBrokerInput$Tags" : "Create tags when creating the broker.
", + "CreateConfigurationInput$Tags" : "Create tags when creating the configuration.
", + "DescribeBrokerOutput$Tags" : "The list of all tags associated with this broker.
", + "Tags$Tags" : "The key-value pair for the resource tag.
" } }, "__string" : { "base" : null, "refs" : { - "AvailabilityZone$Name" : "Id for the availability zone.", - "BrokerEngineTypeOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.", - "BrokerInstance$ConsoleURL" : "The URL of the broker's Web Console.", - "BrokerInstance$IpAddress" : "The IP address of the Elastic Network Interface (ENI) attached to the broker. Does not apply to RabbitMQ brokers", - "BrokerInstanceOption$HostInstanceType" : "The type of broker instance.", - "BrokerInstanceOptionsOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.", - "BrokerSummary$BrokerArn" : "The Amazon Resource Name (ARN) of the broker.", - "BrokerSummary$BrokerId" : "The unique ID that Amazon MQ generates for the broker.", - "BrokerSummary$BrokerName" : "The name of the broker. This value must be unique in your AWS account, 1-50 characters long, must contain only letters, numbers, dashes, and underscores, and must not contain whitespaces, brackets, wildcard characters, or special characters.", - "BrokerSummary$HostInstanceType" : "The broker's instance type.", - "Configuration$Arn" : "Required. The ARN of the configuration.", - "Configuration$Description" : "Required. The description of the configuration.", - "Configuration$EngineVersion" : "Required. The version of the broker engine. For a list of supported engine versions, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html", - "Configuration$Id" : "Required. The unique ID that Amazon MQ generates for the configuration.", - "Configuration$Name" : "Required. The name of the configuration. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 1-150 characters long.", - "ConfigurationId$Id" : "Required. The unique ID that Amazon MQ generates for the configuration.", - "ConfigurationRevision$Description" : "The description of the configuration revision.", - "CreateBrokerInput$BrokerName" : "Required. The name of the broker. This value must be unique in your AWS account, 1-50 characters long, must contain only letters, numbers, dashes, and underscores, and must not contain whitespaces, brackets, wildcard characters, or special characters.", - "CreateBrokerInput$CreatorRequestId" : "The unique ID that the requester receives for the created broker. Amazon MQ passes your ID with the API action. Note: We recommend using a Universally Unique Identifier (UUID) for the creatorRequestId. You may omit the creatorRequestId if your application doesn't require idempotency.", - "CreateBrokerInput$EngineVersion" : "Required. The version of the broker engine. For a list of supported engine versions, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html", - "CreateBrokerInput$HostInstanceType" : "Required. The broker's instance type.", - "CreateBrokerOutput$BrokerArn" : "The Amazon Resource Name (ARN) of the broker.", - "CreateBrokerOutput$BrokerId" : "The unique ID that Amazon MQ generates for the broker.", - "CreateConfigurationInput$EngineVersion" : "Required. The version of the broker engine. For a list of supported engine versions, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html", - "CreateConfigurationInput$Name" : "Required. The name of the configuration. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 1-150 characters long.", - "CreateConfigurationOutput$Arn" : "Required. The Amazon Resource Name (ARN) of the configuration.", - "CreateConfigurationOutput$Id" : "Required. The unique ID that Amazon MQ generates for the configuration.", - "CreateConfigurationOutput$Name" : "Required. The name of the configuration. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 1-150 characters long.", - "CreateUserInput$Password" : "Required. The password of the user. This value must be at least 12 characters long, must contain at least 4 unique characters, and must not contain commas.", - "DeleteBrokerOutput$BrokerId" : "The unique ID that Amazon MQ generates for the broker.", - "DescribeBrokerOutput$BrokerArn" : "The Amazon Resource Name (ARN) of the broker.", - "DescribeBrokerOutput$BrokerId" : "The unique ID that Amazon MQ generates for the broker.", - "DescribeBrokerOutput$BrokerName" : "The name of the broker. This value must be unique in your AWS account, 1-50 characters long, must contain only letters, numbers, dashes, and underscores, and must not contain whitespaces, brackets, wildcard characters, or special characters.", - "DescribeBrokerOutput$EngineVersion" : "The version of the broker engine. For a list of supported engine versions, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html", - "DescribeBrokerOutput$HostInstanceType" : "The broker's instance type.", - "DescribeBrokerOutput$PendingEngineVersion" : "The version of the broker engine to upgrade to. For a list of supported engine versions, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html", - "DescribeBrokerOutput$PendingHostInstanceType" : "The host instance type of the broker to upgrade to. For a list of supported instance types, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide//broker.html#broker-instance-types", - "DescribeConfigurationRevisionOutput$ConfigurationId" : "Required. The unique ID that Amazon MQ generates for the configuration.", - "DescribeConfigurationRevisionOutput$Data" : "Required. The base64-encoded XML configuration.", - "DescribeConfigurationRevisionOutput$Description" : "The description of the configuration.", - "DescribeUserOutput$BrokerId" : "Required. The unique ID that Amazon MQ generates for the broker.", - "DescribeUserOutput$Username" : "Required. The username of the ActiveMQ user. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.", - "EncryptionOptions$KmsKeyId" : "The symmetric customer master key (CMK) to use for the AWS Key Management Service (KMS). This key is used to encrypt your data at rest. If not provided, Amazon MQ will use a default CMK to encrypt your data.", - "EngineVersion$Name" : "Id for the version.", - "Error$ErrorAttribute" : "The attribute which caused the error.", - "Error$Message" : "The explanation of the error.", - "LdapServerMetadataInput$RoleBase" : "Fully qualified name of the directory to search for a user’s groups.", - "LdapServerMetadataInput$RoleName" : "Specifies the LDAP attribute that identifies the group name attribute in the object returned from the group membership query.", - "LdapServerMetadataInput$RoleSearchMatching" : "The search criteria for groups.", - "LdapServerMetadataInput$ServiceAccountPassword" : "Service account password.", - "LdapServerMetadataInput$ServiceAccountUsername" : "Service account username.", - "LdapServerMetadataInput$UserBase" : "Fully qualified name of the directory where you want to search for users.", - "LdapServerMetadataInput$UserRoleName" : "Specifies the name of the LDAP attribute for the user group membership.", - "LdapServerMetadataInput$UserSearchMatching" : "The search criteria for users.", - "LdapServerMetadataOutput$RoleBase" : "Fully qualified name of the directory to search for a user’s groups.", - "LdapServerMetadataOutput$RoleName" : "Specifies the LDAP attribute that identifies the group name attribute in the object returned from the group membership query.", - "LdapServerMetadataOutput$RoleSearchMatching" : "The search criteria for groups.", - "LdapServerMetadataOutput$ServiceAccountUsername" : "Service account username.", - "LdapServerMetadataOutput$UserBase" : "Fully qualified name of the directory where you want to search for users.", - "LdapServerMetadataOutput$UserRoleName" : "Specifies the name of the LDAP attribute for the user group membership.", - "LdapServerMetadataOutput$UserSearchMatching" : "The search criteria for users.", - "ListBrokersOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.", - "ListConfigurationRevisionsOutput$ConfigurationId" : "The unique ID that Amazon MQ generates for the configuration.", - "ListConfigurationRevisionsOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.", - "ListConfigurationsOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.", - "ListUsersOutput$BrokerId" : "Required. The unique ID that Amazon MQ generates for the broker.", - "ListUsersOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.", - "LogsSummary$AuditLogGroup" : "The location of the CloudWatch Logs log group where audit logs are sent.", - "LogsSummary$GeneralLogGroup" : "The location of the CloudWatch Logs log group where general logs are sent.", - "SanitizationWarning$AttributeName" : "The name of the XML attribute that has been sanitized.", - "SanitizationWarning$ElementName" : "The name of the XML element that has been sanitized.", - "UpdateBrokerInput$EngineVersion" : "The version of the broker engine. For a list of supported engine versions, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html", - "UpdateBrokerInput$HostInstanceType" : "The host instance type of the broker to upgrade to. For a list of supported instance types, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide//broker.html#broker-instance-types", - "UpdateBrokerOutput$BrokerId" : "Required. The unique ID that Amazon MQ generates for the broker.", - "UpdateBrokerOutput$EngineVersion" : "The version of the broker engine to upgrade to. For a list of supported engine versions, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/broker-engine.html", - "UpdateBrokerOutput$HostInstanceType" : "The host instance type of the broker to upgrade to. For a list of supported instance types, see https://docs.aws.amazon.com/amazon-mq/latest/developer-guide//broker.html#broker-instance-types", - "UpdateConfigurationInput$Data" : "Required. The base64-encoded XML configuration.", - "UpdateConfigurationInput$Description" : "The description of the configuration.", - "UpdateConfigurationOutput$Arn" : "Required. The Amazon Resource Name (ARN) of the configuration.", - "UpdateConfigurationOutput$Id" : "Required. The unique ID that Amazon MQ generates for the configuration.", - "UpdateConfigurationOutput$Name" : "Required. The name of the configuration. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 1-150 characters long.", - "UpdateUserInput$Password" : "The password of the user. This value must be at least 12 characters long, must contain at least 4 unique characters, and must not contain commas.", - "User$Password" : "Required. The password of the broker user. This value must be at least 12 characters long, must contain at least 4 unique characters, and must not contain commas.", - "User$Username" : "Required. The username of the broker user. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.", - "UserSummary$Username" : "Required. The username of the broker user. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.", - "WeeklyStartTime$TimeOfDay" : "Required. The time, in 24-hour format.", - "WeeklyStartTime$TimeZone" : "The time zone, UTC by default, in either the Country/City format, or the UTC offset format.", + "AvailabilityZone$Name" : "Id for the availability zone.
", + "BrokerEngineTypeOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.
", + "BrokerInstance$ConsoleURL" : "The brokers web console URL.
", + "BrokerInstance$IpAddress" : "The IP address of the Elastic Network Interface (ENI) attached to the broker. Does not apply to RabbitMQ brokers.
", + "BrokerInstanceOption$HostInstanceType" : "The broker's instance type.
", + "BrokerInstanceOptionsOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.
", + "BrokerSummary$BrokerArn" : "The broker's Amazon Resource Name (ARN).
", + "BrokerSummary$BrokerId" : "The unique ID that Amazon MQ generates for the broker.
", + "BrokerSummary$BrokerName" : "The broker's name. This value is unique in your AWS account, 1-50 characters long, and containing only letters, numbers, dashes, and underscores, and must not contain white spaces, brackets, wildcard characters, or special characters.
", + "BrokerSummary$HostInstanceType" : "The broker's instance type.
", + "Configuration$Arn" : "Required. The ARN of the configuration.
", + "Configuration$Description" : "Required. The description of the configuration.
", + "Configuration$EngineVersion" : "Required. The broker engine's version. For a list of supported engine versions, see, Supported engines.
", + "Configuration$Id" : "Required. The unique ID that Amazon MQ generates for the configuration.
", + "Configuration$Name" : "Required. The name of the configuration. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 1-150 characters long.
", + "ConfigurationId$Id" : "Required. The unique ID that Amazon MQ generates for the configuration.
", + "ConfigurationRevision$Description" : "The description of the configuration revision.
", + "CreateBrokerInput$BrokerName" : "Required. The broker's name. This value must be unique in your AWS account, 1-50 characters long, must contain only letters, numbers, dashes, and underscores, and must not contain white spaces, brackets, wildcard characters, or special characters.
", + "CreateBrokerInput$CreatorRequestId" : "The unique ID that the requester receives for the created broker. Amazon MQ passes your ID with the API action. Note: We recommend using a Universally Unique Identifier (UUID) for the creatorRequestId. You may omit the creatorRequestId if your application doesn't require idempotency.
", + "CreateBrokerInput$EngineVersion" : "Required. The broker engine's version. For a list of supported engine versions, see Supported engines.
", + "CreateBrokerInput$HostInstanceType" : "Required. The broker's instance type.
", + "CreateBrokerOutput$BrokerArn" : "The broker's Amazon Resource Name (ARN).
", + "CreateBrokerOutput$BrokerId" : "The unique ID that Amazon MQ generates for the broker.
", + "CreateConfigurationInput$EngineVersion" : "Required. The broker engine's version. For a list of supported engine versions, see Supported engines.
", + "CreateConfigurationInput$Name" : "Required. The name of the configuration. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 1-150 characters long.
", + "CreateConfigurationOutput$Arn" : "Required. The Amazon Resource Name (ARN) of the configuration.
", + "CreateConfigurationOutput$Id" : "Required. The unique ID that Amazon MQ generates for the configuration.
", + "CreateConfigurationOutput$Name" : "Required. The name of the configuration. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 1-150 characters long.
", + "CreateUserInput$Password" : "Required. The password of the user. This value must be at least 12 characters long, must contain at least 4 unique characters, and must not contain commas, colons, or equal signs (,:=).
", + "DeleteBrokerOutput$BrokerId" : "The unique ID that Amazon MQ generates for the broker.
", + "DescribeBrokerOutput$BrokerArn" : "The broker's Amazon Resource Name (ARN).
", + "DescribeBrokerOutput$BrokerId" : "The unique ID that Amazon MQ generates for the broker.
", + "DescribeBrokerOutput$BrokerName" : "The broker's name. This value must be unique in your AWS account, 1-50 characters long, must contain only letters, numbers, dashes, and underscores, and must not contain white spaces, brackets, wildcard characters, or special characters.
", + "DescribeBrokerOutput$EngineVersion" : "The broker engine's version. For a list of supported engine versions, see Supported engines.
", + "DescribeBrokerOutput$HostInstanceType" : "The broker's instance type.
", + "DescribeBrokerOutput$PendingEngineVersion" : "The broker engine version to upgrade to. For a list of supported engine versions, see Supported engines.
", + "DescribeBrokerOutput$PendingHostInstanceType" : "The broker's host instance type to upgrade to. For a list of supported instance types, see Broker instance types.
", + "DescribeConfigurationRevisionOutput$ConfigurationId" : "Required. The unique ID that Amazon MQ generates for the configuration.
", + "DescribeConfigurationRevisionOutput$Data" : "Required. The base64-encoded XML configuration.
", + "DescribeConfigurationRevisionOutput$Description" : "The description of the configuration.
", + "DescribeUserOutput$BrokerId" : "Required. The unique ID that Amazon MQ generates for the broker.
", + "DescribeUserOutput$Username" : "Required. The username of the ActiveMQ user. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.
", + "EncryptionOptions$KmsKeyId" : "The customer master key (CMK) to use for the AWS Key Management Service (KMS). This key is used to encrypt your data at rest. If not provided, Amazon MQ will use a default CMK to encrypt your data.
", + "EngineVersion$Name" : "Id for the version.
", + "Error$ErrorAttribute" : "The attribute which caused the error.
", + "Error$Message" : "The explanation of the error.
", + "LdapServerMetadataInput$RoleBase" : "The distinguished name of the node in the directory information tree (DIT) to search for roles or groups. For example, ou=group, ou=corp, dc=corp,\n dc=example, dc=com.
", + "LdapServerMetadataInput$RoleName" : "Specifies the LDAP attribute that identifies the group name attribute in the object returned from the group membership query.
", + "LdapServerMetadataInput$RoleSearchMatching" : "The LDAP search filter used to find roles within the roleBase. The distinguished name of the user matched by userSearchMatching is substituted into the {0} placeholder in the search filter. The client's username is substituted into the {1} placeholder. For example, if you set this option to (member=uid={1})for the user janedoe, the search filter becomes (member=uid=janedoe) after string substitution. It matches all role entries that have a member attribute equal to uid=janedoe under the subtree selected by the roleBase.
", + "LdapServerMetadataInput$ServiceAccountPassword" : "Service account password. A service account is an account in your LDAP server that has access to initiate a connection. For example, cn=admin,dc=corp, dc=example,\n dc=com.
", + "LdapServerMetadataInput$ServiceAccountUsername" : "Service account username. A service account is an account in your LDAP server that has access to initiate a connection. For example, cn=admin,dc=corp, dc=example,\n dc=com.
", + "LdapServerMetadataInput$UserBase" : "Select a particular subtree of the directory information tree (DIT) to search for user entries. The subtree is specified by a DN, which specifies the base node of the subtree. For example, by setting this option to ou=Users,ou=corp, dc=corp,\n dc=example, dc=com, the search for user entries is restricted to the subtree beneath ou=Users, ou=corp, dc=corp, dc=example, dc=com.
", + "LdapServerMetadataInput$UserRoleName" : "Specifies the name of the LDAP attribute for the user group membership.
", + "LdapServerMetadataInput$UserSearchMatching" : "The LDAP search filter used to find users within the userBase. The client's username is substituted into the {0} placeholder in the search filter. For example, if this option is set to (uid={0}) and the received username is janedoe, the search filter becomes (uid=janedoe) after string substitution. It will result in matching an entry like uid=janedoe, ou=Users,ou=corp, dc=corp, dc=example,\n dc=com.
", + "LdapServerMetadataOutput$RoleBase" : "The distinguished name of the node in the directory information tree (DIT) to search for roles or groups. For example, ou=group, ou=corp, dc=corp,\n dc=example, dc=com.
", + "LdapServerMetadataOutput$RoleName" : "Specifies the LDAP attribute that identifies the group name attribute in the object returned from the group membership query.
", + "LdapServerMetadataOutput$RoleSearchMatching" : "The LDAP search filter used to find roles within the roleBase. The distinguished name of the user matched by userSearchMatching is substituted into the {0} placeholder in the search filter. The client's username is substituted into the {1} placeholder. For example, if you set this option to (member=uid={1})for the user janedoe, the search filter becomes (member=uid=janedoe) after string substitution. It matches all role entries that have a member attribute equal to uid=janedoe under the subtree selected by the roleBase.
", + "LdapServerMetadataOutput$ServiceAccountUsername" : "Service account username. A service account is an account in your LDAP server that has access to initiate a connection. For example, cn=admin,dc=corp, dc=example,\n dc=com.
", + "LdapServerMetadataOutput$UserBase" : "Select a particular subtree of the directory information tree (DIT) to search for user entries. The subtree is specified by a DN, which specifies the base node of the subtree. For example, by setting this option to ou=Users,ou=corp, dc=corp,\n dc=example, dc=com, the search for user entries is restricted to the subtree beneath ou=Users, ou=corp, dc=corp, dc=example, dc=com.
", + "LdapServerMetadataOutput$UserRoleName" : "Specifies the name of the LDAP attribute for the user group membership.
", + "LdapServerMetadataOutput$UserSearchMatching" : "The LDAP search filter used to find users within the userBase. The client's username is substituted into the {0} placeholder in the search filter. For example, if this option is set to (uid={0}) and the received username is janedoe, the search filter becomes (uid=janedoe) after string substitution. It will result in matching an entry like uid=janedoe, ou=Users,ou=corp, dc=corp, dc=example,\n dc=com.
", + "ListBrokersOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.
", + "ListConfigurationRevisionsOutput$ConfigurationId" : "The unique ID that Amazon MQ generates for the configuration.
", + "ListConfigurationRevisionsOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.
", + "ListConfigurationsOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.
", + "ListUsersOutput$BrokerId" : "Required. The unique ID that Amazon MQ generates for the broker.
", + "ListUsersOutput$NextToken" : "The token that specifies the next page of results Amazon MQ should return. To request the first page, leave nextToken empty.
", + "LogsSummary$AuditLogGroup" : "The location of the CloudWatch Logs log group where audit logs are sent.
", + "LogsSummary$GeneralLogGroup" : "The location of the CloudWatch Logs log group where general logs are sent.
", + "SanitizationWarning$AttributeName" : "The name of the XML attribute that has been sanitized.
", + "SanitizationWarning$ElementName" : "The name of the XML element that has been sanitized.
", + "UpdateBrokerInput$EngineVersion" : "The broker engine version. For a list of supported engine versions, see Supported engines.
", + "UpdateBrokerInput$HostInstanceType" : "The broker's host instance type to upgrade to. For a list of supported instance types, see Broker instance types.
", + "UpdateBrokerOutput$BrokerId" : "Required. The unique ID that Amazon MQ generates for the broker.
", + "UpdateBrokerOutput$EngineVersion" : "The broker engine version to upgrade to. For a list of supported engine versions, see Supported engines.
", + "UpdateBrokerOutput$HostInstanceType" : "The broker's host instance type to upgrade to. For a list of supported instance types, see Broker instance types.
", + "UpdateConfigurationInput$Data" : "Required. The base64-encoded XML configuration.
", + "UpdateConfigurationInput$Description" : "The description of the configuration.
", + "UpdateConfigurationOutput$Arn" : "Required. The Amazon Resource Name (ARN) of the configuration.
", + "UpdateConfigurationOutput$Id" : "Required. The unique ID that Amazon MQ generates for the configuration.
", + "UpdateConfigurationOutput$Name" : "Required. The name of the configuration. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 1-150 characters long.
", + "UpdateUserInput$Password" : "The password of the user. This value must be at least 12 characters long, must contain at least 4 unique characters, and must not contain commas, colons, or equal signs (,:=).
", + "User$Password" : "Required. The password of the user. This value must be at least 12 characters long, must contain at least 4 unique characters, and must not contain commas, colons, or equal signs (,:=).
", + "User$Username" : "important>
For RabbitMQ brokers, this value can contain only alphanumeric characters, dashes, periods, underscores (- . _). This value must not contain a tilde (~) character. Amazon MQ prohibts using guest as a valid usename. This value must be 2-100 characters long.
Required. The username of the broker user. This value can contain only alphanumeric characters, dashes, periods, underscores, and tildes (- . _ ~). This value must be 2-100 characters long.
", + "WeeklyStartTime$TimeOfDay" : "Required. The time, in 24-hour format.
", + "WeeklyStartTime$TimeZone" : "The time zone, UTC by default, in either the Country/City format, or the UTC offset format.
", "__listOf__string$member" : null, "__mapOf__string$member" : null } @@ -598,13 +600,13 @@ "__timestampIso8601" : { "base" : null, "refs" : { - "BrokerSummary$Created" : "The time when the broker was created.", - "Configuration$Created" : "Required. The date and time of the configuration revision.", - "ConfigurationRevision$Created" : "Required. The date and time of the configuration revision.", - "CreateConfigurationOutput$Created" : "Required. The date and time of the configuration.", - "DescribeBrokerOutput$Created" : "The time when the broker was created.", - "DescribeConfigurationRevisionOutput$Created" : "Required. The date and time of the configuration.", - "UpdateConfigurationOutput$Created" : "Required. The date and time of the configuration." + "BrokerSummary$Created" : "The time when the broker was created.
", + "Configuration$Created" : "Required. The date and time of the configuration revision.
", + "ConfigurationRevision$Created" : "Required. The date and time of the configuration revision.
", + "CreateConfigurationOutput$Created" : "Required. The date and time of the configuration.
", + "DescribeBrokerOutput$Created" : "The time when the broker was created.
", + "DescribeConfigurationRevisionOutput$Created" : "Required. The date and time of the configuration.
", + "UpdateConfigurationOutput$Created" : "Required. The date and time of the configuration.
" } } } diff --git a/models/apis/storagegateway/2013-06-30/api-2.json b/models/apis/storagegateway/2013-06-30/api-2.json index e2e20437e6f..e41de6d0bfc 100644 --- a/models/apis/storagegateway/2013-06-30/api-2.json +++ b/models/apis/storagegateway/2013-06-30/api-2.json @@ -1318,7 +1318,8 @@ "LocationARN":{"shape":"FileSystemLocationARN"}, "Tags":{"shape":"Tags"}, "AuditDestinationARN":{"shape":"AuditDestinationARN"}, - "CacheAttributes":{"shape":"CacheAttributes"} + "CacheAttributes":{"shape":"CacheAttributes"}, + "EndpointNetworkConfiguration":{"shape":"EndpointNetworkConfiguration"} } }, "AssociateFileSystemOutput":{ @@ -1591,7 +1592,9 @@ "Tags":{"shape":"Tags"}, "FileShareName":{"shape":"FileShareName"}, "CacheAttributes":{"shape":"CacheAttributes"}, - "NotificationPolicy":{"shape":"NotificationPolicy"} + "NotificationPolicy":{"shape":"NotificationPolicy"}, + "VPCEndpointDNSName":{"shape":"DNSHostName"}, + "BucketRegion":{"shape":"RegionId"} } }, "CreateNFSFileShareOutput":{ @@ -1631,7 +1634,10 @@ "Tags":{"shape":"Tags"}, "FileShareName":{"shape":"FileShareName"}, "CacheAttributes":{"shape":"CacheAttributes"}, - "NotificationPolicy":{"shape":"NotificationPolicy"} + "NotificationPolicy":{"shape":"NotificationPolicy"}, + "VPCEndpointDNSName":{"shape":"DNSHostName"}, + "BucketRegion":{"shape":"RegionId"}, + "OplocksEnabled":{"shape":"Boolean"} } }, "CreateSMBFileShareOutput":{ @@ -1781,6 +1787,12 @@ } }, "CreatedDate":{"type":"timestamp"}, + "DNSHostName":{ + "type":"string", + "max":255, + "min":1, + "pattern":"^(([a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.)*([A-Za-z0-9\\-]*[A-Za-z0-9])$" + }, "DayOfMonth":{ "type":"integer", "max":28, @@ -2077,7 +2089,9 @@ "HostEnvironment":{"shape":"HostEnvironment"}, "EndpointType":{"shape":"EndpointType"}, "SoftwareUpdatesEndDate":{"shape":"SoftwareUpdatesEndDate"}, - "DeprecationDate":{"shape":"DeprecationDate"} + "DeprecationDate":{"shape":"DeprecationDate"}, + "GatewayCapacity":{"shape":"GatewayCapacity"}, + "SupportedGatewayCapacities":{"shape":"SupportedGatewayCapacities"} } }, "DescribeMaintenanceStartTimeInput":{ @@ -2396,6 +2410,12 @@ "DoubleObject":{"type":"double"}, "Ec2InstanceId":{"type":"string"}, "Ec2InstanceRegion":{"type":"string"}, + "EndpointNetworkConfiguration":{ + "type":"structure", + "members":{ + "IpAddresses":{"shape":"IpAddressList"} + } + }, "EndpointType":{ "type":"string", "max":8, @@ -2546,7 +2566,8 @@ "AuditDestinationARN":{"shape":"AuditDestinationARN"}, "GatewayARN":{"shape":"GatewayARN"}, "Tags":{"shape":"Tags"}, - "CacheAttributes":{"shape":"CacheAttributes"} + "CacheAttributes":{"shape":"CacheAttributes"}, + "EndpointNetworkConfiguration":{"shape":"EndpointNetworkConfiguration"} } }, "FileSystemAssociationInfoList":{ @@ -2592,6 +2613,14 @@ "max":500, "min":50 }, + "GatewayCapacity":{ + "type":"string", + "enum":[ + "Small", + "Medium", + "Large" + ] + }, "GatewayId":{ "type":"string", "max":30, @@ -2668,6 +2697,12 @@ "max":23, "min":0 }, + "IPV4Address":{ + "type":"string", + "max":15, + "min":7, + "pattern":"^((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\\.(?!$)|$)){4}" + }, "IPV4AddressCIDR":{ "type":"string", "pattern":"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?$" @@ -2697,6 +2732,12 @@ }, "exception":true }, + "IpAddressList":{ + "type":"list", + "member":{"shape":"IPV4Address"}, + "max":1, + "min":0 + }, "IqnName":{ "type":"string", "max":255, @@ -2965,7 +3006,9 @@ "Tags":{"shape":"Tags"}, "FileShareName":{"shape":"FileShareName"}, "CacheAttributes":{"shape":"CacheAttributes"}, - "NotificationPolicy":{"shape":"NotificationPolicy"} + "NotificationPolicy":{"shape":"NotificationPolicy"}, + "VPCEndpointDNSName":{"shape":"DNSHostName"}, + "BucketRegion":{"shape":"RegionId"} } }, "NFSFileShareInfoList":{ @@ -3236,7 +3279,10 @@ "Tags":{"shape":"Tags"}, "FileShareName":{"shape":"FileShareName"}, "CacheAttributes":{"shape":"CacheAttributes"}, - "NotificationPolicy":{"shape":"NotificationPolicy"} + "NotificationPolicy":{"shape":"NotificationPolicy"}, + "VPCEndpointDNSName":{"shape":"DNSHostName"}, + "BucketRegion":{"shape":"RegionId"}, + "OplocksEnabled":{"shape":"Boolean"} } }, "SMBFileShareInfoList":{ @@ -3394,6 +3440,10 @@ "type":"list", "member":{"shape":"StorediSCSIVolume"} }, + "SupportedGatewayCapacities":{ + "type":"list", + "member":{"shape":"GatewayCapacity"} + }, "Tag":{ "type":"structure", "required":[ @@ -3647,7 +3697,8 @@ "GatewayARN":{"shape":"GatewayARN"}, "GatewayName":{"shape":"GatewayName"}, "GatewayTimezone":{"shape":"GatewayTimezone"}, - "CloudWatchLogGroupARN":{"shape":"CloudWatchLogGroupARN"} + "CloudWatchLogGroupARN":{"shape":"CloudWatchLogGroupARN"}, + "GatewayCapacity":{"shape":"GatewayCapacity"} } }, "UpdateGatewayInformationOutput":{ @@ -3738,7 +3789,8 @@ "CaseSensitivity":{"shape":"CaseSensitivity"}, "FileShareName":{"shape":"FileShareName"}, "CacheAttributes":{"shape":"CacheAttributes"}, - "NotificationPolicy":{"shape":"NotificationPolicy"} + "NotificationPolicy":{"shape":"NotificationPolicy"}, + "OplocksEnabled":{"shape":"Boolean"} } }, "UpdateSMBFileShareOutput":{ diff --git a/models/apis/storagegateway/2013-06-30/docs-2.json b/models/apis/storagegateway/2013-06-30/docs-2.json index 2b1d6a6df66..72bc107f084 100644 --- a/models/apis/storagegateway/2013-06-30/docs-2.json +++ b/models/apis/storagegateway/2013-06-30/docs-2.json @@ -1,22 +1,22 @@ { "version": "2.0", - "service": "AWS Storage Gateway is the service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and the AWS storage infrastructure. The service enables you to securely upload data to the AWS Cloud for cost effective backup and rapid disaster recovery.
Use the following links to get started using the AWS Storage Gateway Service API Reference:
AWS Storage Gateway required request headers: Describes the required headers that you must send with every POST request to AWS Storage Gateway.
Signing requests: AWS Storage Gateway requires that you authenticate every request you send; this topic describes how sign such a request.
Error responses: Provides reference information about AWS Storage Gateway errors.
Operations in AWS Storage Gateway: Contains detailed descriptions of all AWS Storage Gateway operations, their request parameters, response elements, possible errors, and examples of requests and responses.
AWS Storage Gateway endpoints and quotas: Provides a list of each AWS Region and the endpoints available for use with AWS Storage Gateway.
AWS Storage Gateway resource IDs are in uppercase. When you use these resource IDs with the Amazon EC2 API, EC2 expects resource IDs in lowercase. You must change your resource ID to lowercase to use it with the EC2 API. For example, in Storage Gateway the ID for a volume might be vol-AA22BB012345DAF670. When you use this ID with the EC2 API, you must change it to vol-aa22bb012345daf670. Otherwise, the EC2 API might not behave as expected.
IDs for Storage Gateway volumes and Amazon EBS snapshots created from gateway volumes are changing to a longer format. Starting in December 2016, all new volumes and snapshots will be created with a 17-character string. Starting in April 2016, you will be able to use these longer IDs so you can test your systems with the new format. For more information, see Longer EC2 and EBS resource IDs.
For example, a volume Amazon Resource Name (ARN) with the longer volume ID format looks like the following:
arn:aws:storagegateway:us-west-2:111122223333:gateway/sgw-12A3456B/volume/vol-1122AABBCCDDEEFFG.
A snapshot ID with the longer ID format looks like the following: snap-78e226633445566ee.
For more information, see Announcement: Heads-up – Longer AWS Storage Gateway volume and snapshot IDs coming in 2016.
Storage Gateway is the service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and the Amazon Web Services storage infrastructure. The service enables you to securely upload data to the Cloud for cost effective backup and rapid disaster recovery.
Use the following links to get started using the Storage Gateway Service API Reference:
Storage Gateway required request headers: Describes the required headers that you must send with every POST request to Storage Gateway.
Signing requests: Storage Gateway requires that you authenticate every request you send; this topic describes how sign such a request.
Error responses: Provides reference information about Storage Gateway errors.
Operations in Storage Gateway: Contains detailed descriptions of all Storage Gateway operations, their request parameters, response elements, possible errors, and examples of requests and responses.
Storage Gateway endpoints and quotas: Provides a list of each Region and the endpoints available for use with Storage Gateway.
Storage Gateway resource IDs are in uppercase. When you use these resource IDs with the Amazon EC2 API, EC2 expects resource IDs in lowercase. You must change your resource ID to lowercase to use it with the EC2 API. For example, in Storage Gateway the ID for a volume might be vol-AA22BB012345DAF670. When you use this ID with the EC2 API, you must change it to vol-aa22bb012345daf670. Otherwise, the EC2 API might not behave as expected.
IDs for Storage Gateway volumes and Amazon EBS snapshots created from gateway volumes are changing to a longer format. Starting in December 2016, all new volumes and snapshots will be created with a 17-character string. Starting in April 2016, you will be able to use these longer IDs so you can test your systems with the new format. For more information, see Longer EC2 and EBS resource IDs.
For example, a volume Amazon Resource Name (ARN) with the longer volume ID format looks like the following:
arn:aws:storagegateway:us-west-2:111122223333:gateway/sgw-12A3456B/volume/vol-1122AABBCCDDEEFFG.
A snapshot ID with the longer ID format looks like the following: snap-78e226633445566ee.
For more information, see Announcement: Heads-up – Longer Storage Gateway volume and snapshot IDs coming in 2016.
Activates the gateway you previously deployed on your host. In the activation process, you specify information such as the AWS Region that you want to use for storing snapshots or tapes, the time zone for scheduled snapshots the gateway snapshot schedule window, an activation key, and a name for your gateway. The activation process also associates your gateway with your account. For more information, see UpdateGatewayInformation.
You must turn on the gateway VM before you can activate your gateway.
Configures one or more gateway local disks as cache for a gateway. This operation is only supported in the cached volume, tape, and file gateway type (see How AWS Storage Gateway works (architecture).
In the request, you specify the gateway Amazon Resource Name (ARN) to which you want to add cache, and one or more disk IDs that you want to configure as cache.
", - "AddTagsToResource": "Adds one or more tags to the specified resource. You use tags to add metadata to resources, which you can use to categorize these resources. For example, you can categorize resources by purpose, owner, environment, or team. Each tag consists of a key and a value, which you define. You can add tags to the following AWS Storage Gateway resources:
Storage gateways of all types
Storage volumes
Virtual tapes
NFS and SMB file shares
You can create a maximum of 50 tags for each resource. Virtual tapes and storage volumes that are recovered to a new gateway maintain their tags.
", + "ActivateGateway": "Activates the gateway you previously deployed on your host. In the activation process, you specify information such as the Region that you want to use for storing snapshots or tapes, the time zone for scheduled snapshots the gateway snapshot schedule window, an activation key, and a name for your gateway. The activation process also associates your gateway with your account. For more information, see UpdateGatewayInformation.
You must turn on the gateway VM before you can activate your gateway.
Configures one or more gateway local disks as cache for a gateway. This operation is only supported in the cached volume, tape, and file gateway type (see How Storage Gateway works (architecture).
In the request, you specify the gateway Amazon Resource Name (ARN) to which you want to add cache, and one or more disk IDs that you want to configure as cache.
", + "AddTagsToResource": "Adds one or more tags to the specified resource. You use tags to add metadata to resources, which you can use to categorize these resources. For example, you can categorize resources by purpose, owner, environment, or team. Each tag consists of a key and a value, which you define. You can add tags to the following Storage Gateway resources:
Storage gateways of all types
Storage volumes
Virtual tapes
NFS and SMB file shares
File System associations
You can create a maximum of 50 tags for each resource. Virtual tapes and storage volumes that are recovered to a new gateway maintain their tags.
", "AddUploadBuffer": "Configures one or more gateway local disks as upload buffer for a specified gateway. This operation is supported for the stored volume, cached volume, and tape gateway types.
In the request, you specify the gateway Amazon Resource Name (ARN) to which you want to add upload buffer, and one or more disk IDs that you want to configure as upload buffer.
", "AddWorkingStorage": "Configures one or more gateway local disks as working storage for a gateway. This operation is only supported in the stored volume gateway type. This operation is deprecated in cached volume API version 20120630. Use AddUploadBuffer instead.
Working storage is also referred to as upload buffer. You can also use the AddUploadBuffer operation to add upload buffer to a stored volume gateway.
In the request, you specify the gateway Amazon Resource Name (ARN) to which you want to add working storage, and one or more disk IDs that you want to configure as working storage.
", "AssignTapePool": "Assigns a tape to a tape pool for archiving. The tape assigned to a pool is archived in the S3 storage class that is associated with the pool. When you use your backup application to eject the tape, the tape is archived directly into the S3 storage class (S3 Glacier or S3 Glacier Deep Archive) that corresponds to the pool.
Valid Values: GLACIER | DEEP_ARCHIVE
Associate an Amazon FSx file system with the Amazon FSx file gateway. After the association process is complete, the file shares on the Amazon FSx file system are available for access through the gateway. This operation only supports the Amazon FSx file gateway type.
", + "AssociateFileSystem": "Associate an Amazon FSx file system with the FSx File Gateway. After the association process is complete, the file shares on the Amazon FSx file system are available for access through the gateway. This operation only supports the FSx File Gateway type.
", "AttachVolume": "Connects a volume to an iSCSI connection and then attaches the volume to the specified gateway. Detaching and attaching a volume enables you to recover your data from one gateway to a different gateway without creating a snapshot. It also makes it easier to move your volumes from an on-premises gateway to a gateway hosted on an Amazon EC2 instance.
", "CancelArchival": "Cancels archiving of a virtual tape to the virtual tape shelf (VTS) after the archiving process is initiated. This operation is only supported in the tape gateway type.
", "CancelRetrieval": "Cancels retrieval of a virtual tape from the virtual tape shelf (VTS) to a gateway after the retrieval process is initiated. The virtual tape is returned to the VTS. This operation is only supported in the tape gateway type.
", "CreateCachediSCSIVolume": "Creates a cached volume on a specified cached volume gateway. This operation is only supported in the cached volume gateway type.
Cache storage must be allocated to the gateway before you can create a cached volume. Use the AddCache operation to add cache storage to a gateway.
In the request, you must specify the gateway, size of the volume in bytes, the iSCSI target name, an IP address on which to expose the target, and a unique client token. In response, the gateway creates the volume and returns information about it. This information includes the volume Amazon Resource Name (ARN), its size, and the iSCSI target ARN that initiators can use to connect to the volume target.
Optionally, you can provide the ARN for an existing volume as the SourceVolumeARN for this cached volume, which creates an exact copy of the existing volume’s latest recovery point. The VolumeSizeInBytes value must be equal to or larger than the size of the copied volume, in bytes.
Creates a Network File System (NFS) file share on an existing file gateway. In Storage Gateway, a file share is a file system mount point backed by Amazon S3 cloud storage. Storage Gateway exposes file shares using an NFS interface. This operation is only supported for file gateways.
File gateway requires AWS Security Token Service (AWS STS) to be activated to enable you to create a file share. Make sure AWS STS is activated in the AWS Region you are creating your file gateway in. If AWS STS is not activated in the AWS Region, activate it. For information about how to activate AWS STS, see Activating and deactivating AWS STS in an AWS Region in the AWS Identity and Access Management User Guide.
File gateway does not support creating hard or symbolic links on a file share.
Creates a Server Message Block (SMB) file share on an existing file gateway. In Storage Gateway, a file share is a file system mount point backed by Amazon S3 cloud storage. Storage Gateway exposes file shares using an SMB interface. This operation is only supported for file gateways.
File gateways require AWS Security Token Service (AWS STS) to be activated to enable you to create a file share. Make sure that AWS STS is activated in the AWS Region you are creating your file gateway in. If AWS STS is not activated in this AWS Region, activate it. For information about how to activate AWS STS, see Activating and deactivating AWS STS in an AWS Region in the AWS Identity and Access Management User Guide.
File gateways don't support creating hard or symbolic links on a file share.
Initiates a snapshot of a volume.
AWS Storage Gateway provides the ability to back up point-in-time snapshots of your data to Amazon Simple Storage (Amazon S3) for durable off-site recovery, and also import the data to an Amazon Elastic Block Store (EBS) volume in Amazon Elastic Compute Cloud (EC2). You can take snapshots of your gateway volume on a scheduled or ad hoc basis. This API enables you to take an ad hoc snapshot. For more information, see Editing a snapshot schedule.
In the CreateSnapshot request, you identify the volume by providing its Amazon Resource Name (ARN). You must also provide description for the snapshot. When AWS Storage Gateway takes the snapshot of specified volume, the snapshot and description appears in the AWS Storage Gateway console. In response, AWS Storage Gateway returns you a snapshot ID. You can use this snapshot ID to check the snapshot progress or later use it when you want to create a volume from a snapshot. This operation is only supported in stored and cached volume gateway type.
To list or delete a snapshot, you must use the Amazon EC2 API. For more information, see DescribeSnapshots or DeleteSnapshot in the Amazon Elastic Compute Cloud API Reference.
Volume and snapshot IDs are changing to a longer length ID format. For more information, see the important note on the Welcome page.
Initiates a snapshot of a gateway from a volume recovery point. This operation is only supported in the cached volume gateway type.
A volume recovery point is a point in time at which all data of the volume is consistent and from which you can create a snapshot. To get a list of volume recovery point for cached volume gateway, use ListVolumeRecoveryPoints.
In the CreateSnapshotFromVolumeRecoveryPoint request, you identify the volume by providing its Amazon Resource Name (ARN). You must also provide a description for the snapshot. When the gateway takes a snapshot of the specified volume, the snapshot and its description appear in the AWS Storage Gateway console. In response, the gateway returns you a snapshot ID. You can use this snapshot ID to check the snapshot progress or later use it when you want to create a volume from a snapshot.
To list or delete a snapshot, you must use the Amazon EC2 API. For more information, see DescribeSnapshots or DeleteSnapshot in the Amazon Elastic Compute Cloud API Reference.
Creates a Network File System (NFS) file share on an existing S3 File Gateway. In Storage Gateway, a file share is a file system mount point backed by Amazon S3 cloud storage. Storage Gateway exposes file shares using an NFS interface. This operation is only supported for S3 File Gateways.
S3 File gateway requires Security Token Service (STS) to be activated to enable you to create a file share. Make sure STS is activated in the Region you are creating your S3 File Gateway in. If STS is not activated in the Region, activate it. For information about how to activate STS, see Activating and deactivating STS in an Region in the Identity and Access Management User Guide.
S3 File Gateways do not support creating hard or symbolic links on a file share.
Creates a Server Message Block (SMB) file share on an existing S3 File Gateway. In Storage Gateway, a file share is a file system mount point backed by Amazon S3 cloud storage. Storage Gateway exposes file shares using an SMB interface. This operation is only supported for S3 File Gateways.
S3 File Gateways require Security Token Service (STS) to be activated to enable you to create a file share. Make sure that STS is activated in the Region you are creating your S3 File Gateway in. If STS is not activated in this Region, activate it. For information about how to activate STS, see Activating and deactivating STS in an Region in the Identity and Access Management User Guide.
File gateways don't support creating hard or symbolic links on a file share.
Initiates a snapshot of a volume.
Storage Gateway provides the ability to back up point-in-time snapshots of your data to Amazon Simple Storage (Amazon S3) for durable off-site recovery, and also import the data to an Amazon Elastic Block Store (EBS) volume in Amazon Elastic Compute Cloud (EC2). You can take snapshots of your gateway volume on a scheduled or ad hoc basis. This API enables you to take an ad hoc snapshot. For more information, see Editing a snapshot schedule.
In the CreateSnapshot request, you identify the volume by providing its Amazon Resource Name (ARN). You must also provide description for the snapshot. When Storage Gateway takes the snapshot of specified volume, the snapshot and description appears in the Storage Gateway console. In response, Storage Gateway returns you a snapshot ID. You can use this snapshot ID to check the snapshot progress or later use it when you want to create a volume from a snapshot. This operation is only supported in stored and cached volume gateway type.
To list or delete a snapshot, you must use the Amazon EC2 API. For more information, see DescribeSnapshots or DeleteSnapshot in the Amazon Elastic Compute Cloud API Reference.
Volume and snapshot IDs are changing to a longer length ID format. For more information, see the important note on the Welcome page.
Initiates a snapshot of a gateway from a volume recovery point. This operation is only supported in the cached volume gateway type.
A volume recovery point is a point in time at which all data of the volume is consistent and from which you can create a snapshot. To get a list of volume recovery point for cached volume gateway, use ListVolumeRecoveryPoints.
In the CreateSnapshotFromVolumeRecoveryPoint request, you identify the volume by providing its Amazon Resource Name (ARN). You must also provide a description for the snapshot. When the gateway takes a snapshot of the specified volume, the snapshot and its description appear in the Storage Gateway console. In response, the gateway returns you a snapshot ID. You can use this snapshot ID to check the snapshot progress or later use it when you want to create a volume from a snapshot.
To list or delete a snapshot, you must use the Amazon EC2 API. For more information, see DescribeSnapshots or DeleteSnapshot in the Amazon Elastic Compute Cloud API Reference.
Creates a volume on a specified gateway. This operation is only supported in the stored volume gateway type.
The size of the volume to create is inferred from the disk size. You can choose to preserve existing data on the disk, create volume from an existing snapshot, or create an empty volume. If you choose to create an empty gateway volume, then any existing data on the disk is erased.
In the request, you must specify the gateway and the disk information on which you are creating the volume. In response, the gateway creates the volume and returns volume information such as the volume Amazon Resource Name (ARN), its size, and the iSCSI target ARN that initiators can use to connect to the volume target.
", "CreateTapePool": "Creates a new custom tape pool. You can use custom tape pool to enable tape retention lock on tapes that are archived in the custom pool.
", "CreateTapeWithBarcode": "Creates a virtual tape by using your own barcode. You write data to the virtual tape and then archive the tape. A barcode is unique and cannot be reused if it has already been used on a tape. This applies to barcodes used on deleted tapes. This operation is only supported in the tape gateway type.
Cache storage must be allocated to the gateway before you can create a virtual tape. Use the AddCache operation to add cache storage to a gateway.
Deletes the automatic tape creation policy of a gateway. If you delete this policy, new virtual tapes must be created manually. Use the Amazon Resource Name (ARN) of the gateway in your request to remove the policy.
", "DeleteBandwidthRateLimit": "Deletes the bandwidth rate limits of a gateway. You can delete either the upload and download bandwidth rate limit, or you can delete both. If you delete only one of the limits, the other limit remains unchanged. To specify which gateway to work with, use the Amazon Resource Name (ARN) of the gateway in your request. This operation is supported for the stored volume, cached volume and tape gateway types.
", "DeleteChapCredentials": "Deletes Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target and initiator pair. This operation is supported in volume and tape gateway types.
", - "DeleteFileShare": "Deletes a file share from a file gateway. This operation is only supported for file gateways.
", - "DeleteGateway": "Deletes a gateway. To specify which gateway to delete, use the Amazon Resource Name (ARN) of the gateway in your request. The operation deletes the gateway; however, it does not delete the gateway virtual machine (VM) from your host computer.
After you delete a gateway, you cannot reactivate it. Completed snapshots of the gateway volumes are not deleted upon deleting the gateway, however, pending snapshots will not complete. After you delete a gateway, your next step is to remove it from your environment.
You no longer pay software charges after the gateway is deleted; however, your existing Amazon EBS snapshots persist and you will continue to be billed for these snapshots. You can choose to remove all remaining Amazon EBS snapshots by canceling your Amazon EC2 subscription. If you prefer not to cancel your Amazon EC2 subscription, you can delete your snapshots using the Amazon EC2 console. For more information, see the AWS Storage Gateway detail page.
Deletes a file share from an S3 File Gateway. This operation is only supported for S3 File Gateways.
", + "DeleteGateway": "Deletes a gateway. To specify which gateway to delete, use the Amazon Resource Name (ARN) of the gateway in your request. The operation deletes the gateway; however, it does not delete the gateway virtual machine (VM) from your host computer.
After you delete a gateway, you cannot reactivate it. Completed snapshots of the gateway volumes are not deleted upon deleting the gateway, however, pending snapshots will not complete. After you delete a gateway, your next step is to remove it from your environment.
You no longer pay software charges after the gateway is deleted; however, your existing Amazon EBS snapshots persist and you will continue to be billed for these snapshots. You can choose to remove all remaining Amazon EBS snapshots by canceling your Amazon EC2 subscription. If you prefer not to cancel your Amazon EC2 subscription, you can delete your snapshots using the Amazon EC2 console. For more information, see the Storage Gateway detail page.
Deletes a snapshot of a volume.
You can take snapshots of your gateway volumes on a scheduled or ad hoc basis. This API action enables you to delete a snapshot schedule for a volume. For more information, see Backing up your volumes. In the DeleteSnapshotSchedule request, you identify the volume by providing its Amazon Resource Name (ARN). This operation is only supported in stored and cached volume gateway types.
To list or delete a snapshot, you must use the Amazon EC2 API. For more information, go to DescribeSnapshots in the Amazon Elastic Compute Cloud API Reference.
Deletes the specified virtual tape. This operation is only supported in the tape gateway type.
", "DeleteTapeArchive": "Deletes the specified virtual tape from the virtual tape shelf (VTS). This operation is only supported in the tape gateway type.
", @@ -35,30 +35,30 @@ "DescribeBandwidthRateLimit": "Returns the bandwidth rate limits of a gateway. By default, these limits are not set, which means no bandwidth rate limiting is in effect. This operation is supported for the stored volume, cached volume, and tape gateway types.
This operation only returns a value for a bandwidth rate limit only if the limit is set. If no limits are set for the gateway, then this operation returns only the gateway ARN in the response body. To specify which gateway to describe, use the Amazon Resource Name (ARN) of the gateway in your request.
", "DescribeBandwidthRateLimitSchedule": "Returns information about the bandwidth rate limit schedule of a gateway. By default, gateways do not have bandwidth rate limit schedules, which means no bandwidth rate limiting is in effect. This operation is supported only in the volume and tape gateway types.
This operation returns information about a gateway's bandwidth rate limit schedule. A bandwidth rate limit schedule consists of one or more bandwidth rate limit intervals. A bandwidth rate limit interval defines a period of time on one or more days of the week, during which bandwidth rate limits are specified for uploading, downloading, or both.
A bandwidth rate limit interval consists of one or more days of the week, a start hour and minute, an ending hour and minute, and bandwidth rate limits for uploading and downloading
If no bandwidth rate limit schedule intervals are set for the gateway, this operation returns an empty response. To specify which gateway to describe, use the Amazon Resource Name (ARN) of the gateway in your request.
", "DescribeCache": "Returns information about the cache of a gateway. This operation is only supported in the cached volume, tape, and file gateway types.
The response includes disk IDs that are configured as cache, and it includes the amount of cache allocated and used.
", - "DescribeCachediSCSIVolumes": "Returns a description of the gateway volumes specified in the request. This operation is only supported in the cached volume gateway types.
The list of gateway volumes in the request must be from one gateway. In the response, AWS Storage Gateway returns volume information sorted by volume Amazon Resource Name (ARN).
", + "DescribeCachediSCSIVolumes": "Returns a description of the gateway volumes specified in the request. This operation is only supported in the cached volume gateway types.
The list of gateway volumes in the request must be from one gateway. In the response, Storage Gateway returns volume information sorted by volume Amazon Resource Name (ARN).
", "DescribeChapCredentials": "Returns an array of Challenge-Handshake Authentication Protocol (CHAP) credentials information for a specified iSCSI target, one for each target-initiator pair. This operation is supported in the volume and tape gateway types.
", - "DescribeFileSystemAssociations": "Gets the file system association information. This operation is only supported for Amazon FSx file gateways.
", + "DescribeFileSystemAssociations": "Gets the file system association information. This operation is only supported for FSx File Gateways.
", "DescribeGatewayInformation": "Returns metadata about a gateway such as its name, network interfaces, configured time zone, and the state (whether the gateway is running or not). To specify which gateway to describe, use the Amazon Resource Name (ARN) of the gateway in your request.
", "DescribeMaintenanceStartTime": "Returns your gateway's weekly maintenance start time including the day and time of the week. Note that values are in terms of the gateway's time zone.
", - "DescribeNFSFileShares": "Gets a description for one or more Network File System (NFS) file shares from a file gateway. This operation is only supported for file gateways.
", - "DescribeSMBFileShares": "Gets a description for one or more Server Message Block (SMB) file shares from a file gateway. This operation is only supported for file gateways.
", + "DescribeNFSFileShares": "Gets a description for one or more Network File System (NFS) file shares from an S3 File Gateway. This operation is only supported for S3 File Gateways.
", + "DescribeSMBFileShares": "Gets a description for one or more Server Message Block (SMB) file shares from a S3 File Gateway. This operation is only supported for S3 File Gateways.
", "DescribeSMBSettings": "Gets a description of a Server Message Block (SMB) file share settings from a file gateway. This operation is only supported for file gateways.
", "DescribeSnapshotSchedule": "Describes the snapshot schedule for the specified gateway volume. The snapshot schedule information includes intervals at which snapshots are automatically initiated on the volume. This operation is only supported in the cached volume and stored volume types.
", - "DescribeStorediSCSIVolumes": "Returns the description of the gateway volumes specified in the request. The list of gateway volumes in the request must be from one gateway. In the response, AWS Storage Gateway returns volume information sorted by volume ARNs. This operation is only supported in stored volume gateway type.
", - "DescribeTapeArchives": "Returns a description of specified virtual tapes in the virtual tape shelf (VTS). This operation is only supported in the tape gateway type.
If a specific TapeARN is not specified, AWS Storage Gateway returns a description of all virtual tapes found in the VTS associated with your account.
Returns the description of the gateway volumes specified in the request. The list of gateway volumes in the request must be from one gateway. In the response, Storage Gateway returns volume information sorted by volume ARNs. This operation is only supported in stored volume gateway type.
", + "DescribeTapeArchives": "Returns a description of specified virtual tapes in the virtual tape shelf (VTS). This operation is only supported in the tape gateway type.
If a specific TapeARN is not specified, Storage Gateway returns a description of all virtual tapes found in the VTS associated with your account.
Returns a list of virtual tape recovery points that are available for the specified tape gateway.
A recovery point is a point-in-time view of a virtual tape at which all the data on the virtual tape is consistent. If your gateway crashes, virtual tapes that have recovery points can be recovered to a new gateway. This operation is only supported in the tape gateway type.
", "DescribeTapes": "Returns a description of the specified Amazon Resource Name (ARN) of virtual tapes. If a TapeARN is not specified, returns a description of all virtual tapes associated with the specified gateway. This operation is only supported in the tape gateway type.
Returns information about the upload buffer of a gateway. This operation is supported for the stored volume, cached volume, and tape gateway types.
The response includes disk IDs that are configured as upload buffer space, and it includes the amount of upload buffer space allocated and used.
", - "DescribeVTLDevices": "Returns a description of virtual tape library (VTL) devices for the specified tape gateway. In the response, AWS Storage Gateway returns VTL device information.
This operation is only supported in the tape gateway type.
", + "DescribeVTLDevices": "Returns a description of virtual tape library (VTL) devices for the specified tape gateway. In the response, Storage Gateway returns VTL device information.
This operation is only supported in the tape gateway type.
", "DescribeWorkingStorage": "Returns information about the working storage of a gateway. This operation is only supported in the stored volumes gateway type. This operation is deprecated in cached volumes API version (20120630). Use DescribeUploadBuffer instead.
Working storage is also referred to as upload buffer. You can also use the DescribeUploadBuffer operation to add upload buffer to a stored volume gateway.
The response includes disk IDs that are configured as working storage, and it includes the amount of working storage allocated and used.
", "DetachVolume": "Disconnects a volume from an iSCSI connection and then detaches the volume from the specified gateway. Detaching and attaching a volume enables you to recover your data from one gateway to a different gateway without creating a snapshot. It also makes it easier to move your volumes from an on-premises gateway to a gateway hosted on an Amazon EC2 instance. This operation is only supported in the volume gateway type.
", "DisableGateway": "Disables a tape gateway when the gateway is no longer functioning. For example, if your gateway VM is damaged, you can disable the gateway so you can recover virtual tapes.
Use this operation for a tape gateway that is not reachable or not functioning. This operation is only supported in the tape gateway type.
After a gateway is disabled, it cannot be enabled.
Disassociates an Amazon FSx file system from the specified gateway. After the disassociation process finishes, the gateway can no longer access the Amazon FSx file system. This operation is only supported in the Amazon FSx file gateway type.
", + "DisassociateFileSystem": "Disassociates an Amazon FSx file system from the specified gateway. After the disassociation process finishes, the gateway can no longer access the Amazon FSx file system. This operation is only supported in the FSx File Gateway type.
", "JoinDomain": "Adds a file gateway to an Active Directory domain. This operation is only supported for file gateways that support the SMB file protocol.
", "ListAutomaticTapeCreationPolicies": "Lists the automatic tape creation policies for a gateway. If there are no automatic tape creation policies for the gateway, it returns an empty list.
This operation is only supported for tape gateways.
", - "ListFileShares": "Gets a list of the file shares for a specific file gateway, or the list of file shares that belong to the calling user account. This operation is only supported for file gateways.
", - "ListFileSystemAssociations": "Gets a list of FileSystemAssociationSummary objects. Each object contains a summary of a file system association. This operation is only supported for Amazon FSx file gateways.
Lists gateways owned by an AWS account in an AWS Region specified in the request. The returned list is ordered by gateway Amazon Resource Name (ARN).
By default, the operation returns a maximum of 100 gateways. This operation supports pagination that allows you to optionally reduce the number of gateways returned in a response.
If you have more gateways than are returned in a response (that is, the response returns only a truncated list of your gateways), the response contains a marker that you can specify in your next request to fetch the next page of gateways.
", + "ListFileShares": "Gets a list of the file shares for a specific S3 File Gateway, or the list of file shares that belong to the calling user account. This operation is only supported for S3 File Gateways.
", + "ListFileSystemAssociations": "Gets a list of FileSystemAssociationSummary objects. Each object contains a summary of a file system association. This operation is only supported for FSx File Gateways.
Lists gateways owned by an account in an Region specified in the request. The returned list is ordered by gateway Amazon Resource Name (ARN).
By default, the operation returns a maximum of 100 gateways. This operation supports pagination that allows you to optionally reduce the number of gateways returned in a response.
If you have more gateways than are returned in a response (that is, the response returns only a truncated list of your gateways), the response contains a marker that you can specify in your next request to fetch the next page of gateways.
", "ListLocalDisks": "Returns a list of the gateway's local disks. To specify which gateway to describe, you use the Amazon Resource Name (ARN) of the gateway in the body of the request.
The request returns a list of all disks, specifying which are configured as working storage, cache storage, or stored volume or not configured at all. The response includes a DiskStatus field. This field can have a value of present (the disk is available to use), missing (the disk is no longer connected to the gateway), or mismatch (the disk node is occupied by a disk that has incorrect metadata or the disk content is corrupted).
Lists the tags that have been added to the specified resource. This operation is supported in storage gateways of all types.
", "ListTapePools": "Lists custom tape pools. You specify custom tape pools to list by specifying one or more custom tape pool Amazon Resource Names (ARNs). If you don't specify a custom tape pool ARN, the operation lists all custom tape pools.
This operation supports pagination. You can optionally specify the Limit parameter in the body to limit the number of tape pools in the response. If the number of tape pools returned in the response is truncated, the response includes a Marker element that you can use in your subsequent request to retrieve the next set of tape pools.
Lists iSCSI initiators that are connected to a volume. You can use this operation to determine whether a volume is being used or not. This operation is only supported in the cached volume and stored volume gateway types.
", "ListVolumeRecoveryPoints": "Lists the recovery points for a specified gateway. This operation is only supported in the cached volume gateway type.
Each cache volume has one recovery point. A volume recovery point is a point in time at which all data of the volume is consistent and from which you can create a snapshot or clone a new cached volume from a source volume. To create a snapshot from a volume recovery point use the CreateSnapshotFromVolumeRecoveryPoint operation.
", "ListVolumes": "Lists the iSCSI stored volumes of a gateway. Results are sorted by volume ARN. The response includes only the volume ARNs. If you want additional volume information, use the DescribeStorediSCSIVolumes or the DescribeCachediSCSIVolumes API.
The operation supports pagination. By default, the operation returns a maximum of up to 100 volumes. You can optionally specify the Limit field in the body to limit the number of volumes in the response. If the number of volumes returned in the response is truncated, the response includes a Marker field. You can use this Marker value in your subsequent request to retrieve the next set of volumes. This operation is only supported in the cached volume and stored volume gateway types.
Sends you notification through CloudWatch Events when all files written to your file share have been uploaded to Amazon S3.
AWS Storage Gateway can send a notification through Amazon CloudWatch Events when all files written to your file share up to that point in time have been uploaded to Amazon S3. These files include files written to the file share up to the time that you make a request for notification. When the upload is done, Storage Gateway sends you notification through an Amazon CloudWatch Event. You can configure CloudWatch Events to send the notification through event targets such as Amazon SNS or AWS Lambda function. This operation is only supported for file gateways.
For more information, see Getting file upload notification in the AWS Storage Gateway User Guide.
", - "RefreshCache": "Refreshes the cached inventory of objects for the specified file share. This operation finds objects in the Amazon S3 bucket that were added, removed, or replaced since the gateway last listed the bucket's contents and cached the results. This operation does not import files into the file gateway cache storage. It only updates the cached inventory to reflect changes in the inventory of the objects in the S3 bucket. This operation is only supported in the file gateway type. You can subscribe to be notified through an Amazon CloudWatch event when your RefreshCache operation completes. For more information, see Getting notified about file operations in the AWS Storage Gateway User Guide.
When this API is called, it only initiates the refresh operation. When the API call completes and returns a success code, it doesn't necessarily mean that the file refresh has completed. You should use the refresh-complete notification to determine that the operation has completed before you check for new files on the gateway file share. You can subscribe to be notified through a CloudWatch event when your RefreshCache operation completes.
Throttle limit: This API is asynchronous, so the gateway will accept no more than two refreshes at any time. We recommend using the refresh-complete CloudWatch event notification before issuing additional requests. For more information, see Getting notified about file operations in the AWS Storage Gateway User Guide.
If you invoke the RefreshCache API when two requests are already being processed, any new request will cause an InvalidGatewayRequestException error because too many requests were sent to the server.
For more information, see Getting notified about file operations in the AWS Storage Gateway User Guide.
", + "NotifyWhenUploaded": "Sends you notification through CloudWatch Events when all files written to your file share have been uploaded to Amazon S3.
Storage Gateway can send a notification through Amazon CloudWatch Events when all files written to your file share up to that point in time have been uploaded to Amazon S3. These files include files written to the file share up to the time that you make a request for notification. When the upload is done, Storage Gateway sends you notification through an Amazon CloudWatch Event. You can configure CloudWatch Events to send the notification through event targets such as Amazon SNS or Lambda function. This operation is only supported for S3 File Gateways.
For more information, see Getting file upload notification in the Storage Gateway User Guide.
", + "RefreshCache": "Refreshes the cached inventory of objects for the specified file share. This operation finds objects in the Amazon S3 bucket that were added, removed, or replaced since the gateway last listed the bucket's contents and cached the results. This operation does not import files into the S3 File Gateway cache storage. It only updates the cached inventory to reflect changes in the inventory of the objects in the S3 bucket. This operation is only supported in the S3 File Gateway types.
You can subscribe to be notified through an Amazon CloudWatch event when your RefreshCache operation completes. For more information, see Getting notified about file operations in the Storage Gateway User Guide. This operation is Only supported for S3 File Gateways.
When this API is called, it only initiates the refresh operation. When the API call completes and returns a success code, it doesn't necessarily mean that the file refresh has completed. You should use the refresh-complete notification to determine that the operation has completed before you check for new files on the gateway file share. You can subscribe to be notified through a CloudWatch event when your RefreshCache operation completes.
Throttle limit: This API is asynchronous, so the gateway will accept no more than two refreshes at any time. We recommend using the refresh-complete CloudWatch event notification before issuing additional requests. For more information, see Getting notified about file operations in the Storage Gateway User Guide.
If you invoke the RefreshCache API when two requests are already being processed, any new request will cause an InvalidGatewayRequestException error because too many requests were sent to the server.
For more information, see Getting notified about file operations in the Storage Gateway User Guide.
", "RemoveTagsFromResource": "Removes one or more tags from the specified resource. This operation is supported in storage gateways of all types.
", "ResetCache": "Resets all cache disks that have encountered an error and makes the disks available for reconfiguration as cache storage. If your cache disk encounters an error, the gateway prevents read and write operations on virtual tapes in the gateway. For example, an error can occur when a disk is corrupted or removed from the gateway. When a cache is reset, the gateway loses its cache storage. At this point, you can reconfigure the disks as cache disks. This operation is only supported in the cached volume and tape types.
If the cache disk you are resetting contains data that has not been uploaded to Amazon S3 yet, that data can be lost. After you reset cache disks, there will be no configured cache disks left in the gateway, so you must configure at least one new cache disk for your gateway to function properly.
Retrieves an archived virtual tape from the virtual tape shelf (VTS) to a tape gateway. Virtual tapes archived in the VTS are not associated with any gateway. However after a tape is retrieved, it is associated with a gateway, even though it is also listed in the VTS, that is, archive. This operation is only supported in the tape gateway type.
Once a tape is successfully retrieved to a gateway, it cannot be retrieved again to another gateway. You must archive the tape again before you can retrieve it to another gateway. This operation is only supported in the tape gateway type.
", "RetrieveTapeRecoveryPoint": "Retrieves the recovery point for the specified virtual tape. This operation is only supported in the tape gateway type.
A recovery point is a point in time view of a virtual tape at which all the data on the tape is consistent. If your gateway crashes, virtual tapes that have recovery points can be recovered to a new gateway.
The virtual tape can be retrieved to only one gateway. The retrieved tape is read-only. The virtual tape can be retrieved to only a tape gateway. There is no charge for retrieving recovery points.
Sets the password for your VM local console. When you log in to the local console for the first time, you log in to the VM with the default credentials. We recommend that you set a new password. You don't need to know the default password to set a new password.
", - "SetSMBGuestPassword": "Sets the password for the guest user smbguest. The smbguest user is the user when the authentication method for the file share is set to GuestAccess.
Sets the password for the guest user smbguest. The smbguest user is the user when the authentication method for the file share is set to GuestAccess. This operation only supported for S3 File Gateways
Shuts down a gateway. To specify which gateway to shut down, use the Amazon Resource Name (ARN) of the gateway in the body of your request.
The operation shuts down the gateway service component running in the gateway's virtual machine (VM) and not the host VM.
If you want to shut down the VM, it is recommended that you first shut down the gateway component in the VM to avoid unpredictable conditions.
After the gateway is shutdown, you cannot call any other API except StartGateway, DescribeGatewayInformation, and ListGateways. For more information, see ActivateGateway. Your applications cannot read from or write to the gateway's storage volumes, and there are no snapshots taken.
When you make a shutdown request, you will get a 200 OK success response immediately. However, it might take some time for the gateway to shut down. You can call the DescribeGatewayInformation API to check the status. For more information, see ActivateGateway.
If do not intend to use the gateway again, you must delete the gateway (using DeleteGateway) to no longer pay software charges associated with the gateway.
", "StartAvailabilityMonitorTest": "Start a test that verifies that the specified gateway is configured for High Availability monitoring in your host environment. This request only initiates the test and that a successful response only indicates that the test was started. It doesn't indicate that the test passed. For the status of the test, invoke the DescribeAvailabilityMonitorTest API.
Starting this test will cause your gateway to go offline for a brief period.
Starts a gateway that you previously shut down (see ShutdownGateway). After the gateway starts, you can then make other API calls, your applications can read from or write to the gateway's storage volumes and you will be able to take snapshot backups.
When you make a request, you will get a 200 OK success response immediately. However, it might take some time for the gateway to be ready. You should call DescribeGatewayInformation and check the status before making any additional API calls. For more information, see ActivateGateway.
To specify which gateway to start, use the Amazon Resource Name (ARN) of the gateway in your request.
", @@ -81,13 +81,13 @@ "UpdateBandwidthRateLimit": "Updates the bandwidth rate limits of a gateway. You can update both the upload and download bandwidth rate limit or specify only one of the two. If you don't set a bandwidth rate limit, the existing rate limit remains. This operation is supported for the stored volume, cached volume, and tape gateway types.
By default, a gateway's bandwidth rate limits are not set. If you don't set any limit, the gateway does not have any limitations on its bandwidth usage and could potentially use the maximum available bandwidth.
To specify which gateway to update, use the Amazon Resource Name (ARN) of the gateway in your request.
", "UpdateBandwidthRateLimitSchedule": "Updates the bandwidth rate limit schedule for a specified gateway. By default, gateways do not have bandwidth rate limit schedules, which means no bandwidth rate limiting is in effect. Use this to initiate or update a gateway's bandwidth rate limit schedule. This operation is supported in the volume and tape gateway types.
", "UpdateChapCredentials": "Updates the Challenge-Handshake Authentication Protocol (CHAP) credentials for a specified iSCSI target. By default, a gateway does not have CHAP enabled; however, for added security, you might use it. This operation is supported in the volume and tape gateway types.
When you update CHAP credentials, all existing connections on the target are closed and initiators must reconnect with the new credentials.
Updates a file system association. This operation is only supported in the Amazon FSx file gateway type.
", + "UpdateFileSystemAssociation": "Updates a file system association. This operation is only supported in the FSx File Gateways.
", "UpdateGatewayInformation": "Updates a gateway's metadata, which includes the gateway's name and time zone. To specify which gateway to update, use the Amazon Resource Name (ARN) of the gateway in your request.
For gateways activated after September 2, 2015, the gateway's ARN contains the gateway ID rather than the gateway name. However, changing the name of the gateway has no effect on the gateway's ARN.
Updates the gateway virtual machine (VM) software. The request immediately triggers the software update.
When you make this request, you get a 200 OK success response immediately. However, it might take some time for the update to complete. You can call DescribeGatewayInformation to verify the gateway is in the STATE_RUNNING state.
A software update forces a system restart of your gateway. You can minimize the chance of any disruption to your applications by increasing your iSCSI Initiators' timeouts. For more information about increasing iSCSI Initiator timeouts for Windows and Linux, see Customizing your Windows iSCSI settings and Customizing your Linux iSCSI settings, respectively.
Updates a gateway's weekly maintenance start time information, including day and time of the week. The maintenance time is the time in your gateway's time zone.
", - "UpdateNFSFileShare": "Updates a Network File System (NFS) file share. This operation is only supported in the file gateway type.
To leave a file share field unchanged, set the corresponding input field to null.
Updates the following file share settings:
Default storage class for your S3 bucket
Metadata defaults for your S3 bucket
Allowed NFS clients for your file share
Squash settings
Write status of your file share
Updates a Server Message Block (SMB) file share. This operation is only supported for file gateways.
To leave a file share field unchanged, set the corresponding input field to null.
File gateways require AWS Security Token Service (AWS STS) to be activated to enable you to create a file share. Make sure that AWS STS is activated in the AWS Region you are creating your file gateway in. If AWS STS is not activated in this AWS Region, activate it. For information about how to activate AWS STS, see Activating and deactivating AWS STS in an AWS Region in the AWS Identity and Access Management User Guide.
File gateways don't support creating hard or symbolic links on a file share.
Controls whether the shares on a gateway are visible in a net view or browse list.
", + "UpdateNFSFileShare": "Updates a Network File System (NFS) file share. This operation is only supported in S3 File Gateways.
To leave a file share field unchanged, set the corresponding input field to null.
Updates the following file share settings:
Default storage class for your S3 bucket
Metadata defaults for your S3 bucket
Allowed NFS clients for your file share
Squash settings
Write status of your file share
Updates a Server Message Block (SMB) file share. This operation is only supported for S3 File Gateways.
To leave a file share field unchanged, set the corresponding input field to null.
File gateways require Security Token Service (STS) to be activated to enable you to create a file share. Make sure that STS is activated in the Region you are creating your file gateway in. If STS is not activated in this Region, activate it. For information about how to activate STS, see Activating and deactivating STS in an Region in the Identity and Access Management User Guide.
File gateways don't support creating hard or symbolic links on a file share.
Controls whether the shares on an S3 File Gateway are visible in a net view or browse list. The operation is only supported for S3 File Gateways.
", "UpdateSMBSecurityStrategy": "Updates the SMB security strategy on a file gateway. This action is only supported in file gateways.
This API is called Security level in the User Guide.
A higher security level can affect performance of the gateway.
Updates a snapshot schedule configured for a gateway volume. This operation is only supported in the cached volume and stored volume gateway types.
The default snapshot schedule for volume is once every 24 hours, starting at the creation time of the volume. You can use this API to change the snapshot schedule configured for the volume.
In the request you must identify the gateway volume whose snapshot schedule you want to update, and the schedule information, including when you want the snapshot to begin on a day and the frequency (in hours) of snapshots.
", "UpdateVTLDeviceType": "Updates the type of medium changer in a tape gateway. When you activate a tape gateway, you select a medium changer type for the tape gateway. This operation enables you to select a different type of medium changer after a tape gateway is activated. This operation is only supported in the tape gateway type.
" @@ -99,14 +99,14 @@ } }, "ActivateGatewayOutput": { - "base": "AWS Storage Gateway returns the Amazon Resource Name (ARN) of the activated gateway. It is a string made of information such as your account, gateway name, and AWS Region. This ARN is used to reference the gateway in other API operations as well as resource-based authorization.
For gateways activated prior to September 02, 2015, the gateway ARN contains the gateway name rather than the gateway ID. Changing the name of the gateway has no effect on the gateway ARN.
Storage Gateway returns the Amazon Resource Name (ARN) of the activated gateway. It is a string made of information such as your account, gateway name, and Region. This ARN is used to reference the gateway in other API operations as well as resource-based authorization.
For gateways activated prior to September 02, 2015, the gateway ARN contains the gateway name rather than the gateway ID. Changing the name of the gateway has no effect on the gateway ARN.
Your gateway activation key. You can obtain the activation key by sending an HTTP GET request with redirects enabled to the gateway IP address (port 80). The redirect URL returned in the response provides you the activation key for your gateway in the query string parameter activationKey. It may also include other activation-related parameters, however, these are merely defaults -- the arguments you pass to the ActivateGateway API call determine the actual configuration of your gateway.
For more information, see Getting activation key in the AWS Storage Gateway User Guide.
" + "ActivateGatewayInput$ActivationKey": "Your gateway activation key. You can obtain the activation key by sending an HTTP GET request with redirects enabled to the gateway IP address (port 80). The redirect URL returned in the response provides you the activation key for your gateway in the query string parameter activationKey. It may also include other activation-related parameters, however, these are merely defaults -- the arguments you pass to the ActivateGateway API call determine the actual configuration of your gateway.
For more information, see Getting activation key in the Storage Gateway User Guide.
" } }, "ActiveDirectoryStatus": { @@ -273,22 +273,23 @@ "Boolean": { "base": null, "refs": { - "CreateCachediSCSIVolumeInput$KMSEncrypted": "Set to true to use Amazon S3 server-side encryption with your own AWS KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own AWS KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
A value that sets the write status of a file share. Set this value to true to set the write status to read-only, otherwise set to false.
Valid Values: true | false
A value that enables guessing of the MIME type for uploaded objects based on file extensions. Set this value to true to enable MIME type guessing, otherwise set to false. The default value is true.
Valid Values: true | false
A value that sets who pays the cost of the request and the cost associated with data download from the S3 bucket. If this value is set to true, the requester pays the costs; otherwise, the S3 bucket owner pays. However, the S3 bucket owner always pays the cost of storing data.
RequesterPays is a configuration for the S3 bucket that backs the file share, so make sure that the configuration on the file share is the same as the S3 bucket configuration.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own AWS KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
A value that sets the write status of a file share. Set this value to true to set the write status to read-only, otherwise set to false.
Valid Values: true | false
A value that enables guessing of the MIME type for uploaded objects based on file extensions. Set this value to true to enable MIME type guessing, otherwise set to false. The default value is true.
Valid Values: true | false
A value that sets who pays the cost of the request and the cost associated with data download from the S3 bucket. If this value is set to true, the requester pays the costs; otherwise, the S3 bucket owner pays. However, the S3 bucket owner always pays the cost of storing data.
RequesterPays is a configuration for the S3 bucket that backs the file share, so make sure that the configuration on the file share is the same as the S3 bucket configuration.
Valid Values: true | false
Set this value to true to enable access control list (ACL) on the SMB file share. Set it to false to map file and directory permissions to the POSIX permissions.
For more information, see Using Microsoft Windows ACLs to control access to an SMB file share in the AWS Storage Gateway User Guide.
Valid Values: true | false
Set this value to true to enable access control list (ACL) on the SMB file share. Set it to false to map file and directory permissions to the POSIX permissions.
For more information, see Using Microsoft Windows ACLs to control access to an SMB file share in the Storage Gateway User Guide.
Valid Values: true | false
The files and folders on this share will only be visible to users with read access.
", - "CreateStorediSCSIVolumeInput$KMSEncrypted": "Set to true to use Amazon S3 server-side encryption with your own AWS KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own AWS KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own AWS KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
This value is true if a password for the guest user smbguest is set, otherwise false.
Valid Values: true | false
The shares on this gateway appear when listing shares.
", + "CreateSMBFileShareInput$OplocksEnabled": "Specifies whether opportunistic locking is enabled for the SMB file share.
Enabling opportunistic locking on case-sensitive shares is not recommended for workloads that involve access to files with the same name in different case.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
This value is true if a password for the guest user smbguest is set, otherwise false. Only supported for S3 File Gateways.
Valid Values: true | false
The shares on this gateway appear when listing shares. Only supported for S3 File Gateways.
", "DetachVolumeInput$ForceDetach": "Set to true to forcibly remove the iSCSI connection of the target volume and detach the volume. The default is false. If this value is set to false, you must manually disconnect the iSCSI connection from the target volume.
Valid Values: true | false
A value that sets the write status of a file share. Set this value to true to set the write status to read-only, otherwise set to false.
Valid Values: true | false
A value that enables guessing of the MIME type for uploaded objects based on file extensions. Set this value to true to enable MIME type guessing, otherwise set to false. The default value is true.
Valid Values: true | false
A value that sets the write status of a file share. Set this value to true to set the write status to read-only, otherwise set to false.
Valid Values: true | false
A value that enables guessing of the MIME type for uploaded objects based on file extensions. Set this value to true to enable MIME type guessing, otherwise set to false. The default value is true.
Valid Values: true | false
A value that sets who pays the cost of the request and the cost associated with data download from the S3 bucket. If this value is set to true, the requester pays the costs; otherwise, the S3 bucket owner pays. However, the S3 bucket owner always pays the cost of storing data.
RequesterPays is a configuration for the S3 bucket that backs the file share, so make sure that the configuration on the file share is the same as the S3 bucket configuration.
Valid Values: true | false
If this value is set to true, it indicates that access control list (ACL) is enabled on the SMB file share. If it is set to false, it indicates that file and directory permissions are mapped to the POSIX permission.
For more information, see Using Microsoft Windows ACLs to control access to an SMB file share in the AWS Storage Gateway User Guide.
", + "SMBFileShareInfo$SMBACLEnabled": "If this value is set to true, it indicates that access control list (ACL) is enabled on the SMB file share. If it is set to false, it indicates that file and directory permissions are mapped to the POSIX permission.
For more information, see Using Microsoft Windows ACLs to control access to an SMB file share in the Storage Gateway User Guide.
", "SMBFileShareInfo$AccessBasedEnumeration": "Indicates whether AccessBasedEnumeration is enabled.
Set to true to use Amazon S3 server-side encryption with your own AWS KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Specifies whether opportunistic locking is enabled for the SMB file share.
Enabling opportunistic locking on case-sensitive shares is not recommended for workloads that involve access to files with the same name in different case.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
A value that sets the write status of a file share. Set this value to true to set the write status to read-only, otherwise set to false.
Valid Values: true | false
A value that enables guessing of the MIME type for uploaded objects based on file extensions. Set this value to true to enable MIME type guessing, otherwise set to false. The default value is true.
Valid Values: true | false
A value that sets who pays the cost of the request and the cost associated with data download from the S3 bucket. If this value is set to true, the requester pays the costs; otherwise, the S3 bucket owner pays. However, the S3 bucket owner always pays the cost of storing data.
RequesterPays is a configuration for the S3 bucket that backs the file share, so make sure that the configuration on the file share is the same as the S3 bucket configuration.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own AWS KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
A value that sets the write status of a file share. Set this value to true to set write status to read-only, otherwise set to false.
Valid Values: true | false
A value that enables guessing of the MIME type for uploaded objects based on file extensions. Set this value to true to enable MIME type guessing, otherwise set to false. The default value is true.
Valid Values: true | false
A value that sets who pays the cost of the request and the cost associated with data download from the S3 bucket. If this value is set to true, the requester pays the costs; otherwise, the S3 bucket owner pays. However, the S3 bucket owner always pays the cost of storing data.
RequesterPays is a configuration for the S3 bucket that backs the file share, so make sure that the configuration on the file share is the same as the S3 bucket configuration.
Valid Values: true | false
Set this value to true to enable access control list (ACL) on the SMB file share. Set it to false to map file and directory permissions to the POSIX permissions.
For more information, see Using Microsoft Windows ACLs to control access to an SMB file share in the AWS Storage Gateway User Guide.
Valid Values: true | false
Set this value to true to enable access control list (ACL) on the SMB file share. Set it to false to map file and directory permissions to the POSIX permissions.
For more information, see Using Microsoft Windows ACLs to control access to an SMB file share in the Storage Gateway User Guide.
Valid Values: true | false
The files and folders on this share will only be visible to users with read access.
", + "UpdateSMBFileShareInput$OplocksEnabled": "Specifies whether opportunistic locking is enabled for the SMB file share.
Enabling opportunistic locking on case-sensitive shares is not recommended for workloads that involve access to files with the same name in different case.
Valid Values: true | false
The shares on this gateway appear when listing shares.
" } }, "CacheAttributes": { - "base": "The refresh cache information for the file share.
", + "base": "The refresh cache information for the file share or FSx file systems.
", "refs": { "AssociateFileSystemInput$CacheAttributes": null, "CreateNFSFileShareInput$CacheAttributes": "Specifies refresh cache information for the file share.
", @@ -329,7 +332,7 @@ "CacheStaleTimeoutInSeconds": { "base": null, "refs": { - "CacheAttributes$CacheStaleTimeoutInSeconds": "Refreshes a file share's cache by using Time To Live (TTL). TTL is the length of time since the last refresh after which access to the directory would cause the file gateway to first refresh that directory's contents from the Amazon S3 bucket or Amazon FSx file system. The TTL duration is in seconds.
Valid Values: 300 to 2,592,000 seconds (5 minutes to 30 days)
" + "CacheAttributes$CacheStaleTimeoutInSeconds": "Refreshes a file share's cache by using Time To Live (TTL). TTL is the length of time since the last refresh after which access to the directory would cause the file gateway to first refresh that directory's contents from the Amazon S3 bucket or Amazon FSx file system. The TTL duration is in seconds.
Valid Values:0, 300 to 2,592,000 seconds (5 minutes to 30 days)
" } }, "CachediSCSIVolume": { @@ -396,10 +399,10 @@ "ClientToken": { "base": null, "refs": { - "AssociateFileSystemInput$ClientToken": "A unique string value that you supply that is used by the file gateway to ensure idempotent file system association creation.
", + "AssociateFileSystemInput$ClientToken": "A unique string value that you supply that is used by the FSx File Gateway to ensure idempotent file system association creation.
", "CreateCachediSCSIVolumeInput$ClientToken": "A unique identifier that you use to retry a request. If you retry a request, use the same ClientToken you specified in the initial request.
A unique string value that you supply that is used by file gateway to ensure idempotent file share creation.
", - "CreateSMBFileShareInput$ClientToken": "A unique string value that you supply that is used by file gateway to ensure idempotent file share creation.
", + "CreateNFSFileShareInput$ClientToken": "A unique string value that you supply that is used by S3 File Gateway to ensure idempotent file share creation.
", + "CreateSMBFileShareInput$ClientToken": "A unique string value that you supply that is used by S3 File Gateway to ensure idempotent file share creation.
", "CreateTapesInput$ClientToken": "A unique identifier that you use to retry a request. If you retry a request, use the same ClientToken you specified in the initial request.
Using the same ClientToken prevents creating the tape multiple times.
The date the volume was created. Volumes created prior to March 28, 2017 don’t have this timestamp.
" } }, + "DNSHostName": { + "base": null, + "refs": { + "CreateNFSFileShareInput$VPCEndpointDNSName": "Specifies the DNS name for the VPC endpoint that the NFS file share uses to connect to Amazon S3.
This parameter is required for NFS file shares that connect to Amazon S3 through a VPC endpoint, a VPC access point, or an access point alias that points to a VPC access point.
Specifies the DNS name for the VPC endpoint that the SMB file share uses to connect to Amazon S3.
This parameter is required for SMB file shares that connect to Amazon S3 through a VPC endpoint, a VPC access point, or an access point alias that points to a VPC access point.
Specifies the DNS name for the VPC endpoint that the NFS file share uses to connect to Amazon S3.
This parameter is required for NFS file shares that connect to Amazon S3 through a VPC endpoint, a VPC access point, or an access point alias that points to a VPC access point.
Specifies the DNS name for the VPC endpoint that the SMB file share uses to connect to Amazon S3.
This parameter is required for SMB file shares that connect to Amazon S3 through a VPC endpoint, a VPC access point, or an access point alias that points to a VPC access point.
The AWS Region where the Amazon EC2 instance is located.
", - "GatewayInfo$Ec2InstanceRegion": "The AWS Region where the Amazon EC2 instance is located.
" + "DescribeGatewayInformationOutput$Ec2InstanceRegion": "The Region where the Amazon EC2 instance is located.
", + "GatewayInfo$Ec2InstanceRegion": "The Region where the Amazon EC2 instance is located.
" + } + }, + "EndpointNetworkConfiguration": { + "base": "Specifies network configuration information for the gateway associated with the Amazon FSx file system.
", + "refs": { + "AssociateFileSystemInput$EndpointNetworkConfiguration": "Specifies the network configuration information for the gateway associated with the Amazon FSx file system.
If multiple file systems are associated with this gateway, this parameter's IpAddresses field is required.
Specifies network configuration information for the gateway associated with the Amazon FSx file system.
If multiple file systems are associated with this gateway, this parameter's IpAddresses field is required.
The list of clients that are allowed to access the file gateway. The list must contain either valid IP addresses or valid CIDR blocks.
", + "base": "The list of clients that are allowed to access the S3 File Gateway. The list must contain either valid IP addresses or valid CIDR blocks.
", "refs": { - "CreateNFSFileShareInput$ClientList": "The list of clients that are allowed to access the file gateway. The list must contain either valid IP addresses or valid CIDR blocks.
", + "CreateNFSFileShareInput$ClientList": "The list of clients that are allowed to access the S3 File Gateway. The list must contain either valid IP addresses or valid CIDR blocks.
", "NFSFileShareInfo$ClientList": null, - "UpdateNFSFileShareInput$ClientList": "The list of clients that are allowed to access the file gateway. The list must contain either valid IP addresses or valid CIDR blocks.
" + "UpdateNFSFileShareInput$ClientList": "The list of clients that are allowed to access the S3 File Gateway. The list must contain either valid IP addresses or valid CIDR blocks.
" } }, "FileShareId": { @@ -1036,7 +1055,7 @@ } }, "FileShareInfo": { - "base": "Describes a file share.
", + "base": "Describes a file share. Only supported S3 File Gateway.
", "refs": { "FileShareInfoList$member": null } @@ -1044,7 +1063,7 @@ "FileShareInfoList": { "base": null, "refs": { - "ListFileSharesOutput$FileShareInfoList": "An array of information about the file gateway's file shares.
" + "ListFileSharesOutput$FileShareInfoList": "An array of information about the S3 File Gateway's file shares.
" } }, "FileShareName": { @@ -1112,8 +1131,8 @@ "FileSystemAssociationStatus": { "base": null, "refs": { - "FileSystemAssociationInfo$FileSystemAssociationStatus": "The status of the file system association. Valid Values: AVAILABLE | CREATING | DELETING | FORCE_DELETING | MISCONFIGURED | UPDATING | UNAVAILABLE
The status of the file share. Valid Values: AVAILABLE | CREATING | DELETING | FORCE_DELETING | MISCONFIGURED | UPDATING | UNAVAILABLE
The status of the file system association. Valid Values: AVAILABLE | CREATING | DELETING | FORCE_DELETING | UPDATING | ERROR
The status of the file share. Valid Values: AVAILABLE | CREATING | DELETING | FORCE_DELETING | UPDATING | ERROR
The Amazon Resource Name (ARN) of the Amazon FSx file system to associate with the Amazon FSx file gateway.
", + "AssociateFileSystemInput$LocationARN": "The Amazon Resource Name (ARN) of the Amazon FSx file system to associate with the FSx File Gateway.
", "FileSystemAssociationInfo$LocationARN": "The ARN of the backend Amazon FSx file system used for storing file data. For information, see FileSystem in the Amazon FSx API Reference.
" } }, @@ -1148,7 +1167,7 @@ } }, "GatewayARN": { - "base": "The Amazon Resource Name (ARN) of the gateway. Use the ListGateways operation to return a list of gateways for your account and AWS Region.
", + "base": "The Amazon Resource Name (ARN) of the gateway. Use the ListGateways operation to return a list of gateways for your account and Region.
", "refs": { "ActivateGatewayOutput$GatewayARN": null, "AddCacheInput$GatewayARN": null, @@ -1163,18 +1182,18 @@ "CancelArchivalInput$GatewayARN": null, "CancelRetrievalInput$GatewayARN": null, "CreateCachediSCSIVolumeInput$GatewayARN": null, - "CreateNFSFileShareInput$GatewayARN": "The Amazon Resource Name (ARN) of the file gateway on which you want to create a file share.
", - "CreateSMBFileShareInput$GatewayARN": "The ARN of the file gateway on which you want to create a file share.
", + "CreateNFSFileShareInput$GatewayARN": "The Amazon Resource Name (ARN) of the S3 File Gateway on which you want to create a file share.
", + "CreateSMBFileShareInput$GatewayARN": "The ARN of the S3 File Gateway on which you want to create a file share.
", "CreateStorediSCSIVolumeInput$GatewayARN": null, - "CreateTapeWithBarcodeInput$GatewayARN": "The unique Amazon Resource Name (ARN) that represents the gateway to associate the virtual tape with. Use the ListGateways operation to return a list of gateways for your account and AWS Region.
", - "CreateTapesInput$GatewayARN": "The unique Amazon Resource Name (ARN) that represents the gateway to associate the virtual tapes with. Use the ListGateways operation to return a list of gateways for your account and AWS Region.
", + "CreateTapeWithBarcodeInput$GatewayARN": "The unique Amazon Resource Name (ARN) that represents the gateway to associate the virtual tape with. Use the ListGateways operation to return a list of gateways for your account and Region.
", + "CreateTapesInput$GatewayARN": "The unique Amazon Resource Name (ARN) that represents the gateway to associate the virtual tapes with. Use the ListGateways operation to return a list of gateways for your account and Region.
", "DeleteAutomaticTapeCreationPolicyInput$GatewayARN": null, "DeleteAutomaticTapeCreationPolicyOutput$GatewayARN": null, "DeleteBandwidthRateLimitInput$GatewayARN": null, "DeleteBandwidthRateLimitOutput$GatewayARN": null, "DeleteGatewayInput$GatewayARN": null, "DeleteGatewayOutput$GatewayARN": null, - "DeleteTapeInput$GatewayARN": "The unique Amazon Resource Name (ARN) of the gateway that the virtual tape to delete is associated with. Use the ListGateways operation to return a list of gateways for your account and AWS Region.
", + "DeleteTapeInput$GatewayARN": "The unique Amazon Resource Name (ARN) of the gateway that the virtual tape to delete is associated with. Use the ListGateways operation to return a list of gateways for your account and Region.
", "DescribeAvailabilityMonitorTestInput$GatewayARN": null, "DescribeAvailabilityMonitorTestOutput$GatewayARN": null, "DescribeBandwidthRateLimitInput$GatewayARN": null, @@ -1203,8 +1222,8 @@ "FileShareInfo$GatewayARN": null, "FileSystemAssociationInfo$GatewayARN": null, "FileSystemAssociationSummary$GatewayARN": null, - "GatewayInfo$GatewayARN": "The Amazon Resource Name (ARN) of the gateway. Use the ListGateways operation to return a list of gateways for your account and AWS Region.
", - "JoinDomainInput$GatewayARN": "The Amazon Resource Name (ARN) of the gateway. Use the ListGateways operation to return a list of gateways for your account and AWS Region.
The Amazon Resource Name (ARN) of the gateway. Use the ListGateways operation to return a list of gateways for your account and Region.
", + "JoinDomainInput$GatewayARN": "The Amazon Resource Name (ARN) of the gateway. Use the ListGateways operation to return a list of gateways for your account and Region.
The unique Amazon Resource Name (ARN) of the gateway that joined the domain.
", "ListAutomaticTapeCreationPoliciesInput$GatewayARN": null, "ListFileSharesInput$GatewayARN": "The Amazon Resource Name (ARN) of the gateway whose file shares you want to list. If this field is not present, all file shares under your account are listed.
", @@ -1218,12 +1237,12 @@ "NFSFileShareInfo$GatewayARN": null, "ResetCacheInput$GatewayARN": null, "ResetCacheOutput$GatewayARN": null, - "RetrieveTapeArchiveInput$GatewayARN": "The Amazon Resource Name (ARN) of the gateway you want to retrieve the virtual tape to. Use the ListGateways operation to return a list of gateways for your account and AWS Region.
You retrieve archived virtual tapes to only one gateway and the gateway must be a tape gateway.
", + "RetrieveTapeArchiveInput$GatewayARN": "The Amazon Resource Name (ARN) of the gateway you want to retrieve the virtual tape to. Use the ListGateways operation to return a list of gateways for your account and Region.
You retrieve archived virtual tapes to only one gateway and the gateway must be a tape gateway.
", "RetrieveTapeRecoveryPointInput$GatewayARN": null, "SMBFileShareInfo$GatewayARN": null, "SetLocalConsolePasswordInput$GatewayARN": null, "SetLocalConsolePasswordOutput$GatewayARN": null, - "SetSMBGuestPasswordInput$GatewayARN": "The Amazon Resource Name (ARN) of the file gateway the SMB file share is associated with.
", + "SetSMBGuestPasswordInput$GatewayARN": "The Amazon Resource Name (ARN) of the S3 File Gateway the SMB file share is associated with.
", "SetSMBGuestPasswordOutput$GatewayARN": null, "ShutdownGatewayInput$GatewayARN": null, "ShutdownGatewayOutput$GatewayARN": null, @@ -1232,7 +1251,7 @@ "StartGatewayInput$GatewayARN": null, "StartGatewayOutput$GatewayARN": null, "TapeArchive$RetrievedTo": "The Amazon Resource Name (ARN) of the tape gateway that the virtual tape is being retrieved to.
The virtual tape is retrieved from the virtual tape shelf (VTS).
", - "TapeInfo$GatewayARN": "The Amazon Resource Name (ARN) of the gateway. Use the ListGateways operation to return a list of gateways for your account and AWS Region.
", + "TapeInfo$GatewayARN": "The Amazon Resource Name (ARN) of the gateway. Use the ListGateways operation to return a list of gateways for your account and Region.
", "UpdateAutomaticTapeCreationPolicyInput$GatewayARN": null, "UpdateAutomaticTapeCreationPolicyOutput$GatewayARN": null, "UpdateBandwidthRateLimitInput$GatewayARN": null, @@ -1252,6 +1271,14 @@ "VolumeInfo$GatewayARN": null } }, + "GatewayCapacity": { + "base": null, + "refs": { + "DescribeGatewayInformationOutput$GatewayCapacity": "Specifies the size of the gateway's metadata cache.
", + "SupportedGatewayCapacities$member": null, + "UpdateGatewayInformationInput$GatewayCapacity": "Specifies the size of the gateway's metadata cache.
" + } + }, "GatewayId": { "base": null, "refs": { @@ -1304,7 +1331,7 @@ "GatewayType": { "base": null, "refs": { - "ActivateGatewayInput$GatewayType": "A value that defines the type of gateway to activate. The type specified is critical to all later functions of the gateway and cannot be changed after activation. The default value is CACHED.
Valid Values: STORED | CACHED | VTL | FILE_S3
A value that defines the type of gateway to activate. The type specified is critical to all later functions of the gateway and cannot be changed after activation. The default value is CACHED.
Valid Values: STORED | CACHED | VTL | FILE_S3 | FILE_FSX_SMB|
The type of the gateway.
", "GatewayInfo$GatewayType": "The type of the gateway.
" } @@ -1344,6 +1371,12 @@ "UpdateSnapshotScheduleInput$StartAt": "The hour of the day at which the snapshot schedule begins represented as hh, where hh is the hour (0 to 23). The hour of the day is in the time zone of the gateway.
" } }, + "IPV4Address": { + "base": null, + "refs": { + "IpAddressList$member": null + } + }, "IPV4AddressCIDR": { "base": null, "refs": { @@ -1372,6 +1405,12 @@ "refs": { } }, + "IpAddressList": { + "base": null, + "refs": { + "EndpointNetworkConfiguration$IpAddresses": "A list of gateway IP addresses on which the associated Amazon FSx file system is available.
If multiple file systems are associated with this gateway, this field is required.
The ARN of the backend storage used for storing file data. A prefix name can be added to the S3 bucket name. It must end with a \"/\".
", "refs": { - "CreateNFSFileShareInput$LocationARN": "The ARN of the backend storage used for storing file data. A prefix name can be added to the S3 bucket name. It must end with a \"/\".
", - "CreateSMBFileShareInput$LocationARN": "The ARN of the backend storage used for storing file data. A prefix name can be added to the S3 bucket name. It must end with a \"/\".
", + "CreateNFSFileShareInput$LocationARN": "The ARN of the backend storage used for storing file data. A prefix name can be added to the S3 bucket name. It must end with a \"/\".
You can specify a bucket attached to an access point using a complete ARN that includes the bucket region as shown:
arn:aws:s3:region:account-id:accesspoint/access-point-name
If you specify a bucket attached to an access point, the bucket policy must be configured to delegate access control to the access point. For information, see Delegating access control to access points in the Amazon S3 User Guide.
The ARN of the backend storage used for storing file data. A prefix name can be added to the S3 bucket name. It must end with a \"/\".
You can specify a bucket attached to an access point using a complete ARN that includes the bucket region as shown:
arn:aws:s3:region:account-id:accesspoint/access-point-name
If you specify a bucket attached to an access point, the bucket policy must be configured to delegate access control to the access point. For information, see Delegating access control to access points in the Amazon S3 User Guide.
Describes Network File System (NFS) file share default values. Files and folders stored as Amazon S3 objects in S3 buckets don't, by default, have Unix file permissions assigned to them. Upon discovery in an S3 bucket by Storage Gateway, the S3 objects that represent files and folders are assigned these default Unix permissions. This operation is only supported for file gateways.
", + "base": "Describes Network File System (NFS) file share default values. Files and folders stored as Amazon S3 objects in S3 buckets don't, by default, have Unix file permissions assigned to them. Upon discovery in an S3 bucket by Storage Gateway, the S3 objects that represent files and folders are assigned these default Unix permissions. This operation is only supported for S3 File Gateways.
", "refs": { "CreateNFSFileShareInput$NFSFileShareDefaults": "File share default values. Optional.
", "NFSFileShareInfo$NFSFileShareDefaults": null, @@ -1601,7 +1640,7 @@ } }, "NFSFileShareInfo": { - "base": "The Unix file permissions and ownership information assigned, by default, to native S3 objects when file gateway discovers them in S3 buckets. This operation is only supported in file gateways.
", + "base": "The Unix file permissions and ownership information assigned, by default, to native S3 objects when an S3 File Gateway discovers them in S3 buckets. This operation is only supported in S3 File Gateways.
", "refs": { "NFSFileShareInfoList$member": null } @@ -1669,14 +1708,14 @@ } }, "ObjectACL": { - "base": "A value that sets the access control list (ACL) permission for objects in the S3 bucket that a file gateway puts objects into. The default value is private.
A value that sets the access control list (ACL) permission for objects in the S3 bucket that an S3 File Gateway puts objects into. The default value is private.
A value that sets the access control list (ACL) permission for objects in the S3 bucket that a file gateway puts objects into. The default value is private.
A value that sets the access control list (ACL) permission for objects in the S3 bucket that a file gateway puts objects into. The default value is private.
A value that sets the access control list (ACL) permission for objects in the S3 bucket that a S3 File Gateway puts objects into. The default value is private.
A value that sets the access control list (ACL) permission for objects in the S3 bucket that a S3 File Gateway puts objects into. The default value is private.
A value that sets the access control list (ACL) permission for objects in the S3 bucket that a file gateway puts objects into. The default value is private.
A value that sets the access control list (ACL) permission for objects in the S3 bucket that a file gateway puts objects into. The default value is private.
A value that sets the access control list (ACL) permission for objects in the S3 bucket that a S3 File Gateway puts objects into. The default value is private.
A value that sets the access control list (ACL) permission for objects in the S3 bucket that a S3 File Gateway puts objects into. The default value is private.
The unique Amazon Resource Name (ARN) that represents the custom tape pool. Use the ListTapePools operation to return a list of tape pools for your account and AWS Region.
", + "CreateTapePoolOutput$PoolARN": "The unique Amazon Resource Name (ARN) that represents the custom tape pool. Use the ListTapePools operation to return a list of tape pools for your account and Region.
", "DeleteTapePoolInput$PoolARN": "The Amazon Resource Name (ARN) of the custom tape pool to delete.
", "DeleteTapePoolOutput$PoolARN": "The Amazon Resource Name (ARN) of the custom tape pool being deleted.
", "PoolARNs$member": null, - "PoolInfo$PoolARN": "The Amazon Resource Name (ARN) of the custom tape pool. Use the ListTapePools operation to return a list of custom tape pools for your account and AWS Region.
" + "PoolInfo$PoolARN": "The Amazon Resource Name (ARN) of the custom tape pool. Use the ListTapePools operation to return a list of custom tape pools for your account and Region.
" } }, "PoolARNs": { @@ -1796,7 +1835,11 @@ "RegionId": { "base": null, "refs": { - "ActivateGatewayInput$GatewayRegion": "A value that indicates the AWS Region where you want to store your data. The gateway AWS Region specified must be the same AWS Region as the AWS Region in your Host header in the request. For more information about available AWS Regions and endpoints for AWS Storage Gateway, see AWS Storage Gateway endpoints and quotas in the AWS General Reference.
Valid Values: See AWS Storage Gateway endpoints and quotas in the AWS General Reference.
" + "ActivateGatewayInput$GatewayRegion": "A value that indicates the Region where you want to store your data. The gateway Region specified must be the same Region as the Region in your Host header in the request. For more information about available Regions and endpoints for Storage Gateway, see Storage Gateway endpoints and quotas in the Amazon Web Services General Reference.
Valid Values: See Storage Gateway endpoints and quotas in the Amazon Web Services General Reference.
", + "CreateNFSFileShareInput$BucketRegion": "Specifies the Region of the S3 bucket where the NFS file share stores files.
This parameter is required for NFS file shares that connect to Amazon S3 through a VPC endpoint, a VPC access point, or an access point alias that points to a VPC access point.
Specifies the Region of the S3 bucket where the SMB file share stores files.
This parameter is required for SMB file shares that connect to Amazon S3 through a VPC endpoint, a VPC access point, or an access point alias that points to a VPC access point.
Specifies the Region of the S3 bucket where the NFS file share stores files.
This parameter is required for NFS file shares that connect to Amazon S3 through a VPC endpoint, a VPC access point, or an access point alias that points to a VPC access point.
Specifies the Region of the S3 bucket where the SMB file share stores files.
This parameter is required for SMB file shares that connect to Amazon S3 through a VPC endpoint, a VPC access point, or an access point alias that points to a VPC access point.
Tape retention lock can be configured in two modes. When configured in governance mode, AWS accounts with specific IAM permissions are authorized to remove the tape retention lock from archived virtual tapes. When configured in compliance mode, the tape retention lock cannot be removed by any user, including the root AWS account.
", - "PoolInfo$RetentionLockType": "Tape retention lock type, which can be configured in two modes. When configured in governance mode, AWS accounts with specific IAM permissions are authorized to remove the tape retention lock from archived virtual tapes. When configured in compliance mode, the tape retention lock cannot be removed by any user, including the root AWS account.
" + "CreateTapePoolInput$RetentionLockType": "Tape retention lock can be configured in two modes. When configured in governance mode, accounts with specific IAM permissions are authorized to remove the tape retention lock from archived virtual tapes. When configured in compliance mode, the tape retention lock cannot be removed by any user, including the root account.
", + "PoolInfo$RetentionLockType": "Tape retention lock type, which can be configured in two modes. When configured in governance mode, accounts with specific IAM permissions are authorized to remove the tape retention lock from archived virtual tapes. When configured in compliance mode, the tape retention lock cannot be removed by any user, including the root account.
" } }, "RetrieveTapeArchiveInput": { @@ -1865,16 +1908,16 @@ } }, "Role": { - "base": "The ARN of the IAM role that file gateway assumes when it accesses the underlying storage.
", + "base": "The ARN of the IAM role that an S3 File Gateway assumes when it accesses the underlying storage.
", "refs": { - "CreateNFSFileShareInput$Role": "The ARN of the AWS Identity and Access Management (IAM) role that a file gateway assumes when it accesses the underlying storage.
", - "CreateSMBFileShareInput$Role": "The ARN of the AWS Identity and Access Management (IAM) role that a file gateway assumes when it accesses the underlying storage.
", + "CreateNFSFileShareInput$Role": "The ARN of the Identity and Access Management (IAM) role that an S3 File Gateway assumes when it accesses the underlying storage.
", + "CreateSMBFileShareInput$Role": "The ARN of the Identity and Access Management (IAM) role that an S3 File Gateway assumes when it accesses the underlying storage.
", "NFSFileShareInfo$Role": null, "SMBFileShareInfo$Role": null } }, "SMBFileShareInfo": { - "base": "The Windows file permissions and ownership information assigned, by default, to native S3 objects when file gateway discovers them in S3 buckets. This operation is only supported for file gateways.
", + "base": "The Windows file permissions and ownership information assigned, by default, to native S3 objects when S3 File Gateway discovers them in S3 buckets. This operation is only supported for S3 File Gateways.
", "refs": { "SMBFileShareInfoList$member": null } @@ -1894,8 +1937,8 @@ "SMBSecurityStrategy": { "base": null, "refs": { - "DescribeSMBSettingsOutput$SMBSecurityStrategy": "The type of security strategy that was specified for file gateway.
ClientSpecified: If you use this option, requests are established based on what is negotiated by the client. This option is recommended when you want to maximize compatibility across different clients in your environment.
MandatorySigning: If you use this option, file gateway only allows connections from SMBv2 or SMBv3 clients that have signing enabled. This option works with SMB clients on Microsoft Windows Vista, Windows Server 2008 or newer.
MandatoryEncryption: If you use this option, file gateway only allows connections from SMBv3 clients that have encryption enabled. This option is highly recommended for environments that handle sensitive data. This option works with SMB clients on Microsoft Windows 8, Windows Server 2012 or newer.
Specifies the type of security strategy.
ClientSpecified: if you use this option, requests are established based on what is negotiated by the client. This option is recommended when you want to maximize compatibility across different clients in your environment.
MandatorySigning: if you use this option, file gateway only allows connections from SMBv2 or SMBv3 clients that have signing enabled. This option works with SMB clients on Microsoft Windows Vista, Windows Server 2008 or newer.
MandatoryEncryption: if you use this option, file gateway only allows connections from SMBv3 clients that have encryption enabled. This option is highly recommended for environments that handle sensitive data. This option works with SMB clients on Microsoft Windows 8, Windows Server 2012 or newer.
" + "DescribeSMBSettingsOutput$SMBSecurityStrategy": "The type of security strategy that was specified for file gateway.
ClientSpecified: If you use this option, requests are established based on what is negotiated by the client. This option is recommended when you want to maximize compatibility across different clients in your environment. Only supported for S3 File Gateways.
MandatorySigning: If you use this option, file gateway only allows connections from SMBv2 or SMBv3 clients that have signing enabled. This option works with SMB clients on Microsoft Windows Vista, Windows Server 2008 or newer.
MandatoryEncryption: If you use this option, file gateway only allows connections from SMBv3 clients that have encryption enabled. This option is highly recommended for environments that handle sensitive data. This option works with SMB clients on Microsoft Windows 8, Windows Server 2012 or newer.
Specifies the type of security strategy.
ClientSpecified: if you use this option, requests are established based on what is negotiated by the client. This option is recommended when you want to maximize compatibility across different clients in your environment. Supported only in S3 File Gateway.
MandatorySigning: if you use this option, file gateway only allows connections from SMBv2 or SMBv3 clients that have signing enabled. This option works with SMB clients on Microsoft Windows Vista, Windows Server 2008 or newer.
MandatoryEncryption: if you use this option, file gateway only allows connections from SMBv3 clients that have encryption enabled. This option is highly recommended for environments that handle sensitive data. This option works with SMB clients on Microsoft Windows 8, Windows Server 2012 or newer.
" } }, "ServiceUnavailableError": { @@ -1936,8 +1979,8 @@ "SnapshotDescription": { "base": null, "refs": { - "CreateSnapshotFromVolumeRecoveryPointInput$SnapshotDescription": "Textual description of the snapshot that appears in the Amazon EC2 console, Elastic Block Store snapshots panel in the Description field, and in the AWS Storage Gateway snapshot Details pane, Description field.
", - "CreateSnapshotInput$SnapshotDescription": "Textual description of the snapshot that appears in the Amazon EC2 console, Elastic Block Store snapshots panel in the Description field, and in the AWS Storage Gateway snapshot Details pane, Description field.
" + "CreateSnapshotFromVolumeRecoveryPointInput$SnapshotDescription": "Textual description of the snapshot that appears in the Amazon EC2 console, Elastic Block Store snapshots panel in the Description field, and in the Storage Gateway snapshot Details pane, Description field.
", + "CreateSnapshotInput$SnapshotDescription": "Textual description of the snapshot that appears in the Amazon EC2 console, Elastic Block Store snapshots panel in the Description field, and in the Storage Gateway snapshot Details pane, Description field.
" } }, "SnapshotId": { @@ -1988,12 +2031,12 @@ "StorageClass": { "base": "", "refs": { - "CreateNFSFileShareInput$DefaultStorageClass": "The default storage class for objects put into an Amazon S3 bucket by the file gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the file gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the file gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the file gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the file gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the file gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the S3 File Gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the S3 File Gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the S3 File Gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the S3 File Gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the S3 File Gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
The default storage class for objects put into an Amazon S3 bucket by the S3 File Gateway. The default value is S3_INTELLIGENT_TIERING. Optional.
Valid Values: S3_STANDARD | S3_INTELLIGENT_TIERING | S3_STANDARD_IA | S3_ONEZONE_IA
Describes a single unit of output from DescribeStorediSCSIVolumes. The following fields are returned:
ChapEnabled: Indicates whether mutual CHAP is enabled for the iSCSI target.
LunNumber: The logical disk number.
NetworkInterfaceId: The network interface ID of the stored volume that initiator use to map the stored volume as an iSCSI target.
NetworkInterfacePort: The port used to communicate with iSCSI targets.
PreservedExistingData: Indicates when the stored volume was created, existing data on the underlying local disk was preserved.
SourceSnapshotId: If the stored volume was created from a snapshot, this field contains the snapshot ID used, e.g. snap-1122aabb. Otherwise, this field is not included.
StorediSCSIVolumes: An array of StorediSCSIVolume objects where each object contains metadata about one stored volume.
TargetARN: The Amazon Resource Name (ARN) of the volume target.
VolumeARN: The Amazon Resource Name (ARN) of the stored volume.
VolumeDiskId: The disk ID of the local disk that was specified in the CreateStorediSCSIVolume operation.
VolumeId: The unique identifier of the storage volume, e.g. vol-1122AABB.
VolumeiSCSIAttributes: An VolumeiSCSIAttributes object that represents a collection of iSCSI attributes for one stored volume.
VolumeProgress: Represents the percentage complete if the volume is restoring or bootstrapping that represents the percent of data transferred. This field does not appear in the response if the stored volume is not restoring or bootstrapping.
VolumeSizeInBytes: The size of the volume in bytes.
VolumeStatus: One of the VolumeStatus values that indicates the state of the volume.
VolumeType: One of the enumeration values describing the type of the volume. Currently, only STORED volumes are supported.
A list of the metadata cache sizes that the gateway can support based on its current hardware specifications.
" + } + }, "Tag": { "base": "A key-value pair that helps you manage, filter, and search for your resource. Allowed characters: letters, white space, and numbers, representable in UTF-8, and the following characters: + - = . _ : /.
", "refs": { @@ -2582,13 +2631,13 @@ "CreateStorediSCSIVolumeInput$PreserveExistingData": "Set to true if you want to preserve the data on the local disk. Otherwise, set to false to create an empty volume.
Valid Values: true | false
Set to TRUE if the tape you are creating is to be configured as a write-once-read-many (WORM) tape.
Set to TRUE if the tape you are creating is to be configured as a write-once-read-many (WORM) tape.
If this value is set to true, the operation deletes a file share immediately and aborts all data uploads to AWS. Otherwise, the file share is not deleted until all data is uploaded to AWS. This process aborts the data upload process, and the file share enters the FORCE_DELETING status.
Valid Values: true | false
If this value is set to true, the operation deletes a file share immediately and aborts all data uploads to Amazon Web Services. Otherwise, the file share is not deleted until all data is uploaded to Amazon Web Services. This process aborts the data upload process, and the file share enters the FORCE_DELETING status.
Valid Values: true | false
Set to TRUE to delete an archived tape that belongs to a custom pool with tape retention lock. Only archived tapes with tape retention lock set to governance can be deleted. Archived tapes with tape retention lock set to compliance can't be deleted.
Set to TRUE to delete an archived tape that belongs to a custom pool with tape retention lock. Only archived tapes with tape retention lock set to governance can be deleted. Archived tapes with tape retention lock set to compliance can't be deleted.
Indicates whether mutual CHAP is enabled for the iSCSI target.
", "DisassociateFileSystemInput$ForceDelete": "If this value is set to true, the operation disassociates an Amazon FSx file system immediately. It ends all data uploads to the file system, and the file system association enters the FORCE_DELETING status. If this value is set to false, the Amazon FSx file system does not disassociate until all data is uploaded.
Set to true to use Amazon S3 server-side encryption with your own AWS KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own AWS KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Set to true to use Amazon S3 server-side encryption with your own KMS key, or false to use a key managed by Amazon S3. Optional.
Valid Values: true | false
Indicates if when the stored volume was created, existing data on the underlying local disk was preserved.
Valid Values: true | false
If the tape is archived as write-once-read-many (WORM), this value is true.
Set to true if the archived tape is stored as write-once-read-many (WORM).
Percent use of the gateway's cache storage. This metric applies only to the gateway-cached volume setup. The sample is taken at the end of the reporting period.
", - "DescribeCacheOutput$CacheDirtyPercentage": "The file share's contribution to the overall percentage of the gateway's cache that has not been persisted to AWS. The sample is taken at the end of the reporting period.
", + "DescribeCacheOutput$CacheDirtyPercentage": "The file share's contribution to the overall percentage of the gateway's cache that has not been persisted to Amazon Web Services. The sample is taken at the end of the reporting period.
", "DescribeCacheOutput$CacheHitPercentage": "Percent of application read operations from the file shares that are served from cache. The sample is taken at the end of the reporting period.
", "DescribeCacheOutput$CacheMissPercentage": "Percent of application read operations from the file shares that are not served from cache. The sample is taken at the end of the reporting period.
" } diff --git a/models/apis/sts/2011-06-15/docs-2.json b/models/apis/sts/2011-06-15/docs-2.json index f0f6c11e51d..6b8f014cccf 100644 --- a/models/apis/sts/2011-06-15/docs-2.json +++ b/models/apis/sts/2011-06-15/docs-2.json @@ -1,15 +1,15 @@ { "version": "2.0", - "service": "AWS Security Token Service (STS) enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more information about using this service, see Temporary Security Credentials.
", + "service": "Security Token Service (STS) enables you to request temporary, limited-privilege credentials for Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more information about using this service, see Temporary Security Credentials.
", "operations": { - "AssumeRole": "Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRole can be used to make API calls to any AWS service with the following exception: You cannot call the AWS STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
To assume a role from a different account, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account.
A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account. If the user is in the same account as the role, then you can do either of the following:
Attach a policy to the user (identical to the previous user in a different account).
Add the user as a principal directly in the role's trust policy.
In this case, the trust policy acts as an IAM resource-based policy. Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.
Tags
(Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Using MFA with AssumeRole
(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an AWS MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.
\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.
To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithSAML last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour. When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails.
Permissions
The temporary security credentials created by AssumeRoleWithSAML can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Calling AssumeRoleWithSAML does not require the use of AWS security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail logs. The entry includes the value in the NameID element of the SAML assertion. We recommend that you use a NameIDType that is not associated with any personally identifiable information (PII). For example, you could instead use the persistent identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
Tags
(Optional) You can configure your IdP to pass attributes into your SAML assertion as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, session tags override the role's tags with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
SAML Configuration
Before your application can call AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to issue the claims required by AWS. Additionally, you must use AWS Identity and Access Management (IAM) to create a SAML provider entity in your AWS account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.
For more information, see the following resources:
About SAML 2.0-based Federation in the IAM User Guide.
Creating SAML Identity Providers in the IAM User Guide.
Configuring a Relying Party and Claims in the IAM User Guide.
Creating a Role for SAML 2.0 Federation in the IAM User Guide.
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the AWS SDK for iOS Developer Guide and the AWS SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.
To learn more about Amazon Cognito, see Amazon Cognito Overview in AWS SDK for Android Developer Guide and Amazon Cognito Overview in the AWS SDK for iOS Developer Guide.
Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application. You also don't need to deploy server-based proxy services that use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS service API operations.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Tags
(Optional) You can configure your IdP to pass attributes into your web identity token as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, the session tag overrides the role tag with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Identities
Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.
Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail logs. The entry includes the Subject of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.
For more information about how to use web identity federation and the AssumeRoleWithWebIdentity API, see the following resources:
Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
Web Identity Federation Playground. Walk through the process of authenticating through Login with Amazon, Facebook, or Google, getting temporary security credentials, and then using those credentials to make a request to AWS.
AWS SDK for iOS Developer Guide and AWS SDK for Android Developer Guide. These toolkits contain sample apps that show how to invoke the identity providers. The toolkits then show how to use the information from these providers to get and use temporary security credentials.
Web Identity Federation with Mobile Applications. This article discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3.
Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.
For example, if a user is not authorized to perform an operation that he or she has requested, the request returns a Client.UnauthorizedOperation response (an HTTP 403 response). Some AWS operations additionally return an encoded message that can provide details about this authorization failure.
Only certain AWS operations return an encoded authorization message. The documentation for an individual operation indicates whether that operation returns an encoded message in addition to returning an HTTP code.
The message is encoded because the details of the authorization status can constitute privileged information that the user who requested the operation should not see. To decode an authorization status message, a user must be granted permissions via an IAM policy to request the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action.
The decoded message includes the following type of information:
Whether the request was denied due to an explicit deny or due to the absence of an explicit allow. For more information, see Determining Whether a Request is Allowed or Denied in the IAM User Guide.
The principal who made the request.
The requested action.
The requested resource.
The values of condition keys in the context of the user's request.
Returns the account identifier for the specified access key ID.
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). For more information about access keys, see Managing Access Keys for IAM Users in the IAM User Guide.
When you pass an access key ID to this operation, it returns the ID of the AWS account to which the keys belong. Access key IDs beginning with AKIA are long-term credentials for an IAM user or the AWS account root user. Access key IDs beginning with ASIA are temporary credentials that are created using STS operations. If the account in the response belongs to you, you can sign in as the root user and review your root user access keys. Then, you can pull a credentials report to learn which IAM user owns the keys. To learn who requested the temporary credentials for an ASIA access key, view the STS events in your CloudTrail logs in the IAM User Guide.
This operation does not indicate the state of the access key. The key might be active, inactive, or deleted. Active keys might not have permissions to perform an operation. Providing a deleted access key might return an error that the key doesn't exist.
", + "AssumeRole": "Returns a set of temporary security credentials that you can use to access Amazon Web Services resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the STS API operations in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRole can be used to make API calls to any Amazon Web Services service with the following exception: You cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
To assume a role from a different account, your account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account.
A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account. If the user is in the same account as the role, then you can do either of the following:
Attach a policy to the user (identical to the previous user in a different account).
Add the user as a principal directly in the role's trust policy.
In this case, the trust policy acts as an IAM resource-based policy. Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.
Tags
(Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Using MFA with AssumeRole
(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.
\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.
To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based Amazon Web Services access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the STS API operations in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to Amazon Web Services services.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithSAML last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Role chaining limits your CLI or Amazon Web Services API role session to a maximum of one hour. When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails.
Permissions
The temporary security credentials created by AssumeRoleWithSAML can be used to make API calls to any Amazon Web Services service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Calling AssumeRoleWithSAML does not require the use of Amazon Web Services security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. The entry includes the value in the NameID element of the SAML assertion. We recommend that you use a NameIDType that is not associated with any personally identifiable information (PII). For example, you could instead use the persistent identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
Tags
(Optional) You can configure your IdP to pass attributes into your SAML assertion as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, session tags override the role's tags with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
SAML Configuration
Before your application can call AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.
For more information, see the following resources:
About SAML 2.0-based Federation in the IAM User Guide.
Creating SAML Identity Providers in the IAM User Guide.
Configuring a Relying Party and Claims in the IAM User Guide.
Creating a Role for SAML 2.0 Federation in the IAM User Guide.
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide and the Amazon Web Services SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.
To learn more about Amazon Cognito, see Amazon Cognito Overview in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito Overview in the Amazon Web Services SDK for iOS Developer Guide.
Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web Services security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term Amazon Web Services credentials in the application. You also don't need to deploy server-based proxy services that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to Amazon Web Services service API operations.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web Services service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Tags
(Optional) You can configure your IdP to pass attributes into your web identity token as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, the session tag overrides the role tag with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Identities
Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.
Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail logs. The entry includes the Subject of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.
For more information about how to use web identity federation and the AssumeRoleWithWebIdentity API, see the following resources:
Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
Web Identity Federation Playground. Walk through the process of authenticating through Login with Amazon, Facebook, or Google, getting temporary security credentials, and then using those credentials to make a request to Amazon Web Services.
Amazon Web Services SDK for iOS Developer Guide and Amazon Web Services SDK for Android Developer Guide. These toolkits contain sample apps that show how to invoke the identity providers. The toolkits then show how to use the information from these providers to get and use temporary security credentials.
Web Identity Federation with Mobile Applications. This article discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3.
Decodes additional information about the authorization status of a request from an encoded message returned in response to an Amazon Web Services request.
For example, if a user is not authorized to perform an operation that he or she has requested, the request returns a Client.UnauthorizedOperation response (an HTTP 403 response). Some Amazon Web Services operations additionally return an encoded message that can provide details about this authorization failure.
Only certain Amazon Web Services operations return an encoded authorization message. The documentation for an individual operation indicates whether that operation returns an encoded message in addition to returning an HTTP code.
The message is encoded because the details of the authorization status can constitute privileged information that the user who requested the operation should not see. To decode an authorization status message, a user must be granted permissions via an IAM policy to request the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action.
The decoded message includes the following type of information:
Whether the request was denied due to an explicit deny or due to the absence of an explicit allow. For more information, see Determining Whether a Request is Allowed or Denied in the IAM User Guide.
The principal who made the request.
The requested action.
The requested resource.
The values of condition keys in the context of the user's request.
Returns the account identifier for the specified access key ID.
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). For more information about access keys, see Managing Access Keys for IAM Users in the IAM User Guide.
When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services account to which the keys belong. Access key IDs beginning with AKIA are long-term credentials for an IAM user or the Amazon Web Services account root user. Access key IDs beginning with ASIA are temporary credentials that are created using STS operations. If the account in the response belongs to you, you can sign in as the root user and review your root user access keys. Then, you can pull a credentials report to learn which IAM user owns the keys. To learn who requested the temporary credentials for an ASIA access key, view the STS events in your CloudTrail logs in the IAM User Guide.
This operation does not indicate the state of the access key. The key might be active, inactive, or deleted. Active keys might not have permissions to perform an operation. Providing a deleted access key might return an error that the key doesn't exist.
", "GetCallerIdentity": "Returns details about the IAM user or role whose credentials are used to call the operation.
No permissions are required to perform this operation. If an administrator adds a policy to your IAM user or role that explicitly denies access to the sts:GetCallerIdentity action, you can still perform this operation. Permissions are not required because the same information is returned when an IAM user or role is denied access. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the IAM User Guide.
Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
You can also call GetFederationToken using the security credentials of an AWS account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS account root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken in any AWS service except the following:
You cannot call any IAM operations using the AWS CLI or the AWS API.
You cannot call any STS operations except GetCallerIdentity.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
You can also call GetFederationToken using the security credentials of an AWS account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS account root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken in any AWS service except the following:
You cannot call any IAM operations using the AWS CLI or the AWS API.
You cannot call any STS operations except GetCallerIdentity.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the user that you are federating has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.
Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error. For a comparison of GetSessionToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
Session Duration
The GetSessionToken operation must be called by using the long-term AWS security credentials of the AWS account root user or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions
The temporary security credentials created by GetSessionToken can be used to make API calls to any AWS service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is included in the request.
You cannot call any STS API except AssumeRole or GetCallerIdentity.
We recommend that you do not call GetSessionToken with AWS account root user credentials. Instead, follow our best practices by creating one or more IAM users, giving them the necessary permissions, and using IAM users for everyday interaction with AWS.
The credentials that are returned by GetSessionToken are based on permissions associated with the user whose credentials were used to call the operation. If GetSessionToken is called using AWS account root user credentials, the temporary credentials have root user permissions. Similarly, if GetSessionToken is called using the credentials of an IAM user, the temporary credentials have the same permissions as the IAM user.
For more information about using GetSessionToken to create temporary credentials, go to Temporary Credentials for Users in Untrusted Environments in the IAM User Guide.
Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the STS API operations in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
You can also call GetFederationToken using the security credentials of an Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials that are obtained by using Amazon Web Services account root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken in any Amazon Web Services service except the following:
You cannot call any IAM operations using the CLI or the Amazon Web Services API.
You cannot call any STS operations except GetCallerIdentity.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
You can also call GetFederationToken using the security credentials of an Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials that are obtained by using Amazon Web Services account root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken in any Amazon Web Services service except the following:
You cannot call any IAM operations using the CLI or the Amazon Web Services API.
You cannot call any STS operations except GetCallerIdentity.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the user that you are federating has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.
Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific Amazon Web Services API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error. For a comparison of GetSessionToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the STS API operations in the IAM User Guide.
Session Duration
The GetSessionToken operation must be called by using the long-term Amazon Web Services security credentials of the Amazon Web Services account root user or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions
The temporary security credentials created by GetSessionToken can be used to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is included in the request.
You cannot call any STS API except AssumeRole or GetCallerIdentity.
We recommend that you do not call GetSessionToken with Amazon Web Services account root user credentials. Instead, follow our best practices by creating one or more IAM users, giving them the necessary permissions, and using IAM users for everyday interaction with Amazon Web Services.
The credentials that are returned by GetSessionToken are based on permissions associated with the user whose credentials were used to call the operation. If GetSessionToken is called using Amazon Web Services account root user credentials, the temporary credentials have root user permissions. Similarly, if GetSessionToken is called using the credentials of an IAM user, the temporary credentials have the same permissions as the IAM user.
For more information about using GetSessionToken to create temporary credentials, go to Temporary Credentials for Users in Untrusted Environments in the IAM User Guide.
Contains the response to a successful AssumeRole request, including temporary AWS credentials that can be used to make AWS requests.
", + "base": "Contains the response to a successful AssumeRole request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
", "refs": { } }, @@ -28,7 +28,7 @@ } }, "AssumeRoleWithSAMLResponse": { - "base": "Contains the response to a successful AssumeRoleWithSAML request, including temporary AWS credentials that can be used to make AWS requests.
", + "base": "Contains the response to a successful AssumeRoleWithSAML request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
", "refs": { } }, @@ -38,7 +38,7 @@ } }, "AssumeRoleWithWebIdentityResponse": { - "base": "Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary AWS credentials that can be used to make AWS requests.
", + "base": "Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
", "refs": { } }, @@ -58,7 +58,7 @@ } }, "Credentials": { - "base": "AWS credentials for API authentication.
", + "base": "Amazon Web Services credentials for API authentication.
", "refs": { "AssumeRoleResponse$Credentials": "The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
A document that contains additional information about the authorization status of a request from an encoded message that is returned in response to an AWS request.
", + "base": "A document that contains additional information about the authorization status of a request from an encoded message that is returned in response to an Amazon Web Services request.
", "refs": { } }, @@ -114,7 +114,7 @@ } }, "GetFederationTokenResponse": { - "base": "Contains the response to a successful GetFederationToken request, including temporary AWS credentials that can be used to make AWS requests.
", + "base": "Contains the response to a successful GetFederationToken request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
", "refs": { } }, @@ -124,7 +124,7 @@ } }, "GetSessionTokenResponse": { - "base": "Contains the response to a successful GetSessionToken request, including temporary AWS credentials that can be used to make AWS requests.
", + "base": "Contains the response to a successful GetSessionToken request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
", "refs": { } }, @@ -144,7 +144,7 @@ } }, "InvalidIdentityTokenException": { - "base": "The web identity token that was passed could not be validated by AWS. Get a new identity token from the identity provider and then retry the request.
", + "base": "The web identity token that was passed could not be validated by Amazon Web Services. Get a new identity token from the identity provider and then retry the request.
", "refs": { } }, @@ -163,11 +163,11 @@ "NameQualifier": { "base": null, "refs": { - "AssumeRoleWithSAMLResponse$NameQualifier": "A hash value based on the concatenation of the following:
The Issuer response value.
The AWS account ID.
The friendly name (the last part of the ARN) of the SAML provider in IAM.
The combination of NameQualifier and Subject can be used to uniquely identify a federated user.
The following pseudocode shows how the hash value is calculated:
BASE64 ( SHA1 ( \"https://example.com/saml\" + \"123456789012\" + \"/MySAMLIdP\" ) )
A hash value based on the concatenation of the following:
The Issuer response value.
The Amazon Web Services account ID.
The friendly name (the last part of the ARN) of the SAML provider in IAM.
The combination of NameQualifier and Subject can be used to uniquely identify a federated user.
The following pseudocode shows how the hash value is calculated:
BASE64 ( SHA1 ( \"https://example.com/saml\" + \"123456789012\" + \"/MySAMLIdP\" ) )
The request was rejected because the total packed size of the session policies and session tags combined was too large. An AWS conversion compresses the session policy document, session policy ARNs, and session tags into a packed binary format that has a separate limit. The error message indicates by percentage how close the policies and tags are to the upper size limit. For more information, see Passing Session Tags in STS in the IAM User Guide.
You could receive this error even though you meet other defined session policy and session tag limits. For more information, see IAM and STS Entity Character Limits in the IAM User Guide.
", + "base": "The request was rejected because the total packed size of the session policies and session tags combined was too large. An Amazon Web Services conversion compresses the session policy document, session policy ARNs, and session tags into a packed binary format that has a separate limit. The error message indicates by percentage how close the policies and tags are to the upper size limit. For more information, see Passing Session Tags in STS in the IAM User Guide.
You could receive this error even though you meet other defined session policy and session tag limits. For more information, see IAM and STS Entity Character Limits in the IAM User Guide.
", "refs": { } }, @@ -178,7 +178,7 @@ } }, "RegionDisabledException": { - "base": "STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating AWS STS in an AWS Region in the IAM User Guide.
", + "base": "STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region in the IAM User Guide.
", "refs": { } }, @@ -201,7 +201,7 @@ } }, "Tag": { - "base": "You can pass custom key-value pair attributes when you assume a role or federate a user. These are called session tags. You can then use the session tags to control access to resources. For more information, see Tagging AWS STS Sessions in the IAM User Guide.
", + "base": "You can pass custom key-value pair attributes when you assume a role or federate a user. These are called session tags. You can then use the session tags to control access to resources. For more information, see Tagging STS Sessions in the IAM User Guide.
", "refs": { "tagListType$member": null } @@ -222,8 +222,8 @@ "accountType": { "base": null, "refs": { - "GetAccessKeyInfoResponse$Account": "The number used to identify the AWS account.
", - "GetCallerIdentityResponse$Account": "The AWS account ID number of the account that owns or contains the calling entity.
" + "GetAccessKeyInfoResponse$Account": "The number used to identify the Amazon Web Services account.
", + "GetCallerIdentityResponse$Account": "The Amazon Web Services account ID number of the account that owns or contains the calling entity.
" } }, "arnType": { @@ -235,14 +235,14 @@ "AssumeRoleWithWebIdentityRequest$RoleArn": "The Amazon Resource Name (ARN) of the role that the caller is assuming.
", "AssumedRoleUser$Arn": "The ARN of the temporary security credentials that are returned from the AssumeRole action. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.
", "FederatedUser$Arn": "The ARN that specifies the federated user that is associated with the credentials. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.
", - "GetCallerIdentityResponse$Arn": "The AWS ARN associated with the calling entity.
", - "PolicyDescriptorType$arn": "The Amazon Resource Name (ARN) of the IAM managed policy to use as a session policy for the role. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
" + "GetCallerIdentityResponse$Arn": "The Amazon Web Services ARN associated with the calling entity.
", + "PolicyDescriptorType$arn": "The Amazon Resource Name (ARN) of the IAM managed policy to use as a session policy for the role. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
" } }, "assumedRoleIdType": { "base": null, "refs": { - "AssumedRoleUser$AssumedRoleId": "A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by AWS when the role is created.
" + "AssumedRoleUser$AssumedRoleId": "A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by Amazon Web Services when the role is created.
" } }, "clientTokenType": { @@ -266,8 +266,8 @@ "durationSecondsType": { "base": null, "refs": { - "GetFederationTokenRequest$DurationSeconds": "The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using AWS account root user credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using root user credentials defaults to one hour.
", - "GetSessionTokenRequest$DurationSeconds": "The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.
" + "GetFederationTokenRequest$DurationSeconds": "The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using Amazon Web Services account root user credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using root user credentials defaults to one hour.
", + "GetSessionTokenRequest$DurationSeconds": "The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for Amazon Web Services account owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one hour, the session for Amazon Web Services account owners defaults to one hour.
" } }, "encodedMessageType": { @@ -285,7 +285,7 @@ "externalIdType": { "base": null, "refs": { - "AssumeRoleRequest$ExternalId": "A unique identifier that might be required when you assume a role in another account. If the administrator of the account to which the role belongs provided you with an external ID, then provide that value in the ExternalId parameter. This value can be any string, such as a passphrase or account number. A cross-account role is usually set up to trust everyone in an account. Therefore, the administrator of the trusting account might send an external ID to the administrator of the trusted account. That way, only someone with the ID can assume the role, rather than everyone in the account. For more information about the external ID, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" + "AssumeRoleRequest$ExternalId": "A unique identifier that might be required when you assume a role in another account. If the administrator of the account to which the role belongs provided you with an external ID, then provide that value in the ExternalId parameter. This value can be any string, such as a passphrase or account number. A cross-account role is usually set up to trust everyone in an account. Therefore, the administrator of the trusting account might send an external ID to the administrator of the trusted account. That way, only someone with the ID can assume the role, rather than everyone in the account. For more information about the external ID, see How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" } }, "federatedIdType": { @@ -342,10 +342,10 @@ "policyDescriptorListType": { "base": null, "refs": { - "AssumeRoleRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", - "AssumeRoleWithSAMLRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", - "AssumeRoleWithWebIdentityRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", - "GetFederationTokenRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions that are granted by the session policies.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", + "AssumeRoleWithSAMLRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", + "AssumeRoleWithWebIdentityRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
", + "GetFederationTokenRequest$PolicyArns": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions that are granted by the session policies.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
The duration, in seconds, of the role session. The value specified can can range from 900 seconds (15 minutes) up to the maximum session duration that is set for the role. The maximum session duration setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting or the administrator setting (whichever is lower), the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console in the IAM User Guide.
The duration, in seconds, of the role session. Your role session lasts for the duration that you specify for the DurationSeconds parameter, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console in the IAM User Guide.
The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console in the IAM User Guide.
The duration, in seconds, of the role session. The value specified can can range from 900 seconds (15 minutes) up to the maximum session duration that is set for the role. The maximum session duration setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting or the administrator setting (whichever is lower), the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the Management Console in the IAM User Guide.
The duration, in seconds, of the role session. Your role session lasts for the duration that you specify for the DurationSeconds parameter, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the Management Console in the IAM User Guide.
The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the Management Console in the IAM User Guide.
An identifier for the assumed role session.
Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their AWS CloudTrail logs.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
", + "AssumeRoleRequest$RoleSessionName": "An identifier for the assumed role session.
Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their CloudTrail logs.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
", "AssumeRoleWithWebIdentityRequest$RoleSessionName": "An identifier for the assumed role session. Typically, you pass the name or identifier that is associated with the user who is using your application. That way, the temporary security credentials that your application will use are associated with that user. This session name is included as part of the ARN and assumed role ID in the AssumedRoleUser response element.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" } }, @@ -373,23 +373,23 @@ "base": null, "refs": { "AssumeRoleRequest$SerialNumber": "The identification number of the MFA device that is associated with the user who is making the AssumeRole call. Specify this value if the trust policy of the role being assumed includes a condition that requires MFA authentication. The value is either the serial number for a hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
", - "GetSessionTokenRequest$SerialNumber": "The identification number of the MFA device that is associated with the IAM user who is making the GetSessionToken call. Specify this value if the IAM user has a policy that requires MFA authentication. The value is either the serial number for a hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM user by going to the AWS Management Console and viewing the user's security credentials.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" + "GetSessionTokenRequest$SerialNumber": "The identification number of the MFA device that is associated with the IAM user who is making the GetSessionToken call. Specify this value if the IAM user has a policy that requires MFA authentication. The value is either the serial number for a hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM user by going to the Management Console and viewing the user's security credentials.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
" } }, "sessionPolicyDocumentType": { "base": null, "refs": { - "AssumeRoleRequest$Policy": "An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions that are granted by the session policies.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions that are granted by the session policies.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
The source identity specified by the principal that is calling the AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. You can use source identity information in AWS CloudTrail logs to determine who took actions with a role. You can use the aws:SourceIdentity condition key to further control access to AWS resources based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-. You cannot use a value that begins with the text aws:. This prefix is reserved for AWS internal use.
The source identity specified by the principal that is calling the AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. You can use source identity information in AWS CloudTrail logs to determine who took actions with a role. You can use the aws:SourceIdentity condition key to further control access to AWS resources based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
", + "AssumeRoleRequest$SourceIdentity": "The source identity specified by the principal that is calling the AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. You can use source identity information in CloudTrail logs to determine who took actions with a role. You can use the aws:SourceIdentity condition key to further control access to Amazon Web Services resources based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-. You cannot use a value that begins with the text aws:. This prefix is reserved for Amazon Web Services internal use.
The source identity specified by the principal that is calling the AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. You can use source identity information in CloudTrail logs to determine who took actions with a role. You can use the aws:SourceIdentity condition key to further control access to Amazon Web Services resources based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
", "AssumeRoleWithSAMLResponse$SourceIdentity": "The value in the SourceIdentity attribute in the SAML assertion.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your SAML identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithSAML. You do this by adding an attribute to the SAML assertion. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
", "AssumeRoleWithWebIdentityResponse$SourceIdentity": "The value of the source identity that is returned in the JSON web token (JWT) from the identity provider.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web token. To learn more about OIDC tokens and claims, see Using Tokens with User Pools in the Amazon Cognito Developer Guide. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" } @@ -410,8 +410,8 @@ "tagListType": { "base": null, "refs": { - "AssumeRoleRequest$Tags": "A list of session tags that you want to pass. Each session tag consists of a key name and an associated value. For more information about session tags, see Tagging AWS STS Sessions in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the role. When you do, session tags override a role tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the role has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the role tag.
Additionally, if you used temporary credentials to perform this operation, the new session inherits any transitive session tags from the calling session. If you pass a session tag with the same key as an inherited tag, the operation fails. To view the inherited tags for a session, see the AWS CloudTrail logs. For more information, see Viewing Session Tags in CloudTrail in the IAM User Guide.
", - "GetFederationTokenRequest$Tags": "A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the role has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the role tag.
A list of session tags that you want to pass. Each session tag consists of a key name and an associated value. For more information about session tags, see Tagging STS Sessions in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the role. When you do, session tags override a role tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the role has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the role tag.
Additionally, if you used temporary credentials to perform this operation, the new session inherits any transitive session tags from the calling session. If you pass a session tag with the same key as an inherited tag, the operation fails. To view the inherited tags for a session, see the CloudTrail logs. For more information, see Viewing Session Tags in CloudTrail in the IAM User Guide.
", + "GetFederationTokenRequest$Tags": "A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the role has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the role tag.