diff --git a/clients/client-iam/src/commands/CreateOpenIDConnectProviderCommand.ts b/clients/client-iam/src/commands/CreateOpenIDConnectProviderCommand.ts index d5ae3cda66c1..23e2ac37ba49 100644 --- a/clients/client-iam/src/commands/CreateOpenIDConnectProviderCommand.ts +++ b/clients/client-iam/src/commands/CreateOpenIDConnectProviderCommand.ts @@ -60,12 +60,11 @@ export interface CreateOpenIDConnectProviderCommandOutput *
You get all of this information from the OIDC IdP you want to use to access * Amazon Web Services.
*Amazon Web Services secures communication with some OIDC identity providers (IdPs) through our library - * of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to - * verify your IdP server certificate. In these cases, your legacy thumbprint remains in your - * configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub, - * GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) - * endpoint.
+ *Amazon Web Services secures communication with OIDC identity providers (IdPs) using our library of + * trusted root certificate authorities (CAs) to verify the JSON Web Key Set (JWKS) + * endpoint's TLS certificate. If your OIDC IdP relies on a certificate that is not signed + * by one of these trusted CAs, only then we secure communication using the thumbprints set + * in the IdP's configuration.
*The trust for the OIDC provider is derived from the IAM provider that this @@ -130,7 +129,8 @@ export interface CreateOpenIDConnectProviderCommandOutput * Amazon Web Services account limits. The error message describes the limit exceeded.
* * @throws {@link OpenIdIdpCommunicationErrorException} (client fault) - *The request failed because IAM cannot connect to the OpenID Connect identity provider URL.
+ *The request failed because IAM cannot connect to the OpenID Connect identity provider + * URL.
* * @throws {@link ServiceFailureException} (server fault) *The request processing has failed because of an unknown error, exception or diff --git a/clients/client-iam/src/commands/GetAccessKeyLastUsedCommand.ts b/clients/client-iam/src/commands/GetAccessKeyLastUsedCommand.ts index 2345381e7b71..f2cc205e3360 100644 --- a/clients/client-iam/src/commands/GetAccessKeyLastUsedCommand.ts +++ b/clients/client-iam/src/commands/GetAccessKeyLastUsedCommand.ts @@ -45,7 +45,7 @@ export interface GetAccessKeyLastUsedCommandOutput extends GetAccessKeyLastUsedR * // { // GetAccessKeyLastUsedResponse * // UserName: "STRING_VALUE", * // AccessKeyLastUsed: { // AccessKeyLastUsed - * // LastUsedDate: new Date("TIMESTAMP"), // required + * // LastUsedDate: new Date("TIMESTAMP"), * // ServiceName: "STRING_VALUE", // required * // Region: "STRING_VALUE", // required * // }, diff --git a/clients/client-iam/src/commands/ListAccountAliasesCommand.ts b/clients/client-iam/src/commands/ListAccountAliasesCommand.ts index ce217ad0570d..128bef0eb5b9 100644 --- a/clients/client-iam/src/commands/ListAccountAliasesCommand.ts +++ b/clients/client-iam/src/commands/ListAccountAliasesCommand.ts @@ -29,9 +29,9 @@ export interface ListAccountAliasesCommandOutput extends ListAccountAliasesRespo /** *
Lists the account alias associated with the Amazon Web Services account (Note: you can have only - * one). For information about using an Amazon Web Services account alias, see Creating, - * deleting, and listing an Amazon Web Services account alias in the Amazon Web Services Sign-In - * User Guide.
+ * one). For information about using an Amazon Web Services account alias, see Creating, + * deleting, and listing an Amazon Web Services account alias in the + * IAM User Guide. * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-iam/src/commands/UpdateOpenIDConnectProviderThumbprintCommand.ts b/clients/client-iam/src/commands/UpdateOpenIDConnectProviderThumbprintCommand.ts index b5daab0fd8e5..46756beaa6dc 100644 --- a/clients/client-iam/src/commands/UpdateOpenIDConnectProviderThumbprintCommand.ts +++ b/clients/client-iam/src/commands/UpdateOpenIDConnectProviderThumbprintCommand.ts @@ -42,12 +42,11 @@ export interface UpdateOpenIDConnectProviderThumbprintCommandOutput extends __Me * the OIDC provider as a principal fails until the certificate thumbprint is * updated. *Amazon Web Services secures communication with some OIDC identity providers (IdPs) through our library - * of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to - * verify your IdP server certificate. In these cases, your legacy thumbprint remains in your - * configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub, - * GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) - * endpoint.
+ *Amazon Web Services secures communication with OIDC identity providers (IdPs) using our library of + * trusted root certificate authorities (CAs) to verify the JSON Web Key Set (JWKS) + * endpoint's TLS certificate. If your OIDC IdP relies on a certificate that is not signed + * by one of these trusted CAs, only then we secure communication using the thumbprints set + * in the IdP's configuration.
*Trust for the OIDC provider is derived from the provider certificate and is diff --git a/clients/client-iam/src/models/models_0.ts b/clients/client-iam/src/models/models_0.ts index d23544cc72b6..66600fed6773 100644 --- a/clients/client-iam/src/models/models_0.ts +++ b/clients/client-iam/src/models/models_0.ts @@ -163,7 +163,7 @@ export interface AccessKeyLastUsed { * * @public */ - LastUsedDate: Date | undefined; + LastUsedDate?: Date; /** *
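Review bot: The unchanged context sentence right after the added paragraph ("Trust for the OIDC provider is derived from the provider certificate and is", cut at the hunk edge; the iam.json hunk for this operation shows it ends "validated by the thumbprint") now disagrees with the new text, which says thumbprints are used only when the JWKS endpoint's certificate is not signed by a trusted CA. The earlier context line saying role assumption "fails until the certificate thumbprint is updated" presumably also holds only in that fallback case. Someone assessing whether a stale or overly broad thumbprint list matters for their provider gets two answers from one doc comment. Because this file is generated, the wording would be fixed in the model's documentation trait, e.g. `Where the thumbprint is used, trust for the OIDC provider is derived from the provider certificate and is validated by the thumbprint.`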
The name of the Amazon Web Services service with which this access key was most recently used. The @@ -1275,7 +1275,8 @@ export interface CreateOpenIDConnectProviderResponse { } /** - *
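Review bot: `LastUsedDate?: Date` makes the field omittable, but its documentation in the iam.json hunk of this diff still reads "This field is null in the following situations", and a value typed this way is absent or `undefined`, not `null`. This matters for access-key hygiene code: a check such as `LastUsedDate === null`, or a date comparison reached through a `!` assertion, may not flag a key that has never been used. I would reword the doc to `This field is not present in the following situations:` and have audit code treat a missing value as "never used or not tracked". The doc comment above the field and the rest of the AccessKeyLastUsed interface are outside the hunk.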
The request failed because IAM cannot connect to the OpenID Connect identity provider URL.
+ *The request failed because IAM cannot connect to the OpenID Connect identity provider + * URL.
* @public */ export class OpenIdIdpCommunicationErrorException extends __BaseException { diff --git a/codegen/sdk-codegen/aws-models/iam.json b/codegen/sdk-codegen/aws-models/iam.json index e4a96f301e40..a868a045d15f 100644 --- a/codegen/sdk-codegen/aws-models/iam.json +++ b/codegen/sdk-codegen/aws-models/iam.json @@ -1995,8 +1995,7 @@ "LastUsedDate": { "target": "com.amazonaws.iam#dateType", "traits": { - "smithy.api#documentation": "The date and time, in ISO 8601 date-time\n format, when the access key was most recently used. This field is null in the\n following situations:
\nThe user does not have an access key.
\nAn access key exists but has not been used since IAM began tracking this\n information.
\nThere is no sign-in data associated with the user.
\nThe date and time, in ISO 8601 date-time\n format, when the access key was most recently used. This field is null in the\n following situations:
\nThe user does not have an access key.
\nAn access key exists but has not been used since IAM began tracking this\n information.
\nThere is no sign-in data associated with the user.
\nCreates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).
\nThe OIDC provider that you create with this operation can be used as a principal in a\n role's trust policy. Such a policy establishes a trust relationship between Amazon Web Services and\n the OIDC provider.
\nIf you are using an OIDC identity provider from Google, Facebook, or Amazon Cognito, you don't\n need to create a separate IAM identity provider. These OIDC identity providers are\n already built-in to Amazon Web Services and are available for your use. Instead, you can move directly\n to creating new roles using your identity provider. To learn more, see Creating\n a role for web identity or OpenID connect federation in the IAM\n User Guide.
\nWhen you create the IAM OIDC provider, you specify the following:
\nThe URL of the OIDC identity provider (IdP) to trust
\nA list of client IDs (also known as audiences) that identify the application\n or applications allowed to authenticate using the OIDC provider
\nA list of tags that are attached to the specified IAM OIDC provider
\nA list of thumbprints of one or more server certificates that the IdP\n uses
\nYou get all of this information from the OIDC IdP you want to use to access\n Amazon Web Services.
\nAmazon Web Services secures communication with some OIDC identity providers (IdPs) through our library\n of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to\n verify your IdP server certificate. In these cases, your legacy thumbprint remains in your\n configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub,\n GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS)\n endpoint.
\nThe trust for the OIDC provider is derived from the IAM provider that this\n operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvider operation to highly privileged\n users.
\nCreates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC).
\nThe OIDC provider that you create with this operation can be used as a principal in a\n role's trust policy. Such a policy establishes a trust relationship between Amazon Web Services and\n the OIDC provider.
\nIf you are using an OIDC identity provider from Google, Facebook, or Amazon Cognito, you don't\n need to create a separate IAM identity provider. These OIDC identity providers are\n already built-in to Amazon Web Services and are available for your use. Instead, you can move directly\n to creating new roles using your identity provider. To learn more, see Creating\n a role for web identity or OpenID connect federation in the IAM\n User Guide.
\nWhen you create the IAM OIDC provider, you specify the following:
\nThe URL of the OIDC identity provider (IdP) to trust
\nA list of client IDs (also known as audiences) that identify the application\n or applications allowed to authenticate using the OIDC provider
\nA list of tags that are attached to the specified IAM OIDC provider
\nA list of thumbprints of one or more server certificates that the IdP\n uses
\nYou get all of this information from the OIDC IdP you want to use to access\n Amazon Web Services.
\nAmazon Web Services secures communication with OIDC identity providers (IdPs) using our library of\n trusted root certificate authorities (CAs) to verify the JSON Web Key Set (JWKS)\n endpoint's TLS certificate. If your OIDC IdP relies on a certificate that is not signed\n by one of these trusted CAs, only then we secure communication using the thumbprints set\n in the IdP's configuration.
\nThe trust for the OIDC provider is derived from the IAM provider that this\n operation creates. Therefore, it is best to limit access to the CreateOpenIDConnectProvider operation to highly privileged\n users.
\nLists the account alias associated with the Amazon Web Services account (Note: you can have only\n one). For information about using an Amazon Web Services account alias, see Creating,\n deleting, and listing an Amazon Web Services account alias in the Amazon Web Services Sign-In\n User Guide.
", + "smithy.api#documentation": "Lists the account alias associated with the Amazon Web Services account (Note: you can have only\n one). For information about using an Amazon Web Services account alias, see Creating,\n deleting, and listing an Amazon Web Services account alias in the\n IAM User Guide.
", "smithy.api#examples": [ { "title": "To list account aliases", @@ -11310,7 +11309,7 @@ "code": "OpenIdIdpCommunicationError", "httpResponseCode": 400 }, - "smithy.api#documentation": "The request failed because IAM cannot connect to the OpenID Connect identity provider URL.
", + "smithy.api#documentation": "The request failed because IAM cannot connect to the OpenID Connect identity provider\n URL.
", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -14924,7 +14923,7 @@ } ], "traits": { - "smithy.api#documentation": "Replaces the existing list of server certificate thumbprints associated with an OpenID\n Connect (OIDC) provider resource object with a new list of thumbprints.
\nThe list that you pass with this operation completely replaces the existing list of\n thumbprints. (The lists are not merged.)
\nTypically, you need to update a thumbprint only when the identity provider certificate\n changes, which occurs rarely. However, if the provider's certificate\n does change, any attempt to assume an IAM role that specifies\n the OIDC provider as a principal fails until the certificate thumbprint is\n updated.
\nAmazon Web Services secures communication with some OIDC identity providers (IdPs) through our library\n of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to\n verify your IdP server certificate. In these cases, your legacy thumbprint remains in your\n configuration, but is no longer used for validation. These OIDC IdPs include Auth0, GitHub,\n GitLab, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS)\n endpoint.
\nTrust for the OIDC provider is derived from the provider certificate and is\n validated by the thumbprint. Therefore, it is best to limit access to the\n UpdateOpenIDConnectProviderThumbprint
operation to highly\n privileged users.
Replaces the existing list of server certificate thumbprints associated with an OpenID\n Connect (OIDC) provider resource object with a new list of thumbprints.
\nThe list that you pass with this operation completely replaces the existing list of\n thumbprints. (The lists are not merged.)
\nTypically, you need to update a thumbprint only when the identity provider certificate\n changes, which occurs rarely. However, if the provider's certificate\n does change, any attempt to assume an IAM role that specifies\n the OIDC provider as a principal fails until the certificate thumbprint is\n updated.
\nAmazon Web Services secures communication with OIDC identity providers (IdPs) using our library of\n trusted root certificate authorities (CAs) to verify the JSON Web Key Set (JWKS)\n endpoint's TLS certificate. If your OIDC IdP relies on a certificate that is not signed\n by one of these trusted CAs, only then we secure communication using the thumbprints set\n in the IdP's configuration.
\nTrust for the OIDC provider is derived from the provider certificate and is\n validated by the thumbprint. Therefore, it is best to limit access to the\n UpdateOpenIDConnectProviderThumbprint
operation to highly\n privileged users.