feat(client-sts): API updates for the AWS Security Token Service
awstools committed Jul 25, 2023
1 parent e28d57d commit b01ad93
Showing 9 changed files with 248 additions and 124 deletions.
10 changes: 8 additions & 2 deletions clients/client-sts/src/commands/AssumeRoleCommand.ts
@@ -72,8 +72,8 @@ export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataB
* created. That trust policy states which accounts are allowed to delegate that access to
* users in the account. </p>
* <p>A user who wants to access a role in a different account must also have permissions that
* are delegated from the account administrator. The administrator must attach a policy
* that allows the user to call <code>AssumeRole</code> for the ARN of the role in the other
* are delegated from the account administrator. The administrator must attach a policy that
* allows the user to call <code>AssumeRole</code> for the ARN of the role in the other
* account.</p>
* <p>To allow a user to assume a role in the same account, you can do either of the
* following:</p>
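Review bot: whitespace-only reflow of the generated JSDoc (the two removed lines come back with the break moved after "policy that"); no wording or link changes, so the only thing to confirm is that this came out of the codegen run rather than a hand edit that would be overwritten on the next regeneration.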
@@ -154,6 +154,12 @@ export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataB
* SerialNumber: "STRING_VALUE",
* TokenCode: "STRING_VALUE",
* SourceIdentity: "STRING_VALUE",
* ProvidedContexts: [ // ProvidedContextsListType
* { // ProvidedContext
* ProviderArn: "STRING_VALUE",
* ContextAssertion: "STRING_VALUE",
* },
* ],
* };
* const command = new AssumeRoleCommand(input);
* const response = await client.send(command);
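Review bot: the example input gains `ProvidedContexts` with `ProviderArn` and `ContextAssertion`, but the types the comment names (`ProvidedContextsListType`, `ProvidedContext`) do not appear in any hunk shown on this page; of the 9 changed files only the six command files are rendered here, so confirm the models/types file in the same commit declares `ProvidedContexts` as an optional member of the `AssumeRole` input, otherwise callers that omit it would stop type-checking. The six added lines match the file header's "8 additions & 2 deletions" once the two reflowed lines of the earlier hunk are counted.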
@@ -50,8 +50,8 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
* <a href="http://aws.amazon.com/sdkforios/">Amazon Web Services SDK for iOS Developer Guide</a> and the <a href="http://aws.amazon.com/sdkforandroid/">Amazon Web Services SDK for Android Developer Guide</a> to uniquely
* identify a user. You can also supply the user with a consistent identity throughout the
* lifetime of an application.</p>
* <p>To learn more about Amazon Cognito, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html">Amazon Cognito identity pools</a> in
* <i>Amazon Cognito Developer Guide</i>.</p>
* <p>To learn more about Amazon Cognito, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html">Amazon Cognito identity
* pools</a> in <i>Amazon Cognito Developer Guide</i>.</p>
* </note>
* <p>Calling <code>AssumeRoleWithWebIdentity</code> does not require the use of Amazon Web Services
* security credentials. Therefore, you can distribute an application (for example, on mobile
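Review bot: the file header for this hunk (the "N changes: ... clients/client-sts/src/commands/..." line that precedes every other hunk) is missing from the rendered page, so the file can only be inferred from the `AssumeRoleWithWebIdentityCommandOutput` interface in the `@@` context. The change itself is a line-wrap reflow of the Amazon Cognito link text; the URL and link text are unchanged, so nothing to change.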
13 changes: 6 additions & 7 deletions clients/client-sts/src/commands/GetAccessKeyInfoCommand.ts
@@ -45,13 +45,12 @@ export interface GetAccessKeyInfoCommandOutput extends GetAccessKeyInfoResponse,
* Users</a> in the <i>IAM User Guide</i>.</p>
* <p>When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services account
* to which the keys belong. Access key IDs beginning with <code>AKIA</code> are long-term
* credentials for an IAM user or the Amazon Web Services account root user. Access key IDs beginning with
* <code>ASIA</code> are temporary credentials that are created using STS operations. If
* the account in the response belongs to you, you can sign in as the root user and review
* your root user access keys. Then, you can pull a <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html">credentials report</a> to
* learn which IAM user owns the keys. To learn who requested the temporary credentials for
* an <code>ASIA</code> access key, view the STS events in your <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html">CloudTrail logs</a> in the
* <i>IAM User Guide</i>.</p>
* credentials for an IAM user or the Amazon Web Services account root user. Access key IDs
* beginning with <code>ASIA</code> are temporary credentials that are created using STS
* operations. If the account in the response belongs to you, you can sign in as the root user and review your root user access keys. Then, you can pull a <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html">credentials
* report</a> to learn which IAM user owns the keys. To learn who
* requested the temporary credentials for an <code>ASIA</code> access key, view the STS
* events in your <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html">CloudTrail logs</a> in the <i>IAM User Guide</i>.</p>
* <p>This operation does not indicate the state of the access key. The key might be active,
* inactive, or deleted. Active keys might not have permissions to perform an operation.
* Providing a deleted access key might return an error that the key doesn't exist.</p>
10 changes: 6 additions & 4 deletions clients/client-sts/src/commands/GetCallerIdentityCommand.ts
@@ -37,12 +37,14 @@ export interface GetCallerIdentityCommandOutput extends GetCallerIdentityRespons

/**
* @public
* <p>Returns details about the IAM user or role whose credentials are used to call the operation.</p>
* <p>Returns details about the IAM user or role whose credentials are used to
* call the operation.</p>
* <note>
* <p>No permissions are required to perform this operation. If an administrator
* attaches a policy to your identity that explicitly denies access to the
* <p>No permissions are required to perform this operation. If an administrator attaches a
* policy to your identity that explicitly denies access to the
* <code>sts:GetCallerIdentity</code> action, you can still perform this operation.
* Permissions are not required because the same information is returned when access is denied. To view an example response, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa">I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice</a> in the
* Permissions are not required because the same information is returned when access is
* denied. To view an example response, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa">I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice</a> in the
* <i>IAM User Guide</i>.</p>
* </note>
* @example
37 changes: 21 additions & 16 deletions clients/client-sts/src/commands/GetFederationTokenCommand.ts
@@ -45,16 +45,18 @@ export interface GetFederationTokenCommandOutput extends GetFederationTokenRespo
* secret access key, and a security token) for a user. A typical use is in a proxy
* application that gets temporary security credentials on behalf of distributed applications
* inside a corporate network.</p>
* <p>You must call the <code>GetFederationToken</code> operation
* using the long-term security credentials of an IAM user. As a result, this call is
* appropriate in contexts where those credentials can be safeguarded, usually in a
* server-based application. For a comparison of <code>GetFederationToken</code> with the
* other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
* <p>You must call the <code>GetFederationToken</code> operation using the long-term security
* credentials of an IAM user. As a result, this call is appropriate in
* contexts where those credentials can be safeguarded, usually in a server-based application.
* For a comparison of <code>GetFederationToken</code> with the other API operations that
* produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
* <p>Although it is possible to call <code>GetFederationToken</code> using the security credentials of an
* Amazon Web Services account root user rather than an IAM user that you create for the purpose of a proxy application, we do not recommend it. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials">Safeguard your root user credentials and don't use them for everyday tasks</a> in the
* <i>IAM User Guide</i>. </p>
* <p>Although it is possible to call <code>GetFederationToken</code> using the security
* credentials of an Amazon Web Services account root user rather than an IAM user that you
* create for the purpose of a proxy application, we do not recommend it. For more
* information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials">Safeguard your root user credentials and don't use them for everyday tasks</a> in the
* <i>IAM User Guide</i>. </p>
* <note>
* <p>You can create a mobile-based or browser-based app that can authenticate users using
* a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
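Review bot: reflow only across both paragraphs; the long-term-IAM-user-credentials requirement, the root-user warning and both IAM User Guide links survive unchanged between the removed and added lines. One pre-existing nit is carried over rather than fixed: the paragraph ends with `<i>IAM User Guide</i>. </p>`, leaving a stray space before the closing tag. It originates in the upstream service model, so no change is needed in this SDK commit.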
@@ -67,15 +69,17 @@ export interface GetFederationTokenCommandOutput extends GetFederationTokenRespo
* </p>
* <p>The temporary credentials are valid for the specified duration, from 900 seconds (15
* minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is
* 43,200 seconds (12 hours). Temporary credentials obtained by using the root user credentials have a maximum duration of 3,600 seconds (1 hour).</p>
* 43,200 seconds (12 hours). Temporary credentials obtained by using the root user
* credentials have a maximum duration of 3,600 seconds (1 hour).</p>
* <p>
* <b>Permissions</b>
* </p>
* <p>You can use the temporary credentials created by <code>GetFederationToken</code> in any
* Amazon Web Services service with the following exceptions:</p>
* <ul>
* <li>
* <p>You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.</p>
* <p>You cannot call any IAM operations using the CLI or the Amazon Web Services API. This
* limitation does not apply to console sessions.</p>
* </li>
* <li>
* <p>You cannot call any STS operations except <code>GetCallerIdentity</code>.</p>
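Review bot: the duration figures are the part of this hunk worth checking and they are identical in the removed and added lines (900 seconds minimum, 129,600 seconds maximum, 43,200 seconds default, and the 3,600 second cap when root user credentials are used), as is the "no IAM operations from the CLI or API" exception; nothing to change.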
@@ -89,12 +93,13 @@ export interface GetFederationTokenCommandOutput extends GetFederationTokenRespo
* policies can't exceed 2,048 characters.</p>
* <p>Though the session policy parameters are optional, if you do not pass a policy, then the
* resulting federated user session has no permissions. When you pass session policies, the
* session permissions are the intersection of the IAM user policies and the session
* policies that you pass. This gives you a way to further restrict the permissions for a
* federated user. You cannot use session policies to grant more permissions than those that
* are defined in the permissions policy of the IAM user. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
* Policies</a> in the <i>IAM User Guide</i>. For information about
* using <code>GetFederationToken</code> to create temporary security credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken">GetFederationToken—Federation Through a Custom Identity Broker</a>. </p>
* session permissions are the intersection of the IAM user policies and the
* session policies that you pass. This gives you a way to further restrict the permissions
* for a federated user. You cannot use session policies to grant more permissions than those
* that are defined in the permissions policy of the IAM user. For more
* information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session Policies</a> in
* the <i>IAM User Guide</i>. For information about using
* <code>GetFederationToken</code> to create temporary security credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken">GetFederationToken—Federation Through a Custom Identity Broker</a>. </p>
* <p>You can use the credentials to access a resource that has a resource-based policy. If
* that policy specifically references the federated user session in the
* <code>Principal</code> element of the policy, the session has the permissions allowed by
38 changes: 20 additions & 18 deletions clients/client-sts/src/commands/GetSessionTokenCommand.ts
@@ -41,15 +41,17 @@ export interface GetSessionTokenCommandOutput extends GetSessionTokenResponse, _

/**
* @public
* <p>Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The
* credentials consist of an access key ID, a secret access key, and a security token.
* <p>Returns a set of temporary credentials for an Amazon Web Services account or IAM user.
* The credentials consist of an access key ID, a secret access key, and a security token.
* Typically, you use <code>GetSessionToken</code> if you want to use MFA to protect
* programmatic calls to specific Amazon Web Services API operations like Amazon EC2 <code>StopInstances</code>.</p>
* <p>MFA-enabled IAM users must call <code>GetSessionToken</code> and submit an MFA
* code that is associated with their MFA device. Using the temporary security credentials
* that the call returns, IAM users can then make programmatic calls to API
* operations that require MFA authentication. An incorrect MFA code causes the API to return an access denied error. For a comparison of <code>GetSessionToken</code>
* with the other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting
* programmatic calls to specific Amazon Web Services API operations like Amazon EC2
* <code>StopInstances</code>.</p>
* <p>MFA-enabled IAM users must call <code>GetSessionToken</code> and submit
* an MFA code that is associated with their MFA device. Using the temporary security
* credentials that the call returns, IAM users can then make programmatic
* calls to API operations that require MFA authentication. An incorrect MFA code causes the
* API to return an access denied error. For a comparison of <code>GetSessionToken</code> with
* the other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting
* Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
* <note>
@@ -63,8 +65,7 @@ export interface GetSessionTokenCommandOutput extends GetSessionTokenResponse, _
* <b>Session Duration</b>
* </p>
* <p>The <code>GetSessionToken</code> operation must be called by using the long-term Amazon Web Services
* security credentials of an IAM user. Credentials that are
* created by IAM users are valid for the duration that you specify. This duration can range
* security credentials of an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range
* from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default
* of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900
* seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. </p>
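Review bot: the reflow here merges two wrapped lines into one overlong line ("security credentials of an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range"), well past the wrap width every neighbouring line uses. Harmless in a generated JSDoc block and the sentence content is unchanged, so no action beyond noting that the codegen wrapper is not producing consistent widths.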
@@ -83,15 +84,16 @@ export interface GetSessionTokenCommandOutput extends GetSessionTokenResponse, _
* <code>AssumeRole</code> or <code>GetCallerIdentity</code>.</p>
* </li>
* </ul>
* <p>The credentials that <code>GetSessionToken</code> returns are based on
* permissions associated with the IAM user whose credentials were used to call the operation. The
* temporary credentials have the same permissions as the IAM user.</p>
* <p>The credentials that <code>GetSessionToken</code> returns are based on permissions
* associated with the IAM user whose credentials were used to call the
* operation. The temporary credentials have the same permissions as the IAM user.</p>
* <note>
* <p>Although it is possible to call <code>GetSessionToken</code> using the security credentials of an
* Amazon Web Services account root user rather than an IAM user, we do not recommend it. If
* <code>GetSessionToken</code> is called using root user credentials, the
* temporary credentials have root user permissions. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials">Safeguard your root user credentials and don't use them for everyday tasks</a> in the
* <i>IAM User Guide</i>
* <p>Although it is possible to call <code>GetSessionToken</code> using the security
* credentials of an Amazon Web Services account root user rather than an IAM user, we do
* not recommend it. If <code>GetSessionToken</code> is called using root user
* credentials, the temporary credentials have root user permissions. For more
* information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials">Safeguard your root user credentials and don't use them for everyday tasks</a> in the
* <i>IAM User Guide</i>
* </p>
* </note>
* <p>For more information about using <code>GetSessionToken</code> to create temporary
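Review bot: the `<note>` paragraph still has no terminating period after `<i>IAM User Guide</i>` (the `</p>` sits on the following line with no punctuation) in both the removed and the added lines; minor, and it belongs to the upstream model text rather than this SDK change. The substantive statement that root-user-derived temporary credentials carry root user permissions is preserved verbatim, which is the line to watch in this hunk.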

0 comments on commit b01ad93
