From 9f80461fc7b29f6c794307984d55630c312e9357 Mon Sep 17 00:00:00 2001 From: aws-sdk-go-automation <43143561+aws-sdk-go-automation@users.noreply.github.com> Date: Fri, 5 Apr 2024 14:26:50 -0400 Subject: [PATCH] Release v1.51.16 (2024-04-05) (#5219) Release v1.51.16 (2024-04-05) === ### Service Client Updates * `service/quicksight`: Updates service API and documentation * Adding IAMIdentityCenterInstanceArn parameter to CreateAccountSubscription * `service/resource-groups`: Updates service API and documentation * `service/verifiedpermissions`: Updates service API and documentation --- CHANGELOG.md | 9 + aws/endpoints/defaults.go | 107 ++ aws/version.go | 2 +- models/apis/quicksight/2018-04-01/api-2.json | 3 +- models/apis/quicksight/2018-04-01/docs-2.json | 5 +- .../resource-groups/2017-11-27/api-2.json | 3 +- .../resource-groups/2017-11-27/docs-2.json | 12 +- .../2017-11-27/endpoint-rule-set-1.json | 370 ++--- .../2017-11-27/endpoint-tests-1.json | 1266 +++-------------- .../verifiedpermissions/2021-12-01/api-2.json | 70 + .../2021-12-01/docs-2.json | 77 +- models/endpoints/endpoints.json | 60 + service/quicksight/api.go | 19 +- service/resourcegroups/api.go | 44 +- service/verifiedpermissions/api.go | 552 ++++++- .../verifiedpermissionsiface/interface.go | 4 + 16 files changed, 1289 insertions(+), 1314 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 843532d2737..b41df1fe6f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,12 @@
+Release v1.51.16 (2024-04-05)
+===
+
+### Service Client Updates
+* `service/quicksight`: Updates service API and documentation
+ * Adding IAMIdentityCenterInstanceArn parameter to CreateAccountSubscription
+* `service/resource-groups`: Updates service API and documentation
+* `service/verifiedpermissions`: Updates service API and documentation
+
 Release v1.51.15 (2024-04-04)
 ===
diff --git a/aws/endpoints/defaults.go b/aws/endpoints/defaults.go
index 8b887877ff5..ff9e9662df4 100644
--- a/aws/endpoints/defaults.go
+++ b/aws/endpoints/defaults.go @@ -18846,6 +18846,9 @@ var awsPartition = partition{ endpointKey{ Region: "ca-central-1", }: endpoint{}, + endpointKey{ + Region: "ca-west-1", + }: endpoint{}, endpointKey{ Region: "eu-central-1", }: endpoint{}, @@ -23297,6 +23300,14 @@ var awsPartition = partition{ Region: "ap-south-1", }, }, + endpointKey{ + Region: "ap-south-2", + }: endpoint{ + Hostname: "portal.sso.ap-south-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ap-south-2", + }, + }, endpointKey{ Region: "ap-southeast-1", }: endpoint{ @@ -23369,6 +23380,14 @@ var awsPartition = partition{ Region: "eu-south-1", }, }, + endpointKey{ + Region: "eu-south-2", + }: endpoint{ + Hostname: "portal.sso.eu-south-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "eu-south-2", + }, + }, endpointKey{ Region: "eu-west-1", }: endpoint{ 
@@ -25895,33 +25914,66 @@ var awsPartition = partition{ }, "rum": service{ Endpoints: serviceEndpoints{ + endpointKey{ + Region: "af-south-1", + }: endpoint{}, endpointKey{ Region: "ap-northeast-1", }: endpoint{}, + endpointKey{ + Region: "ap-northeast-2", + }: endpoint{}, + endpointKey{ + Region: "ap-northeast-3", + }: endpoint{}, + endpointKey{ + Region: "ap-south-1", + }: endpoint{}, endpointKey{ Region: "ap-southeast-1", }: endpoint{}, endpointKey{ Region: "ap-southeast-2", }: endpoint{}, + endpointKey{ + Region: "ap-southeast-3", + }: endpoint{}, + endpointKey{ + Region: "ca-central-1", + }: endpoint{}, endpointKey{ Region: "eu-central-1", }: endpoint{}, endpointKey{ Region: "eu-north-1", }: endpoint{}, + endpointKey{ + Region: "eu-south-1", + }: endpoint{}, endpointKey{ Region: "eu-west-1", }: endpoint{}, endpointKey{ Region: "eu-west-2", }: endpoint{}, + endpointKey{ + Region: "eu-west-3", + }: endpoint{}, + endpointKey{ + Region: "me-south-1", + }: endpoint{}, + endpointKey{ + Region: "sa-east-1", + }: endpoint{}, endpointKey{ Region: "us-east-1", }: endpoint{}, endpointKey{ Region: "us-east-2", }: endpoint{}, + endpointKey{ + Region: "us-west-1", + }: endpoint{}, endpointKey{ Region: "us-west-2", }: endpoint{}, @@ -30951,6 +31003,9 @@ var awsPartition = partition{ endpointKey{ Region: "ap-south-1", }: endpoint{}, + endpointKey{ + Region: "ap-south-2", + }: endpoint{}, endpointKey{ Region: "ap-southeast-1", }: endpoint{}, @@ -30978,6 +31033,9 @@ var awsPartition = partition{ endpointKey{ Region: "eu-south-1", }: endpoint{}, + endpointKey{ + Region: "eu-south-2", + }: endpoint{}, endpointKey{ Region: "eu-west-1", }: endpoint{}, 
@@ -44579,6 +44637,55 @@ var awsisoPartition = partition{ }: endpoint{}, }, }, + "fsx": service{ + Endpoints: serviceEndpoints{ + endpointKey{ + Region: "fips-prod-us-iso-east-1", + }: endpoint{ + Hostname: "fsx-fips.us-iso-east-1.c2s.ic.gov", + CredentialScope: credentialScope{ + Region: "us-iso-east-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-iso-east-1", + }: endpoint{ + Hostname: "fsx-fips.us-iso-east-1.c2s.ic.gov", + CredentialScope: credentialScope{ + Region: "us-iso-east-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "prod-us-iso-east-1", + }: endpoint{ + CredentialScope: credentialScope{ + Region: "us-iso-east-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "prod-us-iso-east-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "fsx-fips.us-iso-east-1.c2s.ic.gov", + CredentialScope: credentialScope{ + Region: "us-iso-east-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "us-iso-east-1", + }: endpoint{}, + endpointKey{ + Region: "us-iso-east-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "fsx-fips.us-iso-east-1.c2s.ic.gov", + }, + }, + }, "glacier": service{ Endpoints: serviceEndpoints{ endpointKey{ diff --git a/aws/version.go b/aws/version.go index f92a863eb34..aef1528f9ce 100644 --- a/aws/version.go +++ b/aws/version.go @@ -5,4 +5,4 @@ package aws const SDKName = "aws-sdk-go" // SDKVersion is the version of this SDK -const SDKVersion = "1.51.15" +const SDKVersion = "1.51.16" diff --git a/models/apis/quicksight/2018-04-01/api-2.json b/models/apis/quicksight/2018-04-01/api-2.json index d3f5ec62b0c..2cef7e39b65 100644 --- a/models/apis/quicksight/2018-04-01/api-2.json +++ b/models/apis/quicksight/2018-04-01/api-2.json 
@@ -5491,7 +5491,8 @@
 "FirstName":{"shape":"String"},
 "LastName":{"shape":"String"},
 "EmailAddress":{"shape":"String"},
- "ContactNumber":{"shape":"String"}
+ "ContactNumber":{"shape":"String"},
+ "IAMIdentityCenterInstanceArn":{"shape":"String"}
 }
 },
 "CreateAccountSubscriptionResponse":{
diff --git a/models/apis/quicksight/2018-04-01/docs-2.json b/models/apis/quicksight/2018-04-01/docs-2.json
index 515084136b5..0d26690057d 100644
--- a/models/apis/quicksight/2018-04-01/docs-2.json
+++ b/models/apis/quicksight/2018-04-01/docs-2.json
@@ -291,9 +291,9 @@
 }
 },
 "AllSheetsFilterScopeConfiguration": {
- "base": "
The configuration for applying a filter to all sheets. You can apply this filter to all visuals on every sheet.
This is a union type structure. For this structure to be valid, only one of the attributes can be defined.
", + "base": "An empty object that represents that the AllSheets
option is the chosen value for the FilterScopeConfiguration
parameter. This structure applies the filter to all visuals on all sheets of an Analysis, Dashboard, or Template.
This is a union type structure. For this structure to be valid, only one of the attributes can be defined.
", "refs": { - "FilterScopeConfiguration$AllSheets": "The configuration for applying a filter to all sheets.
" + "FilterScopeConfiguration$AllSheets": "The configuration that applies a filter to all sheets. When you choose AllSheets
as the value for a FilterScopeConfiguration
, this filter is applied to all visuals of all sheets in an Analysis, Dashboard, or Template. The AllSheetsFilterScopeConfiguration
is chosen.
The last name of the author of the Amazon QuickSight account to use for future communications. This field is required if ENTERPPRISE_AND_Q
is the selected edition of the new Amazon QuickSight account.
The email address of the author of the Amazon QuickSight account to use for future communications. This field is required if ENTERPPRISE_AND_Q
is the selected edition of the new Amazon QuickSight account.
A 10-digit phone number for the author of the Amazon QuickSight account to use for future communications. This field is required if ENTERPPRISE_AND_Q
is the selected edition of the new Amazon QuickSight account.
The Amazon Resource Name (ARN) for the IAM Identity Center instance.
", "CreateAccountSubscriptionResponse$RequestId": "The Amazon Web Services request ID for this operation.
", "CreateAnalysisResponse$RequestId": "The Amazon Web Services request ID for this operation.
", "CreateDashboardResponse$RequestId": "The Amazon Web Services request ID for this operation.
", diff --git a/models/apis/resource-groups/2017-11-27/api-2.json b/models/apis/resource-groups/2017-11-27/api-2.json index fe5f4b34b3d..7a5fd0e5452 100644 --- a/models/apis/resource-groups/2017-11-27/api-2.json +++ b/models/apis/resource-groups/2017-11-27/api-2.json @@ -809,7 +809,8 @@ "enum":[ "CLOUDFORMATION_STACK_INACTIVE", "CLOUDFORMATION_STACK_NOT_EXISTING", - "CLOUDFORMATION_STACK_UNASSUMABLE_ROLE" + "CLOUDFORMATION_STACK_UNASSUMABLE_ROLE", + "RESOURCE_TYPE_NOT_SUPPORTED" ] }, "QueryErrorList":{ diff --git a/models/apis/resource-groups/2017-11-27/docs-2.json b/models/apis/resource-groups/2017-11-27/docs-2.json index f2c9f4be5ba..6bfebc812b9 100644 --- a/models/apis/resource-groups/2017-11-27/docs-2.json +++ b/models/apis/resource-groups/2017-11-27/docs-2.json @@ -240,7 +240,7 @@ "GroupFilterList": { "base": null, "refs": { - "ListGroupsInput$Filters": "Filters, formatted as GroupFilter objects, that you want to apply to a ListGroups
operation.
resource-type
- Filter the results to include only those of the specified resource types. Specify up to five resource types in the format AWS::ServiceCode::ResourceType
. For example, AWS::EC2::Instance
, or AWS::S3::Bucket
.
configuration-type
- Filter the results to include only those groups that have the specified configuration types attached. The current supported values are:
AWS::EC2::CapacityReservationPool
AWS::EC2::HostManagement
Filters, formatted as GroupFilter objects, that you want to apply to a ListGroups
operation.
resource-type
- Filter the results to include only those resource groups that have the specified resource type in their ResourceTypeFilter
. For example, AWS::EC2::Instance
would return any resource group with a ResourceTypeFilter
that includes AWS::EC2::Instance
.
configuration-type
- Filter the results to include only those groups that have the specified configuration types attached. The current supported values are:
AWS::AppRegistry::Application
AWS::AppRegistry::ApplicationResourceGroups
AWS::CloudFormation::Stack
AWS::EC2::CapacityReservationPool
AWS::EC2::HostManagement
AWS::NetworkFirewall::RuleGroup
The name of the group, which is the identifier of the group in other operations. You can't change the name of a resource group after you create it. A resource group name can consist of letters, numbers, hyphens, periods, and underscores. The name cannot start with AWS
or aws
; these are reserved. A resource group name must be unique within each Amazon Web Services Region in your Amazon Web Services account.
The name of the group, which is the identifier of the group in other operations. You can't change the name of a resource group after you create it. A resource group name can consist of letters, numbers, hyphens, periods, and underscores. The name cannot start with AWS
, aws
, or any other possible capitalization; these are reserved. A resource group name must be unique within each Amazon Web Services Region in your Amazon Web Services account.
Deprecated - don't use this parameter. Use Group
instead.
Deprecated - don't use this parameter. Use Group
instead.
Don't use this parameter. Use Group
instead.
A two-part error structure that can occur in ListGroupResources
or SearchResources
operations on CloudFront stack-based queries. The error occurs if the CloudFront stack on which the query is based either does not exist, or has a status that renders the stack inactive. A QueryError
occurrence does not necessarily mean that Resource Groups could not complete the operation, but the resulting group might have no member resources.
A two-part error structure that can occur in ListGroupResources
or SearchResources
.
A list of QueryError
objects. Each error is an object that contains ErrorCode
and Message
structures. Possible values for ErrorCode
are CLOUDFORMATION_STACK_INACTIVE
and CLOUDFORMATION_STACK_NOT_EXISTING
.
A list of QueryError
objects. Each error is an object that contains ErrorCode
and Message
structures.
Possible values for ErrorCode
:
CLOUDFORMATION_STACK_INACTIVE
CLOUDFORMATION_STACK_NOT_EXISTING
A list of QueryError
objects. Each error contains an ErrorCode
and Message
. Possible values for ErrorCode are CLOUDFORMATION_STACK_INACTIVE
, CLOUDFORMATION_STACK_NOT_EXISTING
, CLOUDFORMATION_STACK_UNASSUMABLE_ROLE
and RESOURCE_TYPE_NOT_SUPPORTED
.
A list of QueryError
objects. Each error contains an ErrorCode
and Message
.
Possible values for ErrorCode
:
CLOUDFORMATION_STACK_INACTIVE
CLOUDFORMATION_STACK_NOT_EXISTING
CLOUDFORMATION_STACK_UNASSUMABLE_ROLE
A message that explains the ErrorCode
value. Messages might state that the specified CloudFront stack does not exist (or no longer exists). For CLOUDFORMATION_STACK_INACTIVE
, the message typically states that the CloudFront stack has a status that is not (or no longer) active, such as CREATE_FAILED
.
A message that explains the ErrorCode
.
Amazon Verified Permissions is a permissions management service from Amazon Web Services. You can use Verified Permissions to manage permissions for your application, and authorize user access based on those permissions. Using Verified Permissions, application developers can grant access based on information about the users, resources, and requested actions. You can also evaluate additional information like group membership, attributes of the resources, and session context, such as time of request and IP addresses. Verified Permissions manages these permissions by letting you create and store authorization policies for your applications, such as consumer-facing web sites and enterprise business systems.
Verified Permissions uses Cedar as the policy language to express your permission requirements. Cedar supports both role-based access control (RBAC) and attribute-based access control (ABAC) authorization models.
For more information about configuring, administering, and using Amazon Verified Permissions in your applications, see the Amazon Verified Permissions User Guide.
For more information about the Cedar policy language, see the Cedar Policy Language Guide.
When you write Cedar policies that reference principals, resources and actions, you can define the unique identifiers used for each of those elements. We strongly recommend that you follow these best practices:
Use values like universally unique identifiers (UUIDs) for all principal and resource identifiers.
For example, if user jane
leaves the company, and you later let someone else use the name jane
, then that new user automatically gets access to everything granted by policies that still reference User::\"jane\"
. Cedar can’t distinguish between the new user and the old. This applies to both principal and resource identifiers. Always use identifiers that are guaranteed unique and never reused to ensure that you don’t unintentionally grant access because of the presence of an old identifier in a policy.
Where you use a UUID for an entity, we recommend that you follow it with the // comment specifier and the ‘friendly’ name of your entity. This helps to make your policies easier to understand. For example: principal == User::\"a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111\", // alice
Do not include personally identifying, confidential, or sensitive information as part of the unique identifier for your principals or resources. These identifiers are included in log entries shared in CloudTrail trails.
Several operations return structures that appear similar, but have different purposes. As new functionality is added to the product, the structure used in a parameter of one operation might need to change in a way that wouldn't make sense for the same parameter in a different operation. To help you understand the purpose of each, the following naming convention is used for the structures:
Parameter type structures that end in Detail
are used in Get
operations.
Parameter type structures that end in Item
are used in List
operations.
Parameter type structures that use neither suffix are used in the mutating (create and update) operations.
Makes a series of decisions about multiple authorization requests for one principal or resource. Each request contains the equivalent content of an IsAuthorized
request: principal, action, resource, and context. Either the principal
or the resource
parameter must be identical across all requests. For example, Verified Permissions won't evaluate a pair of requests where bob
views photo1
and alice
views photo2
. Authorization of bob
to view photo1
and photo2
, or bob
and alice
to view photo1
, are valid batches.
The request is evaluated against all policies in the specified policy store that match the entities that you declare. The result of the decisions is a series of Allow
or Deny
responses, along with the IDs of the policies that produced each decision.
The entities
of a BatchIsAuthorized
API request can contain up to 100 principals and up to 100 resources. The requests
of a BatchIsAuthorized
API request can contain up to 30 requests.
The BatchIsAuthorized
operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:IsAuthorized
in their IAM policies.
Makes a series of decisions about multiple authorization requests for one token. The principal in this request comes from an external identity source in the form of an identity or access token, formatted as a JSON web token (JWT). The information in the parameters can also define additional context that Verified Permissions can include in the evaluations.
The request is evaluated against all policies in the specified policy store that match the entities that you provide in the entities declaration and in the token. The result of the decisions is a series of Allow
or Deny
responses, along with the IDs of the policies that produced each decision.
The entities
of a BatchIsAuthorizedWithToken
API request can contain up to 100 resources and up to 99 user groups. The requests
of a BatchIsAuthorizedWithToken
API request can contain up to 30 requests.
The BatchIsAuthorizedWithToken
operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:IsAuthorizedWithToken
in their IAM policies.
Creates a reference to an Amazon Cognito user pool as an external identity provider (IdP).
After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the IsAuthorizedWithToken operation. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Amazon Cognito provides both identity tokens and access tokens, and Verified Permissions can use either or both. Any combination of identity and access tokens results in the same Cedar principal. Verified Permissions automatically translates the information about the identities into the standard Cedar attributes that can be evaluated by your policies. Because the Amazon Cognito identity and access tokens can contain different information, the tokens you choose to use determine which principal attributes are available to access when evaluating Cedar policies.
If you delete a Amazon Cognito user pool or user, tokens from that deleted pool or that deleted user continue to be usable until they expire.
To reference a user from this identity source in your Cedar policies, use the following syntax.
IdentityType::\"<CognitoUserPoolIdentifier>|<CognitoClientId>
Where IdentityType
is the string that you provide to the PrincipalEntityType
parameter for this operation. The CognitoUserPoolId
and CognitoClientId
are defined by the Amazon Cognito user pool.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.
To create a static policy, provide the Cedar policy text in the StaticPolicy
section of the PolicyDefinition
.
To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the templateLinked
section of the PolicyDefinition
. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.
Creating a policy causes it to be validated against the schema in the policy store. If the policy doesn't pass validation, the operation fails and the policy isn't stored.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Creates a policy store. A policy store is a container for policy resources.
Although Cedar supports multiple namespaces, Verified Permissions currently supports only one namespace per policy store.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Retrieve the details for the specified policy template in the specified policy store.
", "GetSchema": "Retrieve the details for the specified schema in the specified policy store.
", "IsAuthorized": "Makes an authorization decision about a service request described in the parameters. The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either Allow
or Deny
, along with a list of the policies that resulted in the decision.
Makes an authorization decision about a service request described in the parameters. The principal in this request comes from an external identity source in the form of an identity token formatted as a JSON web token (JWT). The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either Allow
or Deny
, along with a list of the policies that resulted in the decision.
If you specify the identityToken
parameter, then this operation derives the principal from that token. You must not also include that principal in the entities
parameter or the operation fails and reports a conflict between the two entity sources.
If you provide only an accessToken
, then you can include the entity as part of the entities
parameter to provide additional attributes.
At this time, Verified Permissions accepts tokens from only Amazon Cognito.
Verified Permissions validates each token that is specified in a request by checking its expiration date and its signature.
If you delete a Amazon Cognito user pool or user, tokens from that deleted pool or that deleted user continue to be usable until they expire.
Makes an authorization decision about a service request described in the parameters. The principal in this request comes from an external identity source in the form of an identity token formatted as a JSON web token (JWT). The information in the parameters can also define additional context that Verified Permissions can include in the evaluation. The request is evaluated against all matching policies in the specified policy store. The result of the decision is either Allow
or Deny
, along with a list of the policies that resulted in the decision.
At this time, Verified Permissions accepts tokens from only Amazon Cognito.
Verified Permissions validates each token that is specified in a request by checking its expiration date and its signature.
If you delete a Amazon Cognito user pool or user, tokens from that deleted pool or that deleted user continue to be usable until they expire.
Returns a paginated list of all of the identity sources defined in the specified policy store.
", "ListPolicies": "Returns a paginated list of all policies stored in the specified policy store.
", "ListPolicyStores": "Returns a paginated list of all policy stores in the calling Amazon Web Services account.
", @@ -44,6 +45,7 @@ "base": "Contains information about an action for a request for which an authorization decision is made.
This data type is used as a request parameter to the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example: { \"actionId\": \"<action name>\", \"actionType\": \"Action\" }
Specifies the requested action to be authorized. For example, PhotoFlash::ReadPhoto
.
Specifies the requested action to be authorized. For example, PhotoFlash::ReadPhoto
.
Specifies the requested action to be authorized. For example, is the principal authorized to perform this action on the resource?
", "IsAuthorizedWithTokenInput$action": "Specifies the requested action to be authorized. Is the specified principal authorized to perform this action on the specified resource.
" } @@ -98,6 +100,41 @@ "BatchIsAuthorizedOutput$results": "A series of Allow
or Deny
decisions for each request, and the policies that produced them.
An authorization request that you include in a BatchIsAuthorizedWithToken
API request.
The authorization request that initiated the decision.
" + } + }, + "BatchIsAuthorizedWithTokenInputList": { + "base": null, + "refs": { + "BatchIsAuthorizedWithTokenInput$requests": "An array of up to 30 requests that you want Verified Permissions to evaluate.
" + } + }, + "BatchIsAuthorizedWithTokenOutput": { + "base": null, + "refs": { + } + }, + "BatchIsAuthorizedWithTokenOutputItem": { + "base": "The decision, based on policy evaluation, from an individual authorization request in a BatchIsAuthorizedWithToken
API request.
A series of Allow
or Deny
decisions for each request, and the policies that produced them.
The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
This data type is part of a CognitoUserPoolConfiguration structure and is a request parameter in CreateIdentitySource.
", + "base": "A list of user groups and entities from an Amazon Cognito user pool identity source.
This data type is part of a CognitoUserPoolConfiguration structure and is a request parameter in CreateIdentitySource.
", "refs": { - "CognitoUserPoolConfiguration$groupConfiguration": "The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
" + "CognitoUserPoolConfiguration$groupConfiguration": "The configuration of the user groups from an Amazon Cognito user pool identity source.
" } }, "CognitoGroupConfigurationDetail": { - "base": "The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
This data type is part of an CognitoUserPoolConfigurationDetail structure and is a response parameter to GetIdentitySource.
", + "base": "A list of user groups and entities from an Amazon Cognito user pool identity source.
This data type is part of an CognitoUserPoolConfigurationDetail structure and is a response parameter to GetIdentitySource.
", "refs": { - "CognitoUserPoolConfigurationDetail$groupConfiguration": "The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
" + "CognitoUserPoolConfigurationDetail$groupConfiguration": "The configuration of the user groups from an Amazon Cognito user pool identity source.
" } }, "CognitoGroupConfigurationItem": { - "base": "The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
This data type is part of an CognitoUserPoolConfigurationItem structure and is a response parameter to ListIdentitySources.
", + "base": "A list of user groups and entities from an Amazon Cognito user pool identity source.
This data type is part of an CognitoUserPoolConfigurationItem structure and is a response parameter to ListIdentitySources.
", "refs": { - "CognitoUserPoolConfigurationItem$groupConfiguration": "The type of entity that a policy store maps to groups from an Amazon Cognito user pool identity source.
" + "CognitoUserPoolConfigurationItem$groupConfiguration": "The configuration of the user groups from an Amazon Cognito user pool identity source.
" } }, "CognitoUserPoolConfiguration": { - "base": "The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
This data type is used as a field that is part of an Configuration structure that is used as a parameter to CreateIdentitySource.
Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}
The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
This data type is used as a field that is part of an Configuration structure that is used as a parameter to CreateIdentitySource.
Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}
Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool and one or more application client IDs.
Example: \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}}
The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
This data type is used as a field that is part of an ConfigurationDetail structure that is part of the response to GetIdentitySource.
Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}
The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
This data type is used as a field that is part of an ConfigurationDetail structure that is part of the response to GetIdentitySource.
Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}
Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool, the policy store entity that you want to assign to user groups, and one or more application client IDs.
Example: \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}}
Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool and one or more application client IDs.
Example: \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}}
The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
This data type is used as a field that is part of the ConfigurationItem structure that is part of the response to ListIdentitySources.
Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}
The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
This data type is used as a field that is part of the ConfigurationItem structure that is part of the response to ListIdentitySources.
Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}
Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool, the policy store entity that you want to assign to user groups, and one or more application client IDs.
Example: \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}}
Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool and one or more application client IDs.
Example: \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"],\"groupConfiguration\": {\"groupEntityType\": \"MyCorp::Group\"}}}
Contains configuration information used when creating a new identity source.
At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.
Specifies a userPoolArn
, a groupConfiguration
, and a ClientId
.
This data type is used as a request parameter for the CreateIdentitySource operation.
", + "base": "Contains configuration information used when creating a new identity source.
At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.
You must specify a userPoolArn
, and optionally, a ClientId
.
This data type is used as a request parameter for the CreateIdentitySource operation.
", "refs": { "CreateIdentitySourceInput$configuration": "Specifies the details required to communicate with the identity provider (IdP) associated with this identity source.
At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.
You must specify a UserPoolArn
, and optionally, a ClientId
.
Contains additional details about the context of the request. Verified Permissions evaluates this information in an authorization request as part of the when
and unless
clauses in a policy.
This data type is used as a request parameter for the IsAuthorized, BatchIsAuthorized, and IsAuthorizedWithToken operations.
Example: \"context\":{\"contextMap\":{\"<KeyName1>\":{\"boolean\":true},\"<KeyName2>\":{\"long\":1234}}}
Specifies additional context that can be used to make more granular authorization decisions.
", + "BatchIsAuthorizedWithTokenInputItem$context": "Specifies additional context that can be used to make more granular authorization decisions.
", "IsAuthorizedInput$context": "Specifies additional context that can be used to make more granular authorization decisions.
", "IsAuthorizedWithTokenInput$context": "Specifies additional context that can be used to make more granular authorization decisions.
" } @@ -244,6 +282,7 @@ "base": null, "refs": { "BatchIsAuthorizedOutputItem$decision": "An authorization decision that indicates if the authorization request should be allowed or denied.
", + "BatchIsAuthorizedWithTokenOutputItem$decision": "An authorization decision that indicates if the authorization request should be allowed or denied.
", "IsAuthorizedOutput$decision": "An authorization decision that indicates if the authorization request should be allowed or denied.
", "IsAuthorizedWithTokenOutput$decision": "An authorization decision that indicates if the authorization request should be allowed or denied.
" } @@ -298,6 +337,7 @@ "base": null, "refs": { "BatchIsAuthorizedOutputItem$determiningPolicies": "The list of determining policies used to make the authorization decision. For example, if there are two matching policies, where one is a forbid and the other is a permit, then the forbid policy will be the determining policy. In the case of multiple matching permit policies then there would be multiple determining policies. In the case that no policies match, and hence the response is DENY, there would be no determining policies.
", + "BatchIsAuthorizedWithTokenOutputItem$determiningPolicies": "The list of determining policies used to make the authorization decision. For example, if there are two matching policies, where one is a forbid and the other is a permit, then the forbid policy will be the determining policy. In the case of multiple matching permit policies then there would be multiple determining policies. In the case that no policies match, and hence the response is DENY, there would be no determining policies.
", "IsAuthorizedOutput$determiningPolicies": "The list of determining policies used to make the authorization decision. For example, if there are two matching policies, where one is a forbid and the other is a permit, then the forbid policy will be the determining policy. In the case of multiple matching permit policies then there would be multiple determining policies. In the case that no policies match, and hence the response is DENY, there would be no determining policies.
", "IsAuthorizedWithTokenOutput$determiningPolicies": "The list of determining policies used to make the authorization decision. For example, if there are multiple matching policies, where at least one is a forbid policy, then because forbid always overrides permit the forbid policies are the determining policies. If all matching policies are permit policies, then those policies are the determining policies. When no policies match and the response is the default DENY, there are no determining policies.
" } @@ -313,8 +353,9 @@ "base": "Contains the list of entities to be considered during an authorization request. This includes all principals, resources, and actions required to successfully evaluate the request.
This data type is used as a field in the response parameter for the IsAuthorized and IsAuthorizedWithToken operations.
", "refs": { "BatchIsAuthorizedInput$entities": "Specifies the list of resources and principals and their associated attributes that Verified Permissions can examine when evaluating the policies.
You can include only principal and resource entities in this parameter; you can't include actions. You must specify actions in the schema.
Specifies the list of resources and their associated attributes that Verified Permissions can examine when evaluating the policies.
You can't include principals in this parameter, only resource and action entities. This parameter can't include any entities of a type that matches the user or group entity types that you defined in your identity source.
The BatchIsAuthorizedWithToken
operation takes principal attributes from only the identityToken
or accessToken
passed to the operation.
For action entities, you can include only their Identifier
and EntityType
.
Specifies the list of resources and principals and their associated attributes that Verified Permissions can examine when evaluating the policies.
You can include only principal and resource entities in this parameter; you can't include actions. You must specify actions in the schema.
Specifies the list of resources and their associated attributes that Verified Permissions can examine when evaluating the policies.
You can include only resource and action entities in this parameter; you can't include principals.
The IsAuthorizedWithToken
operation takes principal attributes from only the identityToken
or accessToken
passed to the operation.
For action entities, you can include only their Identifier
and EntityType
.
Specifies the list of resources and their associated attributes that Verified Permissions can examine when evaluating the policies.
You can't include principals in this parameter, only resource and action entities. This parameter can't include any entities of a type that matches the user or group entity types that you defined in your identity source.
The IsAuthorizedWithToken
operation takes principal attributes from only the identityToken
or accessToken
passed to the operation.
For action entities, you can include only their Identifier
and EntityType
.
An attribute value of type EntityIdentifier.
Example: \"entityIdentifier\": { \"entityId\": \"<id>\", \"entityType\": \"<entity type>\"}
Specifies the principal for which the authorization decision is to be made.
", "BatchIsAuthorizedInputItem$resource": "Specifies the resource that you want an authorization decision for. For example, PhotoFlash::Photo
.
Specifies the resource that you want an authorization decision for. For example, PhotoFlash::Photo
.
The identifier of the principal in the ID or access token.
", "CreatePolicyOutput$principal": "The principal specified in the new policy's scope. This response element isn't present when principal
isn't specified in the policy content.
The resource specified in the new policy's scope. This response element isn't present when the resource
isn't specified in the policy content.
The identifier of the entity.
", @@ -393,6 +436,7 @@ "base": null, "refs": { "BatchIsAuthorizedOutputItem$errors": "Errors that occurred while making an authorization decision. For example, a policy might reference an entity or attribute that doesn't exist in the request.
", + "BatchIsAuthorizedWithTokenOutputItem$errors": "Errors that occurred while making an authorization decision. For example, a policy might reference an entity or attribute that doesn't exist in the request.
", "IsAuthorizedOutput$errors": "Errors that occurred while making an authorization decision, for example, a policy references an Entity or entity Attribute that does not exist in the slice.
", "IsAuthorizedWithTokenOutput$errors": "Errors that occurred while making an authorization decision. For example, a policy references an entity or entity attribute that does not exist in the slice.
" } @@ -717,6 +761,7 @@ "base": null, "refs": { "BatchIsAuthorizedInput$policyStoreId": "Specifies the ID of the policy store. Policies in this policy store will be used to make the authorization decisions for the input.
", + "BatchIsAuthorizedWithTokenInput$policyStoreId": "Specifies the ID of the policy store. Policies in this policy store will be used to make an authorization decision for the input.
", "CreateIdentitySourceInput$policyStoreId": "Specifies the ID of the policy store in which you want to store this identity source. Only policies and requests made using this policy store can reference identities from the identity provider configured in the new identity source.
", "CreateIdentitySourceOutput$policyStoreId": "The ID of the policy store that contains the identity source.
", "CreatePolicyInput$policyStoreId": "Specifies the PolicyStoreId
of the policy store you want to store the policy in.
Specifies an identity (ID) token for the principal that you want to authorize in each request. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken
, an identityToken
, or both.
Must be an ID token. Verified Permissions returns an error if the token_use
claim in the submitted token isn't id
.
Specifies an access token for the principal that you want to authorize in each request. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken
, an identityToken
, or both.
Must be an access token. Verified Permissions returns an error if the token_use
claim in the submitted token isn't access
.
Specifies an identity token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken
, an identityToken
, or both.
Must be an ID token. Verified Permissions returns an error if the token_use
claim in the submitted token isn't id
.
Specifies an access token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken
, an identityToken
, or both.
Must be an access token. Verified Permissions returns an error if the token_use
claim in the submitted token isn't access
.
The user group entities from an Amazon Cognito user pool identity source.
", + "base": "A list of user groups and entities from an Amazon Cognito user pool identity source.
", "refs": { "UpdateCognitoUserPoolConfiguration$groupConfiguration": "The configuration of the user groups from an Amazon Cognito user pool identity source.
" } diff --git a/models/endpoints/endpoints.json b/models/endpoints/endpoints.json index a8254739179..8fb3f59ff15 100644 --- a/models/endpoints/endpoints.json +++ b/models/endpoints/endpoints.json @@ -11040,6 +11040,7 @@ "ap-southeast-3" : { }, "ap-southeast-4" : { }, "ca-central-1" : { }, + "ca-west-1" : { }, "eu-central-1" : { }, "eu-central-2" : { }, "eu-north-1" : { }, @@ -13494,6 +13495,12 @@ }, "hostname" : "portal.sso.ap-south-1.amazonaws.com" }, + "ap-south-2" : { + "credentialScope" : { + "region" : "ap-south-2" + }, + "hostname" : "portal.sso.ap-south-2.amazonaws.com" + }, "ap-southeast-1" : { "credentialScope" : { "region" : "ap-southeast-1" @@ -13548,6 +13555,12 @@ }, "hostname" : "portal.sso.eu-south-1.amazonaws.com" }, + "eu-south-2" : { + "credentialScope" : { + "region" : "eu-south-2" + }, + "hostname" : "portal.sso.eu-south-2.amazonaws.com" + }, "eu-west-1" : { "credentialScope" : { "region" : "eu-west-1" @@ -15007,15 +15020,26 @@ }, "rum" : { "endpoints" : { + "af-south-1" : { }, "ap-northeast-1" : { }, + "ap-northeast-2" : { }, + "ap-northeast-3" : { }, + "ap-south-1" : { }, "ap-southeast-1" : { }, "ap-southeast-2" : { }, + "ap-southeast-3" : { }, + "ca-central-1" : { }, "eu-central-1" : { }, "eu-north-1" : { }, + "eu-south-1" : { }, "eu-west-1" : { }, "eu-west-2" : { }, + "eu-west-3" : { }, + "me-south-1" : { }, + "sa-east-1" : { }, "us-east-1" : { }, "us-east-2" : { }, + "us-west-1" : { }, "us-west-2" : { } } }, @@ -18018,6 +18042,7 @@ "ap-northeast-2" : { }, "ap-northeast-3" : { }, "ap-south-1" : { }, + "ap-south-2" : { }, "ap-southeast-1" : { }, "ap-southeast-2" : { }, "ap-southeast-3" : { }, @@ -18027,6 +18052,7 @@ "eu-central-2" : { }, "eu-north-1" : { }, "eu-south-1" : { }, + "eu-south-2" : { }, "eu-west-1" : { }, "eu-west-2" : { }, "eu-west-3" : { }, 
@@ -27126,6 +27152,40 @@ "us-iso-west-1" : { } } }, + "fsx" : { + "endpoints" : { + "fips-prod-us-iso-east-1" : { + "credentialScope" : { + "region" : "us-iso-east-1" + }, + "deprecated" : true, + "hostname" : "fsx-fips.us-iso-east-1.c2s.ic.gov" + }, + "fips-us-iso-east-1" : { + "credentialScope" : { + "region" : "us-iso-east-1" + }, + "deprecated" : true, + "hostname" : "fsx-fips.us-iso-east-1.c2s.ic.gov" + }, + "prod-us-iso-east-1" : { + "credentialScope" : { + "region" : "us-iso-east-1" + }, + "deprecated" : true, + "variants" : [ { + "hostname" : "fsx-fips.us-iso-east-1.c2s.ic.gov", + "tags" : [ "fips" ] + } ] + }, + "us-iso-east-1" : { + "variants" : [ { + "hostname" : "fsx-fips.us-iso-east-1.c2s.ic.gov", + "tags" : [ "fips" ] + } ] + } + } + }, "glacier" : { "endpoints" : { "us-iso-east-1" : { diff --git a/service/quicksight/api.go b/service/quicksight/api.go index 86221a6ce69..072187e4611 100644 --- a/service/quicksight/api.go +++ b/service/quicksight/api.go @@ -20179,8 +20179,9 @@ func (s *AggregationSortConfiguration) SetSortDirection(v string) *AggregationSo return s } -// The configuration for applying a filter to all sheets. You can apply this -// filter to all visuals on every sheet. +// An empty object that represents that the AllSheets option is the chosen value +// for the FilterScopeConfiguration parameter. This structure applies the filter +// to all visuals on all sheets of an Analysis, Dashboard, or Template. // // This is a union type structure. For this structure to be valid, only one // of the attributes can be defined. 
@@ -31516,6 +31517,9 @@ type CreateAccountSubscriptionInput struct { // selected edition of the new Amazon QuickSight account. FirstName *string `type:"string"` + // The Amazon Resource Name (ARN) for the IAM Identity Center instance. + IAMIdentityCenterInstanceArn *string `type:"string"` + // The last name of the author of the Amazon QuickSight account to use for future // communications. This field is required if ENTERPPRISE_AND_Q is the selected // edition of the new Amazon QuickSight account. @@ -31659,6 +31663,12 @@ func (s *CreateAccountSubscriptionInput) SetFirstName(v string) *CreateAccountSu return s } +// SetIAMIdentityCenterInstanceArn sets the IAMIdentityCenterInstanceArn field's value. +func (s *CreateAccountSubscriptionInput) SetIAMIdentityCenterInstanceArn(v string) *CreateAccountSubscriptionInput { + s.IAMIdentityCenterInstanceArn = &v + return s +} + // SetLastName sets the LastName field's value. func (s *CreateAccountSubscriptionInput) SetLastName(v string) *CreateAccountSubscriptionInput { s.LastName = &v @@ -55991,7 +56001,10 @@ func (s *FilterRelativeDateTimeControl) SetTitle(v string) *FilterRelativeDateTi type FilterScopeConfiguration struct { _ struct{} `type:"structure"` - // The configuration for applying a filter to all sheets. + // The configuration that applies a filter to all sheets. When you choose AllSheets + // as the value for a FilterScopeConfiguration, this filter is applied to all + // visuals of all sheets in an Analysis, Dashboard, or Template. The AllSheetsFilterScopeConfiguration + // is chosen. AllSheets *AllSheetsFilterScopeConfiguration `type:"structure"` // The configuration for applying a filter to specific sheets. diff --git a/service/resourcegroups/api.go b/service/resourcegroups/api.go index 5f9371264ca..15856ee5ed7 100644 --- a/service/resourcegroups/api.go +++ b/service/resourcegroups/api.go 
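Review bot: The comment on the new IAMIdentityCenterInstanceArn field says only what the value is, not whether it is optional or which authentication method it belongs with, so a caller reading the generated type cannot tell when omitting it is valid. If the service model states that relationship, the field comment should carry it, e.g. a second sentence naming the AuthenticationMethod value it applies to and whether the service ignores or rejects it otherwise. No format check of the ARN appears in this hunk, and CreateAccountSubscriptionInput's Validate method is outside it, so whether a malformed value is rejected client-side or only by the service cannot be confirmed from here. The SetIAMIdentityCenterInstanceArn setter follows the file's existing `s.Field = &v; return s` pattern, so no change is needed there.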
@@ -2173,9 +2173,9 @@ type CreateGroupInput struct { // The name of the group, which is the identifier of the group in other operations. // You can't change the name of a resource group after you create it. A resource // group name can consist of letters, numbers, hyphens, periods, and underscores. - // The name cannot start with AWS or aws; these are reserved. A resource group - // name must be unique within each Amazon Web Services Region in your Amazon - // Web Services account. + // The name cannot start with AWS, aws, or any other possible capitalization; + // these are reserved. A resource group name must be unique within each Amazon + // Web Services Region in your Amazon Web Services account. // // Name is a required field Name *string `min:"1" type:"string" required:"true"` @@ -3730,9 +3730,9 @@ type ListGroupResourcesOutput struct { // should repeat this until the NextToken response element comes back as null. NextToken *string `type:"string"` - // A list of QueryError objects. Each error is an object that contains ErrorCode - // and Message structures. Possible values for ErrorCode are CLOUDFORMATION_STACK_INACTIVE - // and CLOUDFORMATION_STACK_NOT_EXISTING. + // A list of QueryError objects. Each error contains an ErrorCode and Message. + // Possible values for ErrorCode are CLOUDFORMATION_STACK_INACTIVE, CLOUDFORMATION_STACK_NOT_EXISTING, + // CLOUDFORMATION_STACK_UNASSUMABLE_ROLE and RESOURCE_TYPE_NOT_SUPPORTED. QueryErrors []*QueryError `type:"list"` // 
@@ -3795,13 +3795,16 @@ type ListGroupsInput struct { // Filters, formatted as GroupFilter objects, that you want to apply to a ListGroups // operation. // - // * resource-type - Filter the results to include only those of the specified - // resource types. Specify up to five resource types in the format AWS::ServiceCode::ResourceType - // . For example, AWS::EC2::Instance, or AWS::S3::Bucket. + // * resource-type - Filter the results to include only those resource groups + // that have the specified resource type in their ResourceTypeFilter. For + // example, AWS::EC2::Instance would return any resource group with a ResourceTypeFilter + // that includes AWS::EC2::Instance. // // * configuration-type - Filter the results to include only those groups // that have the specified configuration types attached. The current supported - // values are: AWS::EC2::CapacityReservationPool AWS::EC2::HostManagement + // values are: AWS::AppRegistry::Application AWS::AppRegistry::ApplicationResourceGroups + // AWS::CloudFormation::Stack AWS::EC2::CapacityReservationPool AWS::EC2::HostManagement + // AWS::NetworkFirewall::RuleGroup Filters []*GroupFilter `type:"list"` // The total number of results that you want included on each page of the response. 
@@ -4195,22 +4198,14 @@ func (s PutGroupConfigurationOutput) GoString() string { return s.String() } -// A two-part error structure that can occur in ListGroupResources or SearchResources -// operations on CloudFront stack-based queries. The error occurs if the CloudFront -// stack on which the query is based either does not exist, or has a status -// that renders the stack inactive. A QueryError occurrence does not necessarily -// mean that Resource Groups could not complete the operation, but the resulting -// group might have no member resources. +// A two-part error structure that can occur in ListGroupResources or SearchResources. type QueryError struct { _ struct{} `type:"structure"` // Specifies the error code that was raised. ErrorCode *string `type:"string" enum:"QueryErrorCode"` - // A message that explains the ErrorCode value. Messages might state that the - // specified CloudFront stack does not exist (or no longer exists). For CLOUDFORMATION_STACK_INACTIVE, - // the message typically states that the CloudFront stack has a status that - // is not (or no longer) active, such as CREATE_FAILED. + // A message that explains the ErrorCode. Message *string `type:"string"` } @@ -4615,14 +4610,15 @@ type SearchResourcesOutput struct { // should repeat this until the NextToken response element comes back as null. NextToken *string `type:"string"` - // A list of QueryError objects. Each error is an object that contains ErrorCode - // and Message structures. + // A list of QueryError objects. Each error contains an ErrorCode and Message. // // Possible values for ErrorCode: // // * CLOUDFORMATION_STACK_INACTIVE // // * CLOUDFORMATION_STACK_NOT_EXISTING + // + // * CLOUDFORMATION_STACK_UNASSUMABLE_ROLE QueryErrors []*QueryError `type:"list"` // The ARNs and resource types of resources that are members of the group that 
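Review bot: The rewritten SearchResourcesOutput.QueryErrors comment lists CLOUDFORMATION_STACK_INACTIVE, CLOUDFORMATION_STACK_NOT_EXISTING and CLOUDFORMATION_STACK_UNASSUMABLE_ROLE but not RESOURCE_TYPE_NOT_SUPPORTED, which the ListGroupResourcesOutput comment in this same commit names and which the QueryErrorCode enum gains further down. If SearchResources can return that code too, the list is incomplete and a caller who enumerates cases from this comment will miss it; add `// * RESOURCE_TYPE_NOT_SUPPORTED` as a fourth bullet. If it genuinely cannot, a short sentence saying that the two operations report different code sets would stop the next reader from "fixing" it. Either way, code that switches on ErrorCode should keep a default branch rather than trust either list to be exhaustive, since this commit shows the set grows over time.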
@@ -5484,6 +5480,9 @@ const ( // QueryErrorCodeCloudformationStackUnassumableRole is a QueryErrorCode enum value QueryErrorCodeCloudformationStackUnassumableRole = "CLOUDFORMATION_STACK_UNASSUMABLE_ROLE" + + // QueryErrorCodeResourceTypeNotSupported is a QueryErrorCode enum value + QueryErrorCodeResourceTypeNotSupported = "RESOURCE_TYPE_NOT_SUPPORTED" ) // QueryErrorCode_Values returns all elements of the QueryErrorCode enum @@ -5492,6 +5491,7 @@ func QueryErrorCode_Values() []string { QueryErrorCodeCloudformationStackInactive, QueryErrorCodeCloudformationStackNotExisting, QueryErrorCodeCloudformationStackUnassumableRole, + QueryErrorCodeResourceTypeNotSupported, } } diff --git a/service/verifiedpermissions/api.go b/service/verifiedpermissions/api.go index 7da23073e56..61e57cc59f2 100644 --- a/service/verifiedpermissions/api.go +++ b/service/verifiedpermissions/api.go 
@@ -167,6 +167,159 @@ func (c *VerifiedPermissions) BatchIsAuthorizedWithContext(ctx aws.Context, inpu return out, req.Send() } +const opBatchIsAuthorizedWithToken = "BatchIsAuthorizedWithToken" + +// BatchIsAuthorizedWithTokenRequest generates a "aws/request.Request" representing the +// client's request for the BatchIsAuthorizedWithToken operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See BatchIsAuthorizedWithToken for more information on using the BatchIsAuthorizedWithToken +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the BatchIsAuthorizedWithTokenRequest method. +// req, resp := client.BatchIsAuthorizedWithTokenRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/BatchIsAuthorizedWithToken +func (c *VerifiedPermissions) BatchIsAuthorizedWithTokenRequest(input *BatchIsAuthorizedWithTokenInput) (req *request.Request, output *BatchIsAuthorizedWithTokenOutput) { + op := &request.Operation{ + Name: opBatchIsAuthorizedWithToken, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &BatchIsAuthorizedWithTokenInput{} + } + + output = &BatchIsAuthorizedWithTokenOutput{} + req = c.newRequest(op, input, output) + return +} + +// BatchIsAuthorizedWithToken API operation for Amazon Verified Permissions. +// +// Makes a series of decisions about multiple authorization requests for one +// token. 
The principal in this request comes from an external identity source +// in the form of an identity or access token, formatted as a JSON web token +// (JWT) (https://wikipedia.org/wiki/JSON_Web_Token). The information in the +// parameters can also define additional context that Verified Permissions can +// include in the evaluations. +// +// The request is evaluated against all policies in the specified policy store +// that match the entities that you provide in the entities declaration and +// in the token. The result of the decisions is a series of Allow or Deny responses, +// along with the IDs of the policies that produced each decision. +// +// The entities of a BatchIsAuthorizedWithToken API request can contain up to +// 100 resources and up to 99 user groups. The requests of a BatchIsAuthorizedWithToken +// API request can contain up to 30 requests. +// +// The BatchIsAuthorizedWithToken operation doesn't have its own IAM permission. +// To authorize this operation for Amazon Web Services principals, include the +// permission verifiedpermissions:IsAuthorizedWithToken in their IAM policies. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Verified Permissions's +// API operation BatchIsAuthorizedWithToken for usage and error information. +// +// Returned Error Types: +// +// - ValidationException +// The request failed because one or more input parameters don't satisfy their +// constraint requirements. The output is provided as a list of fields and a +// reason for each field that isn't valid. +// +// The possible reasons include the following: +// +// - UnrecognizedEntityType The policy includes an entity type that isn't +// found in the schema. +// +// - UnrecognizedActionId The policy includes an action id that isn't found +// in the schema. 
+// +// - InvalidActionApplication The policy includes an action that, according +// to the schema, doesn't support the specified principal and resource. +// +// - UnexpectedType The policy included an operand that isn't a valid type +// for the specified operation. +// +// - IncompatibleTypes The types of elements included in a set, or the types +// of expressions used in an if...then...else clause aren't compatible in +// this context. +// +// - MissingAttribute The policy attempts to access a record or entity attribute +// that isn't specified in the schema. Test for the existence of the attribute +// first before attempting to access its value. For more information, see +// the has (presence of attribute test) operator (https://docs.cedarpolicy.com/policies/syntax-operators.html#has-presence-of-attribute-test) +// in the Cedar Policy Language Guide. +// +// - UnsafeOptionalAttributeAccess The policy attempts to access a record +// or entity attribute that is optional and isn't guaranteed to be present. +// Test for the existence of the attribute first before attempting to access +// its value. For more information, see the has (presence of attribute test) +// operator (https://docs.cedarpolicy.com/policies/syntax-operators.html#has-presence-of-attribute-test) +// in the Cedar Policy Language Guide. +// +// - ImpossiblePolicy Cedar has determined that a policy condition always +// evaluates to false. If the policy is always false, it can never apply +// to any query, and so it can never affect an authorization decision. +// +// - WrongNumberArguments The policy references an extension type with the +// wrong number of arguments. +// +// - FunctionArgumentValidationError Cedar couldn't parse the argument passed +// to an extension type. For example, a string that is to be parsed as an +// IPv4 address can contain only digits and the period character. +// +// - AccessDeniedException +// You don't have sufficient access to perform this action. 
+// +// - ResourceNotFoundException +// The request failed because it references a resource that doesn't exist. +// +// - ThrottlingException +// The request failed because it exceeded a throttling quota. +// +// - InternalServerException +// The request failed because of an internal error. Try your request again later +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/BatchIsAuthorizedWithToken +func (c *VerifiedPermissions) BatchIsAuthorizedWithToken(input *BatchIsAuthorizedWithTokenInput) (*BatchIsAuthorizedWithTokenOutput, error) { + req, out := c.BatchIsAuthorizedWithTokenRequest(input) + return out, req.Send() +} + +// BatchIsAuthorizedWithTokenWithContext is the same as BatchIsAuthorizedWithToken with the addition of +// the ability to pass a context and additional request options. +// +// See BatchIsAuthorizedWithToken for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *VerifiedPermissions) BatchIsAuthorizedWithTokenWithContext(ctx aws.Context, input *BatchIsAuthorizedWithTokenInput, opts ...request.Option) (*BatchIsAuthorizedWithTokenOutput, error) { + req, out := c.BatchIsAuthorizedWithTokenRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opCreateIdentitySource = "CreateIdentitySource" // CreateIdentitySourceRequest generates a "aws/request.Request" representing the 
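Review bot: The BatchIsAuthorizedWithToken doc comment describes the result only as "a series of Allow or Deny responses, along with the IDs of the policies", but the docs model in this same commit gives each BatchIsAuthorizedWithTokenOutputItem an errors list as well, and an item whose evaluation reported an error is not a clean policy decision. A caller that reads only Decision can take a default DENY (no matching policies) or an error-laden result as equivalent to a forbid-backed one, so the operation comment should tell callers to inspect each item's Errors and DeterminingPolicies alongside its Decision; whether an item with errors still carries a decision is not visible in this hunk and should be confirmed against the service model before wording that sentence. The paragraph noting that this operation is gated by `verifiedpermissions:IsAuthorizedWithToken` rather than its own IAM action is worth keeping prominent, since any existing grant of that action silently covers batch calls of up to 30 requests. The 30-request and 100-resource limits are stated in the comment but no client-side check appears in this hunk; BatchIsAuthorizedWithTokenInput's Validate method is outside it, so enforcement may be service-side only.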
@@ -2234,14 +2387,6 @@ func (c *VerifiedPermissions) IsAuthorizedWithTokenRequest(input *IsAuthorizedWi
 // in the specified policy store. The result of the decision is either Allow
 // or Deny, along with a list of the policies that resulted in the decision.
 //
-// If you specify the identityToken parameter, then this operation derives the
-// principal from that token. You must not also include that principal in the
-// entities parameter or the operation fails and reports a conflict between
-// the two entity sources.
-//
-// If you provide only an accessToken, then you can include the entity as part
-// of the entities parameter to provide additional attributes.
-//
 // At this time, Verified Permissions accepts tokens from only Amazon Cognito.
 //
 // Verified Permissions validates each token that is specified in a request
@@ -4453,8 +4598,350 @@ func (s *BatchIsAuthorizedOutputItem) SetRequest(v *BatchIsAuthorizedInputItem) return s } -// The type of entity that a policy store maps to groups from an Amazon Cognito -// user pool identity source. +type BatchIsAuthorizedWithTokenInput struct { + _ struct{} `type:"structure"` + + // Specifies an access token for the principal that you want to authorize in + // each request. This token is provided to you by the identity provider (IdP) + // associated with the specified identity source. You must specify either an + // accessToken, an identityToken, or both. + // + // Must be an access token. Verified Permissions returns an error if the token_use + // claim in the submitted token isn't access. + // + // AccessToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by BatchIsAuthorizedWithTokenInput's + // String and GoString methods. + AccessToken *string `locationName:"accessToken" min:"1" type:"string" sensitive:"true"` + + // Specifies the list of resources and their associated attributes that Verified + // Permissions can examine when evaluating the policies. + // + // You can't include principals in this parameter, only resource and action + // entities. This parameter can't include any entities of a type that matches + // the user or group entity types that you defined in your identity source. + // + // * The BatchIsAuthorizedWithToken operation takes principal attributes + // from only the identityToken or accessToken passed to the operation. + // + // * For action entities, you can include only their Identifier and EntityType. + Entities *EntitiesDefinition `locationName:"entities" type:"structure"` + + // Specifies an identity (ID) token for the principal that you want to authorize + // in each request. This token is provided to you by the identity provider (IdP) + // associated with the specified identity source. You must specify either an + // accessToken, an identityToken, or both. 
+ // + // Must be an ID token. Verified Permissions returns an error if the token_use + // claim in the submitted token isn't id. + // + // IdentityToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by BatchIsAuthorizedWithTokenInput's + // String and GoString methods. + IdentityToken *string `locationName:"identityToken" min:"1" type:"string" sensitive:"true"` + + // Specifies the ID of the policy store. Policies in this policy store will + // be used to make an authorization decision for the input. + // + // PolicyStoreId is a required field + PolicyStoreId *string `locationName:"policyStoreId" min:"1" type:"string" required:"true"` + + // An array of up to 30 requests that you want Verified Permissions to evaluate. + // + // Requests is a required field + Requests []*BatchIsAuthorizedWithTokenInputItem `locationName:"requests" min:"1" type:"list" required:"true"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s BatchIsAuthorizedWithTokenInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s BatchIsAuthorizedWithTokenInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. 
+func (s *BatchIsAuthorizedWithTokenInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "BatchIsAuthorizedWithTokenInput"} + if s.AccessToken != nil && len(*s.AccessToken) < 1 { + invalidParams.Add(request.NewErrParamMinLen("AccessToken", 1)) + } + if s.IdentityToken != nil && len(*s.IdentityToken) < 1 { + invalidParams.Add(request.NewErrParamMinLen("IdentityToken", 1)) + } + if s.PolicyStoreId == nil { + invalidParams.Add(request.NewErrParamRequired("PolicyStoreId")) + } + if s.PolicyStoreId != nil && len(*s.PolicyStoreId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("PolicyStoreId", 1)) + } + if s.Requests == nil { + invalidParams.Add(request.NewErrParamRequired("Requests")) + } + if s.Requests != nil && len(s.Requests) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Requests", 1)) + } + if s.Entities != nil { + if err := s.Entities.Validate(); err != nil { + invalidParams.AddNested("Entities", err.(request.ErrInvalidParams)) + } + } + if s.Requests != nil { + for i, v := range s.Requests { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Requests", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAccessToken sets the AccessToken field's value. +func (s *BatchIsAuthorizedWithTokenInput) SetAccessToken(v string) *BatchIsAuthorizedWithTokenInput { + s.AccessToken = &v + return s +} + +// SetEntities sets the Entities field's value. +func (s *BatchIsAuthorizedWithTokenInput) SetEntities(v *EntitiesDefinition) *BatchIsAuthorizedWithTokenInput { + s.Entities = v + return s +} + +// SetIdentityToken sets the IdentityToken field's value. +func (s *BatchIsAuthorizedWithTokenInput) SetIdentityToken(v string) *BatchIsAuthorizedWithTokenInput { + s.IdentityToken = &v + return s +} + +// SetPolicyStoreId sets the PolicyStoreId field's value. 
+func (s *BatchIsAuthorizedWithTokenInput) SetPolicyStoreId(v string) *BatchIsAuthorizedWithTokenInput { + s.PolicyStoreId = &v + return s +} + +// SetRequests sets the Requests field's value. +func (s *BatchIsAuthorizedWithTokenInput) SetRequests(v []*BatchIsAuthorizedWithTokenInputItem) *BatchIsAuthorizedWithTokenInput { + s.Requests = v + return s +} + +// An authorization request that you include in a BatchIsAuthorizedWithToken +// API request. +type BatchIsAuthorizedWithTokenInputItem struct { + _ struct{} `type:"structure"` + + // Specifies the requested action to be authorized. For example, PhotoFlash::ReadPhoto. + Action *ActionIdentifier `locationName:"action" type:"structure"` + + // Specifies additional context that can be used to make more granular authorization + // decisions. + Context *ContextDefinition `locationName:"context" type:"structure"` + + // Specifies the resource that you want an authorization decision for. For example, + // PhotoFlash::Photo. + Resource *EntityIdentifier `locationName:"resource" type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s BatchIsAuthorizedWithTokenInputItem) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s BatchIsAuthorizedWithTokenInputItem) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. 
+func (s *BatchIsAuthorizedWithTokenInputItem) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "BatchIsAuthorizedWithTokenInputItem"} + if s.Action != nil { + if err := s.Action.Validate(); err != nil { + invalidParams.AddNested("Action", err.(request.ErrInvalidParams)) + } + } + if s.Context != nil { + if err := s.Context.Validate(); err != nil { + invalidParams.AddNested("Context", err.(request.ErrInvalidParams)) + } + } + if s.Resource != nil { + if err := s.Resource.Validate(); err != nil { + invalidParams.AddNested("Resource", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAction sets the Action field's value. +func (s *BatchIsAuthorizedWithTokenInputItem) SetAction(v *ActionIdentifier) *BatchIsAuthorizedWithTokenInputItem { + s.Action = v + return s +} + +// SetContext sets the Context field's value. +func (s *BatchIsAuthorizedWithTokenInputItem) SetContext(v *ContextDefinition) *BatchIsAuthorizedWithTokenInputItem { + s.Context = v + return s +} + +// SetResource sets the Resource field's value. +func (s *BatchIsAuthorizedWithTokenInputItem) SetResource(v *EntityIdentifier) *BatchIsAuthorizedWithTokenInputItem { + s.Resource = v + return s +} + +type BatchIsAuthorizedWithTokenOutput struct { + _ struct{} `type:"structure"` + + // The identifier of the principal in the ID or access token. + Principal *EntityIdentifier `locationName:"principal" type:"structure"` + + // A series of Allow or Deny decisions for each request, and the policies that + // produced them. + // + // Results is a required field + Results []*BatchIsAuthorizedWithTokenOutputItem `locationName:"results" type:"list" required:"true"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". 
+func (s BatchIsAuthorizedWithTokenOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s BatchIsAuthorizedWithTokenOutput) GoString() string { + return s.String() +} + +// SetPrincipal sets the Principal field's value. +func (s *BatchIsAuthorizedWithTokenOutput) SetPrincipal(v *EntityIdentifier) *BatchIsAuthorizedWithTokenOutput { + s.Principal = v + return s +} + +// SetResults sets the Results field's value. +func (s *BatchIsAuthorizedWithTokenOutput) SetResults(v []*BatchIsAuthorizedWithTokenOutputItem) *BatchIsAuthorizedWithTokenOutput { + s.Results = v + return s +} + +// The decision, based on policy evaluation, from an individual authorization +// request in a BatchIsAuthorizedWithToken API request. +type BatchIsAuthorizedWithTokenOutputItem struct { + _ struct{} `type:"structure"` + + // An authorization decision that indicates if the authorization request should + // be allowed or denied. + // + // Decision is a required field + Decision *string `locationName:"decision" type:"string" required:"true" enum:"Decision"` + + // The list of determining policies used to make the authorization decision. + // For example, if there are two matching policies, where one is a forbid and + // the other is a permit, then the forbid policy will be the determining policy. + // In the case of multiple matching permit policies then there would be multiple + // determining policies. In the case that no policies match, and hence the response + // is DENY, there would be no determining policies. 
+ // + // DeterminingPolicies is a required field + DeterminingPolicies []*DeterminingPolicyItem `locationName:"determiningPolicies" type:"list" required:"true"` + + // Errors that occurred while making an authorization decision. For example, + // a policy might reference an entity or attribute that doesn't exist in the + // request. + // + // Errors is a required field + Errors []*EvaluationErrorItem `locationName:"errors" type:"list" required:"true"` + + // The authorization request that initiated the decision. + // + // Request is a required field + Request *BatchIsAuthorizedWithTokenInputItem `locationName:"request" type:"structure" required:"true"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s BatchIsAuthorizedWithTokenOutputItem) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s BatchIsAuthorizedWithTokenOutputItem) GoString() string { + return s.String() +} + +// SetDecision sets the Decision field's value. +func (s *BatchIsAuthorizedWithTokenOutputItem) SetDecision(v string) *BatchIsAuthorizedWithTokenOutputItem { + s.Decision = &v + return s +} + +// SetDeterminingPolicies sets the DeterminingPolicies field's value. +func (s *BatchIsAuthorizedWithTokenOutputItem) SetDeterminingPolicies(v []*DeterminingPolicyItem) *BatchIsAuthorizedWithTokenOutputItem { + s.DeterminingPolicies = v + return s +} + +// SetErrors sets the Errors field's value. 
+func (s *BatchIsAuthorizedWithTokenOutputItem) SetErrors(v []*EvaluationErrorItem) *BatchIsAuthorizedWithTokenOutputItem { + s.Errors = v + return s +} + +// SetRequest sets the Request field's value. +func (s *BatchIsAuthorizedWithTokenOutputItem) SetRequest(v *BatchIsAuthorizedWithTokenInputItem) *BatchIsAuthorizedWithTokenOutputItem { + s.Request = v + return s +} + +// A list of user groups and entities from an Amazon Cognito user pool identity +// source. // // This data type is part of a CognitoUserPoolConfiguration (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CognitoUserPoolConfiguration.html) // structure and is a request parameter in CreateIdentitySource (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). @@ -4512,8 +4999,8 @@ func (s *CognitoGroupConfiguration) SetGroupEntityType(v string) *CognitoGroupCo return s } -// The type of entity that a policy store maps to groups from an Amazon Cognito -// user pool identity source. +// A list of user groups and entities from an Amazon Cognito user pool identity +// source. // // This data type is part of an CognitoUserPoolConfigurationDetail (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CognitoUserPoolConfigurationItem.html) // structure and is a response parameter to GetIdentitySource (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html). 
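Review bot: Validate() on BatchIsAuthorizedWithTokenInput never checks that at least one of AccessToken or IdentityToken is set, although both field comments state "You must specify either an accessToken, an identityToken, or both"; a request carrying neither passes client-side validation and is only rejected by the service. If the generator cannot express an either-or constraint from the API model, the gap deserves a comment on Validate such as `// NOTE: the service requires AccessToken or IdentityToken; that either-or rule is not enforced here.`, otherwise the check is `if s.AccessToken == nil && s.IdentityToken == nil { invalidParams.Add(request.NewErrParamRequired("AccessToken or IdentityToken")) }`. The Requests comment also promises "up to 30 requests" while the struct tag and Validate only carry min:"1", so the upper bound is likewise left to the service and worth stating in the comment.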
@@ -4553,8 +5040,8 @@ func (s *CognitoGroupConfigurationDetail) SetGroupEntityType(v string) *CognitoG return s } -// The type of entity that a policy store maps to groups from an Amazon Cognito -// user pool identity source. +// A list of user groups and entities from an Amazon Cognito user pool identity +// source. // // This data type is part of an CognitoUserPoolConfigurationItem (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CognitoUserPoolConfigurationDetail.html) // structure and is a response parameter to ListIdentitySources (http://forums.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html). @@ -4601,8 +5088,7 @@ func (s *CognitoGroupConfigurationItem) SetGroupEntityType(v string) *CognitoGro // structure that is used as a parameter to CreateIdentitySource (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). // // Example:"CognitoUserPoolConfiguration":{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": -// ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": -// "MyCorp::Group"}} +// ["a1b2c3d4e5f6g7h8i9j0kalbmc"]} type CognitoUserPoolConfiguration struct { _ struct{} `type:"structure"` @@ -4612,8 +5098,8 @@ type CognitoUserPoolConfiguration struct { // Example: "ClientIds": ["&ExampleCogClientId;"] ClientIds []*string `locationName:"clientIds" type:"list"` - // The type of entity that a policy store maps to groups from an Amazon Cognito - // user pool identity source. + // The configuration of the user groups from an Amazon Cognito user pool identity + // source. GroupConfiguration *CognitoGroupConfiguration `locationName:"groupConfiguration" type:"structure"` // The Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 
@@ -4690,8 +5176,7 @@ func (s *CognitoUserPoolConfiguration) SetUserPoolArn(v string) *CognitoUserPool // structure that is part of the response to GetIdentitySource (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html). // // Example:"CognitoUserPoolConfiguration":{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": -// ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": -// "MyCorp::Group"}} +// ["a1b2c3d4e5f6g7h8i9j0kalbmc"]} type CognitoUserPoolConfigurationDetail struct { _ struct{} `type:"structure"` @@ -4703,8 +5188,8 @@ type CognitoUserPoolConfigurationDetail struct { // ClientIds is a required field ClientIds []*string `locationName:"clientIds" type:"list" required:"true"` - // The type of entity that a policy store maps to groups from an Amazon Cognito - // user pool identity source. + // The configuration of the user groups from an Amazon Cognito user pool identity + // source. GroupConfiguration *CognitoGroupConfigurationDetail `locationName:"groupConfiguration" type:"structure"` // The OpenID Connect (OIDC) issuer ID of the Amazon Cognito user pool that @@ -4773,8 +5258,7 @@ func (s *CognitoUserPoolConfigurationDetail) SetUserPoolArn(v string) *CognitoUs // structure that is part of the response to ListIdentitySources (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html). // // Example:"CognitoUserPoolConfiguration":{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": -// ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": -// "MyCorp::Group"}} +// ["a1b2c3d4e5f6g7h8i9j0kalbmc"]} type CognitoUserPoolConfigurationItem struct { _ struct{} `type:"structure"` 
@@ -4786,8 +5270,8 @@ type CognitoUserPoolConfigurationItem struct { // ClientIds is a required field ClientIds []*string `locationName:"clientIds" type:"list" required:"true"` - // The type of entity that a policy store maps to groups from an Amazon Cognito - // user pool identity source. + // The configuration of the user groups from an Amazon Cognito user pool identity + // source. GroupConfiguration *CognitoGroupConfigurationItem `locationName:"groupConfiguration" type:"structure"` // The OpenID Connect (OIDC) issuer ID of the Amazon Cognito user pool that @@ -4854,7 +5338,7 @@ func (s *CognitoUserPoolConfigurationItem) SetUserPoolArn(v string) *CognitoUser // At this time, the only valid member of this structure is a Amazon Cognito // user pool configuration. // -// Specifies a userPoolArn, a groupConfiguration, and a ClientId. +// You must specify a userPoolArn, and optionally, a ClientId. // // This data type is used as a request parameter for the CreateIdentitySource // (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) @@ -4922,8 +5406,7 @@ type ConfigurationDetail struct { // Contains configuration details of a Amazon Cognito user pool that Verified // Permissions can use as a source of authenticated identities as entities. // It specifies the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // of a Amazon Cognito user pool, the policy store entity that you want to assign - // to user groups, and one or more application client IDs. + // of a Amazon Cognito user pool and one or more application client IDs. // // Example: "configuration":{"cognitoUserPoolConfiguration":{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds": // ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": 
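Review bot: The rewritten Configuration doc in the `@@ -4854` hunk now reads "You must specify a userPoolArn, and optionally, a ClientId" and drops groupConfiguration, yet the GroupConfiguration field is kept on CognitoUserPoolConfiguration, CognitoUserPoolConfigurationDetail and CognitoUserPoolConfigurationItem in the neighbouring hunks, and the ConfigurationDetail and ConfigurationItem examples in the `@@ -4922` and `@@ -4965` hunks still show `"groupConfiguration": {"groupEntityType":` while that element was removed from the three CognitoUserPoolConfiguration examples. A reader gets contradictory guidance on whether group configuration is part of an identity source configuration. Suggest `// You must specify a userPoolArn, and optionally, a ClientId and a groupConfiguration.` and making the five examples agree on whether the groupConfiguration element is shown.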
@@ -4965,8 +5448,7 @@ type ConfigurationItem struct { // Contains configuration details of a Amazon Cognito user pool that Verified // Permissions can use as a source of authenticated identities as entities. // It specifies the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // of a Amazon Cognito user pool, the policy store entity that you want to assign - // to user groups, and one or more application client IDs. + // of a Amazon Cognito user pool and one or more application client IDs. // // Example: "configuration":{"cognitoUserPoolConfiguration":{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds": // ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration": {"groupEntityType": @@ -7966,8 +8448,9 @@ type IsAuthorizedWithTokenInput struct { // Specifies the list of resources and their associated attributes that Verified // Permissions can examine when evaluating the policies. // - // You can include only resource and action entities in this parameter; you - // can't include principals. + // You can't include principals in this parameter, only resource and action + // entities. This parameter can't include any entities of a type that matches + // the user or group entity types that you defined in your identity source. // // * The IsAuthorizedWithToken operation takes principal attributes from // only the identityToken or accessToken passed to the operation. @@ -10078,7 +10561,8 @@ func (s *ThrottlingException) RequestID() string { return s.RespMetadata.RequestID } -// The user group entities from an Amazon Cognito user pool identity source. +// A list of user groups and entities from an Amazon Cognito user pool identity +// source. type UpdateCognitoGroupConfiguration struct { _ struct{} `type:"structure"` 
diff --git a/service/verifiedpermissions/verifiedpermissionsiface/interface.go b/service/verifiedpermissions/verifiedpermissionsiface/interface.go
index 72e36190cbd..fd0ed27f2a9 100644
--- a/service/verifiedpermissions/verifiedpermissionsiface/interface.go
+++ b/service/verifiedpermissions/verifiedpermissionsiface/interface.go
@@ -64,6 +64,10 @@ type VerifiedPermissionsAPI interface {
 BatchIsAuthorizedWithContext(aws.Context, *verifiedpermissions.BatchIsAuthorizedInput, ...request.Option) (*verifiedpermissions.BatchIsAuthorizedOutput, error)
 BatchIsAuthorizedRequest(*verifiedpermissions.BatchIsAuthorizedInput) (*request.Request, *verifiedpermissions.BatchIsAuthorizedOutput)
 
+ BatchIsAuthorizedWithToken(*verifiedpermissions.BatchIsAuthorizedWithTokenInput) (*verifiedpermissions.BatchIsAuthorizedWithTokenOutput, error)
+ BatchIsAuthorizedWithTokenWithContext(aws.Context, *verifiedpermissions.BatchIsAuthorizedWithTokenInput, ...request.Option) (*verifiedpermissions.BatchIsAuthorizedWithTokenOutput, error)
+ BatchIsAuthorizedWithTokenRequest(*verifiedpermissions.BatchIsAuthorizedWithTokenInput) (*request.Request, *verifiedpermissions.BatchIsAuthorizedWithTokenOutput)
+
 CreateIdentitySource(*verifiedpermissions.CreateIdentitySourceInput) (*verifiedpermissions.CreateIdentitySourceOutput, error)
 CreateIdentitySourceWithContext(aws.Context, *verifiedpermissions.CreateIdentitySourceInput, ...request.Option) (*verifiedpermissions.CreateIdentitySourceOutput, error)
 CreateIdentitySourceRequest(*verifiedpermissions.CreateIdentitySourceInput) (*request.Request, *verifiedpermissions.CreateIdentitySourceOutput)
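Review bot: Adding BatchIsAuthorizedWithToken, BatchIsAuthorizedWithTokenWithContext and BatchIsAuthorizedWithTokenRequest to the exported VerifiedPermissionsAPI interface is source-incompatible for any consumer type that implements the interface directly rather than embedding it, for example hand-written fakes used in tests, which will stop compiling on this release. That is the established convention for these generated iface packages, and the package doc (outside this hunk) presumably already advises embedding the interface, so this is a release-note point rather than a code change.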