feat(client-sts): IAM now supports outbound identity federation via the STS GetWebIdentityToken API, enabling AWS workloads to securely authenticate with external services using short-lived JSON Web Tokens.

Author: awstools

clients/client-sts/README.md

@@ -287,3 +287,11 @@ GetSessionToken
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/sts/command/GetSessionTokenCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/GetSessionTokenCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/GetSessionTokenCommandOutput/)
 
 </details>
+<details>
+<summary>
+GetWebIdentityToken
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/sts/command/GetWebIdentityTokenCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/GetWebIdentityTokenCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/GetWebIdentityTokenCommandOutput/)
+
+</details>

clients/client-sts/src/STS.ts

@@ -44,6 +44,11 @@ import {
   GetSessionTokenCommandInput,
   GetSessionTokenCommandOutput,
 } from "./commands/GetSessionTokenCommand";
+import {
+  GetWebIdentityTokenCommand,
+  GetWebIdentityTokenCommandInput,
+  GetWebIdentityTokenCommandOutput,
+} from "./commands/GetWebIdentityTokenCommand";
 import { STSClient, STSClientConfig } from "./STSClient";
 
 const commands = {
@@ -57,6 +62,7 @@ const commands = {
   GetDelegatedAccessTokenCommand,
   GetFederationTokenCommand,
   GetSessionTokenCommand,
+  GetWebIdentityTokenCommand,
 };
 
 export interface STS {
@@ -216,6 +222,23 @@ export interface STS {
     options: __HttpHandlerOptions,
     cb: (err: any, data?: GetSessionTokenCommandOutput) => void
   ): void;
+
+  /**
+   * @see {@link GetWebIdentityTokenCommand}
+   */
+  getWebIdentityToken(
+    args: GetWebIdentityTokenCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<GetWebIdentityTokenCommandOutput>;
+  getWebIdentityToken(
+    args: GetWebIdentityTokenCommandInput,
+    cb: (err: any, data?: GetWebIdentityTokenCommandOutput) => void
+  ): void;
+  getWebIdentityToken(
+    args: GetWebIdentityTokenCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: GetWebIdentityTokenCommandOutput) => void
+  ): void;
 }
 
 /**

clients/client-sts/src/STSClient.ts

@@ -76,6 +76,10 @@ import {
 } from "./commands/GetDelegatedAccessTokenCommand";
 import { GetFederationTokenCommandInput, GetFederationTokenCommandOutput } from "./commands/GetFederationTokenCommand";
 import { GetSessionTokenCommandInput, GetSessionTokenCommandOutput } from "./commands/GetSessionTokenCommand";
+import {
+  GetWebIdentityTokenCommandInput,
+  GetWebIdentityTokenCommandOutput,
+} from "./commands/GetWebIdentityTokenCommand";
 import {
   ClientInputEndpointParameters,
   ClientResolvedEndpointParameters,
@@ -100,7 +104,8 @@ export type ServiceInputTypes =
   | GetCallerIdentityCommandInput
   | GetDelegatedAccessTokenCommandInput
   | GetFederationTokenCommandInput
-  | GetSessionTokenCommandInput;
+  | GetSessionTokenCommandInput
+  | GetWebIdentityTokenCommandInput;
 
 /**
  * @public
@@ -115,7 +120,8 @@ export type ServiceOutputTypes =
   | GetCallerIdentityCommandOutput
   | GetDelegatedAccessTokenCommandOutput
   | GetFederationTokenCommandOutput
-  | GetSessionTokenCommandOutput;
+  | GetSessionTokenCommandOutput
+  | GetWebIdentityTokenCommandOutput;
 
 /**
  * @public

clients/client-sts/src/commands/AssumeRoleCommand.ts

@@ -200,9 +200,8 @@ export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataB
  * @throws {@link RegionDisabledException} (client fault)
  *  <p>STS is not activated in the requested region for the account that is being asked to
  *             generate credentials. The account administrator must use the IAM console to activate
- *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and
- *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                 Guide</i>.</p>
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM
+ *                 User Guide</i>.</p>
  *
  * @throws {@link STSServiceException}
  * <p>Base exception class for all service exceptions from STS service.</p>

clients/client-sts/src/commands/AssumeRoleWithSAMLCommand.ts

@@ -242,9 +242,8 @@ export interface AssumeRoleWithSAMLCommandOutput extends AssumeRoleWithSAMLRespo
  * @throws {@link RegionDisabledException} (client fault)
  *  <p>STS is not activated in the requested region for the account that is being asked to
  *             generate credentials. The account administrator must use the IAM console to activate
- *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and
- *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                 Guide</i>.</p>
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM
+ *                 User Guide</i>.</p>
  *
  * @throws {@link STSServiceException}
  * <p>Base exception class for all service exceptions from STS service.</p>

clients/client-sts/src/commands/AssumeRoleWithWebIdentityCommand.ts

@@ -233,9 +233,8 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
  * @throws {@link RegionDisabledException} (client fault)
  *  <p>STS is not activated in the requested region for the account that is being asked to
  *             generate credentials. The account administrator must use the IAM console to activate
- *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and
- *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                 Guide</i>.</p>
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM
+ *                 User Guide</i>.</p>
  *
  * @throws {@link STSServiceException}
  * <p>Base exception class for all service exceptions from STS service.</p>

clients/client-sts/src/commands/AssumeRootCommand.ts

@@ -88,9 +88,8 @@ export interface AssumeRootCommandOutput extends AssumeRootResponse, __MetadataB
  * @throws {@link RegionDisabledException} (client fault)
  *  <p>STS is not activated in the requested region for the account that is being asked to
  *             generate credentials. The account administrator must use the IAM console to activate
- *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and
- *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                 Guide</i>.</p>
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM
+ *                 User Guide</i>.</p>
  *
  * @throws {@link STSServiceException}
  * <p>Base exception class for all service exceptions from STS service.</p>

clients/client-sts/src/commands/GetDelegatedAccessTokenCommand.ts

@@ -27,7 +27,10 @@ export interface GetDelegatedAccessTokenCommandInput extends GetDelegatedAccessT
 export interface GetDelegatedAccessTokenCommandOutput extends GetDelegatedAccessTokenResponse, __MetadataBearer {}
 
 /**
- * <p>This API is currently unavailable for general use.</p>
+ * <p>Exchanges a trade-in token for temporary Amazon Web Services credentials with the permissions
+ *          associated with the assumed principal. This operation allows you to obtain credentials for
+ *          a specific principal based on a trade-in token, enabling delegation of access to Amazon Web Services
+ *          resources.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -61,14 +64,25 @@ export interface GetDelegatedAccessTokenCommandOutput extends GetDelegatedAccess
  * @see {@link STSClientResolvedConfig | config} for STSClient's `config` shape.
  *
  * @throws {@link ExpiredTradeInTokenException} (client fault)
- *  <p></p>
+ *  <p>The trade-in token provided in the request has expired and can no longer be exchanged
+ *             for credentials. Request a new token and retry the operation.</p>
+ *
+ * @throws {@link PackedPolicyTooLargeException} (client fault)
+ *  <p>The request was rejected because the total packed size of the session policies and
+ *             session tags combined was too large. An Amazon Web Services conversion compresses the session policy
+ *             document, session policy ARNs, and session tags into a packed binary format that has a
+ *             separate limit. The error message indicates by percentage how close the policies and
+ *             tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
+ *             the <i>IAM User Guide</i>.</p>
+ *          <p>You could receive this error even though you meet other defined session policy and
+ *             session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
+ *                 Guide</i>.</p>
  *
  * @throws {@link RegionDisabledException} (client fault)
  *  <p>STS is not activated in the requested region for the account that is being asked to
  *             generate credentials. The account administrator must use the IAM console to activate
- *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and
- *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                 Guide</i>.</p>
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM
+ *                 User Guide</i>.</p>
  *
  * @throws {@link STSServiceException}
  * <p>Base exception class for all service exceptions from STS service.</p>

clients/client-sts/src/commands/GetFederationTokenCommand.ts

@@ -182,9 +182,8 @@ export interface GetFederationTokenCommandOutput extends GetFederationTokenRespo
  * @throws {@link RegionDisabledException} (client fault)
  *  <p>STS is not activated in the requested region for the account that is being asked to
  *             generate credentials. The account administrator must use the IAM console to activate
- *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and
- *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                 Guide</i>.</p>
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM
+ *                 User Guide</i>.</p>
  *
  * @throws {@link STSServiceException}
  * <p>Base exception class for all service exceptions from STS service.</p>

clients/client-sts/src/commands/GetSessionTokenCommand.ts

@@ -121,9 +121,8 @@ export interface GetSessionTokenCommandOutput extends GetSessionTokenResponse, _
  * @throws {@link RegionDisabledException} (client fault)
  *  <p>STS is not activated in the requested region for the account that is being asked to
  *             generate credentials. The account administrator must use the IAM console to activate
- *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and
- *                 Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
- *                 Guide</i>.</p>
+ *             STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate">Activating and Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM
+ *                 User Guide</i>.</p>
  *
  * @throws {@link STSServiceException}
  * <p>Base exception class for all service exceptions from STS service.</p>