From e5b2240847fa9294071721c78df5b14c33a4a4f3 Mon Sep 17 00:00:00 2001 From: AWS SDK for Ruby Date: Fri, 25 Sep 2020 18:05:53 +0000 Subject: [PATCH] Updated service API models for release. --- CHANGELOG.md | 12 +++ aws-sdk-core/apis/batch/2016-08-10/api-2.json | 74 ++++++++++++++++- .../apis/batch/2016-08-10/docs-2.json | 82 ++++++++++++++++--- .../apis/config/2014-11-12/api-2.json | 18 ++-- .../apis/docdb/2014-10-31/docs-2.json | 2 +- aws-sdk-core/apis/ec2/2016-11-15/api-2.json | 32 ++++++++ aws-sdk-core/apis/ec2/2016-11-15/docs-2.json | 10 ++- .../apis/frauddetector/2019-11-15/api-2.json | 6 +- .../apis/frauddetector/2019-11-15/docs-2.json | 6 +- aws-sdk-core/apis/sts/2011-06-15/api-2.json | 9 +- aws-sdk-core/apis/sts/2011-06-15/docs-2.json | 4 +- aws-sdk-core/endpoints.json | 1 + 12 files changed, 213 insertions(+), 43 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 420ebf2fc99..2cd45aa86f5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,18 @@ Unreleased Changes ------------------ +* Feature - Aws::Batch - Updated the API, and documentation for AWS Batch. + +* Feature - Aws::ConfigService - Updated the API for AWS Config. + +* Feature - Aws::DocDB - Updated the documentation for Amazon DocumentDB with MongoDB compatibility. + +* Feature - Aws::EC2 - Updated the API, and documentation for Amazon Elastic Compute Cloud. + +* Feature - Aws::FraudDetector - Updated the API, and documentation for Amazon Fraud Detector. + +* Feature - Aws::STS - Updated the API, and documentation for AWS Security Token Service. + 2.11.593 (2020-09-24) ------------------ diff --git a/aws-sdk-core/apis/batch/2016-08-10/api-2.json b/aws-sdk-core/apis/batch/2016-08-10/api-2.json index f538e89dee0..85fcde8a77c 100644 --- a/aws-sdk-core/apis/batch/2016-08-10/api-2.json +++ b/aws-sdk-core/apis/batch/2016-08-10/api-2.json 
@@ -427,6 +427,7 @@
 "memory":{"shape":"Integer"},
 "command":{"shape":"StringList"},
 "jobRoleArn":{"shape":"String"},
+ "executionRoleArn":{"shape":"String"},
 "volumes":{"shape":"Volumes"},
 "environment":{"shape":"EnvironmentVariables"},
 "mountPoints":{"shape":"MountPoints"},
@@ -442,7 +443,9 @@
 "instanceType":{"shape":"String"},
 "networkInterfaces":{"shape":"NetworkInterfaceList"},
 "resourceRequirements":{"shape":"ResourceRequirements"},
- "linuxParameters":{"shape":"LinuxParameters"}
+ "linuxParameters":{"shape":"LinuxParameters"},
+ "logConfiguration":{"shape":"LogConfiguration"},
+ "secrets":{"shape":"SecretList"}
 }
 },
 "ContainerOverrides":{
@@ -464,6 +467,7 @@
 "memory":{"shape":"Integer"},
 "command":{"shape":"StringList"},
 "jobRoleArn":{"shape":"String"},
+ "executionRoleArn":{"shape":"String"},
 "volumes":{"shape":"Volumes"},
 "environment":{"shape":"EnvironmentVariables"},
 "mountPoints":{"shape":"MountPoints"},
@@ -473,7 +477,9 @@
 "user":{"shape":"String"},
 "instanceType":{"shape":"String"},
 "resourceRequirements":{"shape":"ResourceRequirements"},
- "linuxParameters":{"shape":"LinuxParameters"}
+ "linuxParameters":{"shape":"LinuxParameters"},
+ "logConfiguration":{"shape":"LogConfiguration"},
+ "secrets":{"shape":"SecretList"}
 }
 },
 "ContainerSummary":{
@@ -840,7 +846,12 @@
 "LinuxParameters":{
 "type":"structure",
 "members":{
- "devices":{"shape":"DevicesList"}
+ "devices":{"shape":"DevicesList"},
+ "initProcessEnabled":{"shape":"Boolean"},
+ "sharedMemorySize":{"shape":"Integer"},
+ "tmpfs":{"shape":"TmpfsList"},
+ "maxSwap":{"shape":"Integer"},
+ "swappiness":{"shape":"Integer"}
 }
 },
 "ListJobsRequest":{
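Review bot: The `logConfiguration` member added to the structure that ends just before `ContainerOverrides` (ContainerDetail, going by the `ContainerDetail$logConfiguration` entry this commit adds to docs-2.json) means describe-style output will presumably echo the log driver's `options` map back to callers. `options` is a plain string-to-string map, while `secretOptions` holds only `name`/`valueFrom` references, so a token or credential that a job definition places in `options` would be readable by anyone permitted to describe the job. The new `LogConfiguration$options` documentation does not mention this; I would add a sentence such as `Do not place credentials or tokens in options; reference them through secretOptions instead.` The enclosing structures begin outside these hunks.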
@@ -862,6 +873,32 @@
 "nextToken":{"shape":"String"}
 }
 },
+ "LogConfiguration":{
+ "type":"structure",
+ "required":["logDriver"],
+ "members":{
+ "logDriver":{"shape":"LogDriver"},
+ "options":{"shape":"LogConfigurationOptionsMap"},
+ "secretOptions":{"shape":"SecretList"}
+ }
+ },
+ "LogConfigurationOptionsMap":{
+ "type":"map",
+ "key":{"shape":"String"},
+ "value":{"shape":"String"}
+ },
+ "LogDriver":{
+ "type":"string",
+ "enum":[
+ "json-file",
+ "syslog",
+ "journald",
+ "gelf",
+ "fluentd",
+ "awslogs",
+ "splunk"
+ ]
+ },
 "Long":{"type":"long"},
 "MountPoint":{
 "type":"structure",
@@ -1005,6 +1042,21 @@
 "attempts":{"shape":"Integer"}
 }
 },
+ "Secret":{
+ "type":"structure",
+ "required":[
+ "name",
+ "valueFrom"
+ ],
+ "members":{
+ "name":{"shape":"String"},
+ "valueFrom":{"shape":"String"}
+ }
+ },
+ "SecretList":{
+ "type":"list",
+ "member":{"shape":"Secret"}
+ },
 "ServerException":{
 "type":"structure",
 "members":{
@@ -1071,6 +1123,22 @@
 "members":{
 }
 },
+ "Tmpfs":{
+ "type":"structure",
+ "required":[
+ "containerPath",
+ "size"
+ ],
+ "members":{
+ "containerPath":{"shape":"String"},
+ "size":{"shape":"Integer"},
+ "mountOptions":{"shape":"StringList"}
+ }
+ },
+ "TmpfsList":{
+ "type":"list",
+ "member":{"shape":"Tmpfs"}
+ },
 "Ulimit":{
 "type":"structure",
 "required":[
diff --git a/aws-sdk-core/apis/batch/2016-08-10/docs-2.json b/aws-sdk-core/apis/batch/2016-08-10/docs-2.json
index fd222714bba..d0684025f41 100644
--- a/aws-sdk-core/apis/batch/2016-08-10/docs-2.json
+++ b/aws-sdk-core/apis/batch/2016-08-10/docs-2.json
@@ -75,6 +75,7 @@
 "ContainerDetail$privileged": "
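Review bot: The `LogDriver` enum added in the `@@ -862,6 +873,32 @@` hunk lists seven values (`json-file`, `syslog`, `journald`, `gelf`, `fluentd`, `awslogs`, `splunk`), but the `LogConfiguration$logDriver` text added to docs-2.json in the same commit also names `logentries` as a supported driver. One of the two is wrong, and until they agree a caller following the documentation cannot tell whether that value will be accepted. If the enum is authoritative, the documentation sentence should read `The supported log drivers are awslogs, fluentd, gelf, json-file, journald, syslog, and splunk.`; if the documentation is right, the enum is missing `"logentries"`.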

When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user).

", "ContainerProperties$readonlyRootFilesystem": "

When this parameter is true, the container is given read-only access to its root file system. This parameter maps to ReadonlyRootfs in the Create a container section of the Docker Remote API and the --read-only option to docker run.

", "ContainerProperties$privileged": "

When this parameter is true, the container is given elevated privileges on the host container instance (similar to the root user). This parameter maps to Privileged in the Create a container section of the Docker Remote API and the --privileged option to docker run.

", + "LinuxParameters$initProcessEnabled": "

Run an init process inside the container that forwards signals and reaps processes. This parameter maps to the --init option to docker run. This parameter requires version 1.25 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log into your container instance and run the following command: sudo docker version | grep \"Server API version\"

", "MountPoint$readOnly": "

If this value is true, the container has read-only access to the volume; otherwise, the container can write to the volume. The default value is false.

", "NodeDetails$isMainNode": "

Specifies whether the current node is the main node for a multi-node parallel job.

", "NodePropertiesSummary$isMainNode": "

Specifies whether the current node is the main node for a multi-node parallel job.

" @@ -345,8 +346,8 @@ "ContainerDetail$exitCode": "

The exit code to return upon completion.

", "ContainerOverrides$vcpus": "

The number of vCPUs to reserve for the container. This value overrides the value set in the job definition.

", "ContainerOverrides$memory": "

The number of MiB of memory reserved for the job. This value overrides the value set in the job definition.

", - "ContainerProperties$vcpus": "

The number of vCPUs reserved for the container. This parameter maps to CpuShares in the Create a container section of the Docker Remote API and the --cpu-shares option to docker run. Each vCPU is equivalent to 1,024 CPU shares. You must specify at least one vCPU.

", - "ContainerProperties$memory": "

The hard limit (in MiB) of memory to present to the container. If your container attempts to exceed the memory specified here, the container is killed. This parameter maps to Memory in the Create a container section of the Docker Remote API and the --memory option to docker run. You must specify at least 4 MiB of memory for a job.

If you are trying to maximize your resource utilization by providing your jobs as much memory as possible for a particular instance type, see Memory Management in the AWS Batch User Guide.

", + "ContainerProperties$vcpus": "

The number of vCPUs reserved for the container. This parameter maps to CpuShares in the Create a container section of the Docker Remote API and the --cpu-shares option to docker run. Each vCPU is equivalent to 1,024 CPU shares. You must specify at least one vCPU. This is required but can be specified in several places for multi-node parallel (MNP) jobs; it must be specified for each node at least once.

", + "ContainerProperties$memory": "

The hard limit (in MiB) of memory to present to the container. If your container attempts to exceed the memory specified here, the container is killed. This parameter maps to Memory in the Create a container section of the Docker Remote API and the --memory option to docker run. You must specify at least 4 MiB of memory for a job. This is required but can be specified in several places for multi-node parallel (MNP) jobs; it must be specified for each node at least once.

If you are trying to maximize your resource utilization by providing your jobs as much memory as possible for a particular instance type, see Memory Management in the AWS Batch User Guide.

", "ContainerSummary$exitCode": "

The exit code to return upon completion.

", "CreateJobQueueRequest$priority": "

The priority of the job queue. Job queues with a higher priority (or a higher integer value for the priority parameter) are evaluated first when associated with the same compute environment. Priority is determined in descending order, for example, a job queue with a priority value of 10 is given scheduling preference over a job queue with a priority value of 1.

", "DescribeComputeEnvironmentsRequest$maxResults": "

The maximum number of cluster results returned by DescribeComputeEnvironments in paginated output. When this parameter is used, DescribeComputeEnvironments only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another DescribeComputeEnvironments request with the returned nextToken value. This value can be between 1 and 100. If this parameter is not used, then DescribeComputeEnvironments returns up to 100 results and a nextToken value if applicable.

", @@ -355,6 +356,9 @@ "JobDefinition$revision": "

The revision of the job definition.

", "JobQueueDetail$priority": "

The priority of the job queue.

", "JobTimeout$attemptDurationSeconds": "

The time duration in seconds (measured from the job attempt's startedAt timestamp) after which AWS Batch terminates your jobs if they have not finished.

", + "LinuxParameters$sharedMemorySize": "

The value for the size (in MiB) of the /dev/shm volume. This parameter maps to the --shm-size option to docker run.

", + "LinuxParameters$maxSwap": "

The total amount of swap memory (in MiB) a container can use. This parameter will be translated to the --memory-swap option to docker run where the value would be the sum of the container memory plus the maxSwap value.

If a maxSwap value of 0 is specified, the container will not use swap. Accepted values are 0 or any positive integer. If the maxSwap parameter is omitted, the container will use the swap configuration for the container instance it is running on. A maxSwap value must be set for the swappiness parameter to be used.

", + "LinuxParameters$swappiness": "

This allows you to tune a container's memory swappiness behavior. A swappiness value of 0 will cause swapping to not happen unless absolutely necessary. A swappiness value of 100 will cause pages to be swapped very aggressively. Accepted values are whole numbers between 0 and 100. If the swappiness parameter is not specified, a default value of 60 is used. If a value is not specified for maxSwap then this parameter is ignored. This parameter maps to the --memory-swappiness option to docker run.

", "ListJobsRequest$maxResults": "

The maximum number of results returned by ListJobs in paginated output. When this parameter is used, ListJobs only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another ListJobs request with the returned nextToken value. This value can be between 1 and 100. If this parameter is not used, then ListJobs returns up to 100 results and a nextToken value if applicable.

", "NodeDetails$nodeIndex": "

The node index for the node. Node index numbering begins at zero. This index is also available on the node with the AWS_BATCH_JOB_NODE_INDEX environment variable.

", "NodeOverrides$numNodes": "

The number of nodes to use with a multi-node parallel job. This value overrides the number of nodes that are specified in the job definition. To use this override:

", @@ -364,6 +368,7 @@ "NodePropertiesSummary$nodeIndex": "

The node index for the node. Node index numbering begins at zero. This index is also available on the node with the AWS_BATCH_JOB_NODE_INDEX environment variable.

", "RegisterJobDefinitionResponse$revision": "

The revision of the job definition.

", "RetryStrategy$attempts": "

The number of times to move a job to the RUNNABLE status. You may specify between 1 and 10 attempts. If the value of attempts is greater than one, the job is retried on failure the same number of attempts as the value.

", + "Tmpfs$size": "

The size (in MiB) of the tmpfs volume.

", "Ulimit$hardLimit": "

The hard limit for the ulimit type.

", "Ulimit$softLimit": "

The soft limit for the ulimit type.

", "UpdateJobQueueRequest$priority": "

The priority of the job queue. Job queues with a higher priority (or a higher integer value for the priority parameter) are evaluated first when associated with the same compute environment. Priority is determined in descending order, for example, a job queue with a priority value of 10 is given scheduling preference over a job queue with a priority value of 1.

" @@ -372,9 +377,9 @@ "JQState": { "base": null, "refs": { - "CreateJobQueueRequest$state": "

The state of the job queue. If the job queue state is ENABLED, it is able to accept jobs.

", - "JobQueueDetail$state": "

Describes the ability of the queue to accept new jobs.

", - "UpdateJobQueueRequest$state": "

Describes the queue's ability to accept new jobs.

" + "CreateJobQueueRequest$state": "

The state of the job queue. If the job queue state is ENABLED, it is able to accept jobs. If the job queue state is DISABLED, new jobs cannot be added to the queue, but jobs already in the queue can finish.

", + "JobQueueDetail$state": "

Describes the ability of the queue to accept new jobs. If the job queue state is ENABLED, it is able to accept jobs. If the job queue state is DISABLED, new jobs cannot be added to the queue, but jobs already in the queue can finish.

", + "UpdateJobQueueRequest$state": "

Describes the queue's ability to accept new jobs. If the job queue state is ENABLED, it is able to accept jobs. If the job queue state is DISABLED, new jobs cannot be added to the queue, but jobs already in the queue can finish.

" } }, "JQStatus": { @@ -496,14 +501,33 @@ "refs": { } }, + "LogConfiguration": { + "base": "

Log configuration options to send to a custom log driver for the container.

", + "refs": { + "ContainerDetail$logConfiguration": "

The log configuration specification for the container.

This parameter maps to LogConfig in the Create a container section of the Docker Remote API and the --log-driver option to docker run. By default, containers use the same logging driver that the Docker daemon uses. However the container may use a different logging driver than the Docker daemon by specifying a log driver with this parameter in the container definition. To use a different logging driver for a container, the log system must be configured properly on the container instance (or on a different log server for remote logging options). For more information on the options for different supported log drivers, see Configure logging drivers in the Docker documentation.

AWS Batch currently supports a subset of the logging drivers available to the Docker daemon (shown in the LogConfiguration data type). Additional log drivers may be available in future releases of the Amazon ECS container agent.

This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log into your container instance and run the following command: sudo docker version | grep \"Server API version\"

The Amazon ECS container agent running on a container instance must register the logging drivers available on that instance with the ECS_AVAILABLE_LOGGING_DRIVERS environment variable before containers placed on that instance can use these log configuration options. For more information, see Amazon ECS Container Agent Configuration in the Amazon Elastic Container Service Developer Guide.

", + "ContainerProperties$logConfiguration": "

The log configuration specification for the container.

This parameter maps to LogConfig in the Create a container section of the Docker Remote API and the --log-driver option to docker run. By default, containers use the same logging driver that the Docker daemon uses. However the container may use a different logging driver than the Docker daemon by specifying a log driver with this parameter in the container definition. To use a different logging driver for a container, the log system must be configured properly on the container instance (or on a different log server for remote logging options). For more information on the options for different supported log drivers, see Configure logging drivers in the Docker documentation.

AWS Batch currently supports a subset of the logging drivers available to the Docker daemon (shown in the LogConfiguration data type).

This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log into your container instance and run the following command: sudo docker version | grep \"Server API version\"

The Amazon ECS container agent running on a container instance must register the logging drivers available on that instance with the ECS_AVAILABLE_LOGGING_DRIVERS environment variable before containers placed on that instance can use these log configuration options. For more information, see Amazon ECS Container Agent Configuration in the Amazon Elastic Container Service Developer Guide.

" + } + }, + "LogConfigurationOptionsMap": { + "base": null, + "refs": { + "LogConfiguration$options": "

The configuration options to send to the log driver. This parameter requires version 1.19 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log into your container instance and run the following command: sudo docker version | grep \"Server API version\"

" + } + }, + "LogDriver": { + "base": null, + "refs": { + "LogConfiguration$logDriver": "

The log driver to use for the container. The valid values listed for this parameter are log drivers that the Amazon ECS container agent can communicate with by default.

The supported log drivers are awslogs, fluentd, gelf, json-file, journald, logentries, syslog, and splunk.

For more information about using the awslogs log driver, see Using the awslogs Log Driver in the Amazon Elastic Container Service Developer Guide.

If you have a custom driver that is not listed earlier that you would like to work with the Amazon ECS container agent, you can fork the Amazon ECS container agent project that is available on GitHub and customize it to work with that driver. We encourage you to submit pull requests for changes that you would like to have included. However, Amazon Web Services does not currently support running modified copies of this software.

This parameter requires version 1.18 of the Docker Remote API or greater on your container instance. To check the Docker Remote API version on your container instance, log into your container instance and run the following command: sudo docker version | grep \"Server API version\"

" + } + }, "Long": { "base": null, "refs": { - "AttemptDetail$startedAt": "

The Unix timestamp (in seconds and milliseconds) for when the attempt was started (when the attempt transitioned from the STARTING state to the RUNNING state).

", - "AttemptDetail$stoppedAt": "

The Unix timestamp (in seconds and milliseconds) for when the attempt was stopped (when the attempt transitioned from the RUNNING state to a terminal state, such as SUCCEEDED or FAILED).

", - "JobDetail$createdAt": "

The Unix timestamp (in seconds and milliseconds) for when the job was created. For non-array jobs and parent array jobs, this is when the job entered the SUBMITTED state (at the time SubmitJob was called). For array child jobs, this is when the child job was spawned by its parent and entered the PENDING state.

", - "JobDetail$startedAt": "

The Unix timestamp (in seconds and milliseconds) for when the job was started (when the job transitioned from the STARTING state to the RUNNING state).

", - "JobDetail$stoppedAt": "

The Unix timestamp (in seconds and milliseconds) for when the job was stopped (when the job transitioned from the RUNNING state to a terminal state, such as SUCCEEDED or FAILED).

", + "AttemptDetail$startedAt": "

The Unix timestamp (in milliseconds) for when the attempt was started (when the attempt transitioned from the STARTING state to the RUNNING state).

", + "AttemptDetail$stoppedAt": "

The Unix timestamp (in milliseconds) for when the attempt was stopped (when the attempt transitioned from the RUNNING state to a terminal state, such as SUCCEEDED or FAILED).

", + "JobDetail$createdAt": "

The Unix timestamp (in milliseconds) for when the job was created. For non-array jobs and parent array jobs, this is when the job entered the SUBMITTED state (at the time SubmitJob was called). For array child jobs, this is when the child job was spawned by its parent and entered the PENDING state.

", + "JobDetail$startedAt": "

The Unix timestamp (in milliseconds) for when the job was started (when the job transitioned from the STARTING state to the RUNNING state). This parameter is not provided for child jobs of array jobs or multi-node parallel jobs.

", + "JobDetail$stoppedAt": "

The Unix timestamp (in milliseconds) for when the job was stopped (when the job transitioned from the RUNNING state to a terminal state, such as SUCCEEDED or FAILED).

", "JobSummary$createdAt": "

The Unix timestamp for when the job was created. For non-array jobs and parent array jobs, this is when the job entered the SUBMITTED state (at the time SubmitJob was called). For array child jobs, this is when the child job was spawned by its parent and entered the PENDING state.

", "JobSummary$startedAt": "

The Unix timestamp for when the job was started (when the job transitioned from the STARTING state to the RUNNING state).

", "JobSummary$stoppedAt": "

The Unix timestamp for when the job was stopped (when the job transitioned from the RUNNING state to a terminal state, such as SUCCEEDED or FAILED).

" @@ -633,6 +657,20 @@ "SubmitJobRequest$retryStrategy": "

The retry strategy to use for failed jobs from this SubmitJob operation. When a retry strategy is specified here, it overrides the retry strategy defined in the job definition.

" } }, + "Secret": { + "base": "

An object representing the secret to expose to your container. Secrets can be exposed to a container in the following ways:

For more information, see Specifying Sensitive Data in the Amazon Elastic Container Service Developer Guide.

", + "refs": { + "SecretList$member": null + } + }, + "SecretList": { + "base": null, + "refs": { + "ContainerDetail$secrets": "

The secrets to pass to the container. For more information, see Specifying Sensitive Data in the Amazon Elastic Container Service Developer Guide.

", + "ContainerProperties$secrets": "

The secrets for the container. For more information, see Specifying Sensitive Data in the Amazon Elastic Container Service Developer Guide.

", + "LogConfiguration$secretOptions": "

The secrets to pass to the log configuration. For more information, see Specifying Sensitive Data in the Amazon Elastic Container Service Developer Guide.

" + } + }, "ServerException": { "base": "

These errors are usually caused by a server issue.

", "refs": { @@ -663,6 +701,7 @@ "ComputeResource$spotIamFleetRole": "

The Amazon Resource Name (ARN) of the Amazon EC2 Spot Fleet IAM role applied to a SPOT compute environment. This role is required if the allocation strategy set to BEST_FIT or if the allocation strategy is not specified. For more information, see Amazon EC2 Spot Fleet Role in the AWS Batch User Guide.

", "ContainerDetail$image": "

The image used to start the container.

", "ContainerDetail$jobRoleArn": "

The Amazon Resource Name (ARN) associated with the job upon execution.

", + "ContainerDetail$executionRoleArn": "

The Amazon Resource Name (ARN) of the execution role that AWS Batch can assume. For more information, see Amazon ECS task execution IAM role.

", "ContainerDetail$user": "

The user name to use inside the container.

", "ContainerDetail$reason": "

A short (255 max characters) human-readable string to provide additional details about a running or stopped container.

", "ContainerDetail$containerInstanceArn": "

The Amazon Resource Name (ARN) of the container instance on which the container is running.

", @@ -672,6 +711,7 @@ "ContainerOverrides$instanceType": "

The instance type to use for a multi-node parallel job. This parameter is not valid for single-node container jobs.

", "ContainerProperties$image": "

The image used to start a container. This string is passed directly to the Docker daemon. Images in the Docker Hub registry are available by default. Other repositories are specified with repository-url/image:tag . Up to 255 letters (uppercase and lowercase), numbers, hyphens, underscores, colons, periods, forward slashes, and number signs are allowed. This parameter maps to Image in the Create a container section of the Docker Remote API and the IMAGE parameter of docker run.

", "ContainerProperties$jobRoleArn": "

The Amazon Resource Name (ARN) of the IAM role that the container can assume for AWS permissions.

", + "ContainerProperties$executionRoleArn": "

The Amazon Resource Name (ARN) of the execution role that AWS Batch can assume. For more information, see Amazon ECS task execution IAM role.

", "ContainerProperties$user": "

The user name to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run.

", "ContainerProperties$instanceType": "

The instance type to use for a multi-node parallel job. Currently all node groups in a multi-node parallel job must use the same instance type. This parameter is not valid for single-node container jobs.

", "ContainerSummary$reason": "

A short (255 max characters) human-readable string to provide additional details about a running or stopped container.

", @@ -716,12 +756,14 @@ "KeyValuePair$value": "

The value of the key-value pair. For environment variables, this is the value of the environment variable.

", "LaunchTemplateSpecification$launchTemplateId": "

The ID of the launch template.

", "LaunchTemplateSpecification$launchTemplateName": "

The name of the launch template.

", - "LaunchTemplateSpecification$version": "

The version number of the launch template.

Default: The default version of the launch template.

", + "LaunchTemplateSpecification$version": "

The version number of the launch template, $Latest, or $Default.

If the value is $Latest, the latest version of the launch template is used. If the value is $Default, the default version of the launch template is used.

Default: $Default.

", "ListJobsRequest$jobQueue": "

The name or full Amazon Resource Name (ARN) of the job queue with which to list jobs.

", "ListJobsRequest$arrayJobId": "

The job ID for an array job. Specifying an array job ID with this parameter lists all child jobs from within the specified array.

", "ListJobsRequest$multiNodeJobId": "

The job ID for a multi-node parallel job. Specifying a multi-node parallel job ID with this parameter lists all nodes that are associated with the specified job.

", "ListJobsRequest$nextToken": "

The nextToken value returned from a previous paginated ListJobs request where maxResults was used and the results exceeded the value of that parameter. Pagination continues from the end of the previous results that returned the nextToken value. This value is null when there are no more results to return.

This token should be treated as an opaque identifier that is only used to retrieve the next items in a list and not for other programmatic purposes.

", "ListJobsResponse$nextToken": "

The nextToken value to include in a future ListJobs request. When the results of a ListJobs request exceed maxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.

", + "LogConfigurationOptionsMap$key": null, + "LogConfigurationOptionsMap$value": null, "MountPoint$containerPath": "

The path on the container at which to mount the host volume.

", "MountPoint$sourceVolume": "

The name of the volume to mount.

", "NetworkInterface$attachmentId": "

The attachment ID for the network interface.

", @@ -735,6 +777,8 @@ "RegisterJobDefinitionResponse$jobDefinitionName": "

The name of the job definition.

", "RegisterJobDefinitionResponse$jobDefinitionArn": "

The Amazon Resource Name (ARN) of the job definition.

", "ResourceRequirement$value": "

The number of physical GPUs to reserve for the container. The number of GPUs reserved for all containers in a job should not exceed the number of available GPUs on the compute resource that the job is launched on.

", + "Secret$name": "

The name of the secret.

", + "Secret$valueFrom": "

The secret to expose to the container. The supported values are either the full ARN of the AWS Secrets Manager secret or the full ARN of the parameter in the AWS Systems Manager Parameter Store.

If the AWS Systems Manager Parameter Store parameter exists in the same Region as the task you are launching, then you can use either the full ARN or name of the parameter. If the parameter exists in a different Region, then the full ARN must be specified.

", "ServerException$message": null, "StringList$member": null, "SubmitJobRequest$jobName": "

The name of the job. The first character must be alphanumeric, and up to 128 letters (uppercase and lowercase), numbers, hyphens, and underscores are allowed.

", @@ -746,6 +790,7 @@ "TagsMap$value": null, "TerminateJobRequest$jobId": "

The AWS Batch job ID of the job to terminate.

", "TerminateJobRequest$reason": "

A message to attach to the job that explains the reason for canceling it. This message is returned by future DescribeJobs operations on the job. This message is also recorded in the AWS Batch activity logs.

", + "Tmpfs$containerPath": "

The absolute file path where the tmpfs volume is to be mounted.

", "Ulimit$name": "

The type of the ulimit.

", "UpdateComputeEnvironmentRequest$computeEnvironment": "

The name or full Amazon Resource Name (ARN) of the compute environment to update.

", "UpdateComputeEnvironmentRequest$serviceRole": "

The full Amazon Resource Name (ARN) of the IAM role that allows AWS Batch to make calls to other AWS services on your behalf.

If your specified role has a path other than /, then you must either specify the full role ARN (this is recommended) or prefix the role name with the path.

Depending on how you created your AWS Batch service role, its ARN may contain the service-role path prefix. When you only specify the name of the service role, AWS Batch assumes that your ARN does not use the service-role path prefix. Because of this, we recommend that you specify the full ARN of your service role when you create compute environments.

", @@ -769,7 +814,8 @@ "DescribeComputeEnvironmentsRequest$computeEnvironments": "

A list of up to 100 compute environment names or full Amazon Resource Name (ARN) entries.

", "DescribeJobDefinitionsRequest$jobDefinitions": "

A list of up to 100 job definition names or full Amazon Resource Name (ARN) entries.

", "DescribeJobQueuesRequest$jobQueues": "

A list of up to 100 queue names or full queue Amazon Resource Name (ARN) entries.

", - "DescribeJobsRequest$jobs": "

A list of up to 100 job IDs.

" + "DescribeJobsRequest$jobs": "

A list of up to 100 job IDs.

", + "Tmpfs$mountOptions": "

The list of tmpfs volume mount options.

Valid values: \"defaults\" | \"ro\" | \"rw\" | \"suid\" | \"nosuid\" | \"dev\" | \"nodev\" | \"exec\" | \"noexec\" | \"sync\" | \"async\" | \"dirsync\" | \"remount\" | \"mand\" | \"nomand\" | \"atime\" | \"noatime\" | \"diratime\" | \"nodiratime\" | \"bind\" | \"rbind\" | \"unbindable\" | \"runbindable\" | \"private\" | \"rprivate\" | \"shared\" | \"rshared\" | \"slave\" | \"rslave\" | \"relatime\" | \"norelatime\" | \"strictatime\" | \"nostrictatime\" | \"mode\" | \"uid\" | \"gid\" | \"nr_inodes\" | \"nr_blocks\" | \"mpol\"

" } }, "SubmitJobRequest": { @@ -798,6 +844,18 @@ "refs": { } }, + "Tmpfs": { + "base": "

The container path, mount options, and size of the tmpfs mount.

", + "refs": { + "TmpfsList$member": null + } + }, + "TmpfsList": { + "base": null, + "refs": { + "LinuxParameters$tmpfs": "

The container path, mount options, and size (in MiB) of the tmpfs mount. This parameter maps to the --tmpfs option to docker run.

" + } + }, "Ulimit": { "base": "

The ulimit settings to pass to the container.

", "refs": { diff --git a/aws-sdk-core/apis/config/2014-11-12/api-2.json b/aws-sdk-core/apis/config/2014-11-12/api-2.json index 5d1a351ecd2..bba70eda71e 100644 --- a/aws-sdk-core/apis/config/2014-11-12/api-2.json +++ b/aws-sdk-core/apis/config/2014-11-12/api-2.json @@ -1681,8 +1681,7 @@ "required":[ "ConformancePackName", "ConformancePackArn", - "ConformancePackId", - "DeliveryS3Bucket" + "ConformancePackId" ], "members":{ "ConformancePackName":{"shape":"ConformancePackName"}, @@ -2017,12 +2016,12 @@ "DeliveryS3Bucket":{ "type":"string", "max":63, - "min":3 + "min":0 }, "DeliveryS3KeyPrefix":{ "type":"string", "max":1024, - "min":1 + "min":0 }, "DeliveryStatus":{ "type":"string", @@ -3246,7 +3245,6 @@ "required":[ "OrganizationConformancePackName", "OrganizationConformancePackArn", - "DeliveryS3Bucket", "LastUpdateTime" ], "members":{ @@ -3496,10 +3494,7 @@ }, "PutConformancePackRequest":{ "type":"structure", - "required":[ - "ConformancePackName", - "DeliveryS3Bucket" - ], + "required":["ConformancePackName"], "members":{ "ConformancePackName":{"shape":"ConformancePackName"}, "TemplateS3Uri":{"shape":"TemplateS3Uri"}, @@ -3555,10 +3550,7 @@ }, "PutOrganizationConformancePackRequest":{ "type":"structure", - "required":[ - "OrganizationConformancePackName", - "DeliveryS3Bucket" - ], + "required":["OrganizationConformancePackName"], "members":{ "OrganizationConformancePackName":{"shape":"OrganizationConformancePackName"}, "TemplateS3Uri":{"shape":"TemplateS3Uri"}, diff --git a/aws-sdk-core/apis/docdb/2014-10-31/docs-2.json b/aws-sdk-core/apis/docdb/2014-10-31/docs-2.json index 1443a7691b6..1d775943b24 100644 --- a/aws-sdk-core/apis/docdb/2014-10-31/docs-2.json +++ b/aws-sdk-core/apis/docdb/2014-10-31/docs-2.json @@ -1133,7 +1133,7 @@ "CreateDBClusterMessage$DBClusterParameterGroupName": "

The name of the cluster parameter group to associate with this cluster.

", "CreateDBClusterMessage$DBSubnetGroupName": "

A subnet group to associate with this cluster.

Constraints: Must match the name of an existing DBSubnetGroup. Must not be default.

Example: mySubnetgroup

", "CreateDBClusterMessage$Engine": "

The name of the database engine to be used for this cluster.

Valid values: docdb

", - "CreateDBClusterMessage$EngineVersion": "

The version number of the database engine to use.

", + "CreateDBClusterMessage$EngineVersion": "

The version number of the database engine to use. The --engine-version will default to the latest major engine version. For production workloads, we recommend explicitly declaring this parameter with the intended major engine version.

", "CreateDBClusterMessage$MasterUsername": "

The name of the master user for the cluster.

Constraints:

", "CreateDBClusterMessage$MasterUserPassword": "

The password for the master database user. This password can contain any printable ASCII character except forward slash (/), double quote (\"), or the \"at\" symbol (@).

Constraints: Must contain from 8 to 100 characters.

", "CreateDBClusterMessage$PreferredBackupWindow": "

The daily time range during which automated backups are created if automated backups are enabled using the BackupRetentionPeriod parameter.

The default is a 30-minute window selected at random from an 8-hour block of time for each AWS Region.

Constraints:

", diff --git a/aws-sdk-core/apis/ec2/2016-11-15/api-2.json b/aws-sdk-core/apis/ec2/2016-11-15/api-2.json index f48c17fa4c0..1adb5da0d63 100644 --- a/aws-sdk-core/apis/ec2/2016-11-15/api-2.json +++ b/aws-sdk-core/apis/ec2/2016-11-15/api-2.json @@ -20349,6 +20349,14 @@ "LocalGatewayRouteTableId":{ "shape":"LocalGatewayRoutetableId", "locationName":"localGatewayRouteTableId" + }, + "LocalGatewayRouteTableArn":{ + "shape":"ResourceArn", + "locationName":"localGatewayRouteTableArn" + }, + "OwnerId":{ + "shape":"String", + "locationName":"ownerId" } } }, @@ -20376,6 +20384,10 @@ "shape":"String", "locationName":"localGatewayRouteTableId" }, + "LocalGatewayRouteTableArn":{ + "shape":"ResourceArn", + "locationName":"localGatewayRouteTableArn" + }, "LocalGatewayId":{ "shape":"LocalGatewayId", "locationName":"localGatewayId" @@ -20384,6 +20396,10 @@ "shape":"String", "locationName":"outpostArn" }, + "OwnerId":{ + "shape":"String", + "locationName":"ownerId" + }, "State":{ "shape":"String", "locationName":"state" @@ -20427,6 +20443,14 @@ "shape":"LocalGatewayId", "locationName":"localGatewayRouteTableId" }, + "LocalGatewayRouteTableArn":{ + "shape":"ResourceArn", + "locationName":"localGatewayRouteTableArn" + }, + "OwnerId":{ + "shape":"String", + "locationName":"ownerId" + }, "State":{ "shape":"String", "locationName":"state" @@ -20463,6 +20487,10 @@ "shape":"String", "locationName":"localGatewayRouteTableId" }, + "LocalGatewayRouteTableArn":{ + "shape":"ResourceArn", + "locationName":"localGatewayRouteTableArn" + }, "LocalGatewayId":{ "shape":"String", "locationName":"localGatewayId" @@ -20471,6 +20499,10 @@ "shape":"String", "locationName":"vpcId" }, + "OwnerId":{ + "shape":"String", + "locationName":"ownerId" + }, "State":{ "shape":"String", "locationName":"state" diff --git a/aws-sdk-core/apis/ec2/2016-11-15/docs-2.json b/aws-sdk-core/apis/ec2/2016-11-15/docs-2.json index 3b08de13c93..c2ff8c22a33 100644 --- a/aws-sdk-core/apis/ec2/2016-11-15/docs-2.json 
+++ b/aws-sdk-core/apis/ec2/2016-11-15/docs-2.json @@ -11443,6 +11443,10 @@ "base": null, "refs": { "CoipPool$PoolArn": "

The ARN of the address pool.

", + "LocalGatewayRoute$LocalGatewayRouteTableArn": "

The Amazon Resource Name (ARN) of the local gateway route table.

", + "LocalGatewayRouteTable$LocalGatewayRouteTableArn": "

The Amazon Resource Name (ARN) of the local gateway route table.

", + "LocalGatewayRouteTableVirtualInterfaceGroupAssociation$LocalGatewayRouteTableArn": "

The Amazon Resource Name (ARN) of the local gateway route table for the virtual interface group.

", + "LocalGatewayRouteTableVpcAssociation$LocalGatewayRouteTableArn": "

The Amazon Resource Name (ARN) of the local gateway route table for the association.

", "ManagedPrefixList$PrefixListArn": "

The Amazon Resource Name (ARN) for the prefix list.

" } }, @@ -13263,17 +13267,21 @@ "LoadPermission$UserId": "

The AWS account ID.

", "LoadPermissionRequest$UserId": "

The AWS account ID.

", "LocalGateway$OutpostArn": "

The Amazon Resource Name (ARN) of the Outpost.

", - "LocalGateway$OwnerId": "

The ID of the AWS account ID that owns the local gateway.

", + "LocalGateway$OwnerId": "

The AWS account ID that owns the local gateway.

", "LocalGateway$State": "

The state of the local gateway.

", "LocalGatewayRoute$DestinationCidrBlock": "

The CIDR block used for destination matches.

", + "LocalGatewayRoute$OwnerId": "

The AWS account ID that owns the local gateway route.

", "LocalGatewayRouteTable$LocalGatewayRouteTableId": "

The ID of the local gateway route table.

", "LocalGatewayRouteTable$OutpostArn": "

The Amazon Resource Name (ARN) of the Outpost.

", + "LocalGatewayRouteTable$OwnerId": "

The AWS account ID that owns the local gateway route table.

", "LocalGatewayRouteTable$State": "

The state of the local gateway route table.

", "LocalGatewayRouteTableVirtualInterfaceGroupAssociation$LocalGatewayId": "

The ID of the local gateway.

", + "LocalGatewayRouteTableVirtualInterfaceGroupAssociation$OwnerId": "

The AWS account ID that owns the local gateway virtual interface group association.

", "LocalGatewayRouteTableVirtualInterfaceGroupAssociation$State": "

The state of the association.

", "LocalGatewayRouteTableVpcAssociation$LocalGatewayRouteTableId": "

The ID of the local gateway route table.

", "LocalGatewayRouteTableVpcAssociation$LocalGatewayId": "

The ID of the local gateway.

", "LocalGatewayRouteTableVpcAssociation$VpcId": "

The ID of the VPC.

", + "LocalGatewayRouteTableVpcAssociation$OwnerId": "

The AWS account ID that owns the local gateway route table for the association.

", "LocalGatewayRouteTableVpcAssociation$State": "

The state of the association.

", "LocalGatewayVirtualInterface$LocalGatewayId": "

The ID of the local gateway.

", "LocalGatewayVirtualInterface$LocalAddress": "

The local address.

", diff --git a/aws-sdk-core/apis/frauddetector/2019-11-15/api-2.json b/aws-sdk-core/apis/frauddetector/2019-11-15/api-2.json index 4395b450dae..ebb1ad36a51 100644 --- a/aws-sdk-core/apis/frauddetector/2019-11-15/api-2.json +++ b/aws-sdk-core/apis/frauddetector/2019-11-15/api-2.json @@ -1398,9 +1398,9 @@ }, "KmsEncryptionKeyArn":{ "type":"string", - "max":80, + "max":90, "min":7, - "pattern":"^\\w{8}-\\w{4}-\\w{4}-\\w{4}-\\w{12}$|DEFAULT|arn:[a-zA-Z0-9-]+:kms:[a-zA-Z0-9-]+:\\d{12}:key:[a-zA-Z0-9-_]+|[a-zA-Z0-9-_]\\S+" + "pattern":"^\\w{8}-\\w{4}-\\w{4}-\\w{4}-\\w{12}|DEFAULT|arn:[a-zA-Z0-9-]+:kms:[a-zA-Z0-9-]+:\\d{12}:key\\/\\w{8}-\\w{4}-\\w{4}-\\w{4}-\\w{12}$" }, "Label":{ "type":"structure", @@ -2266,7 +2266,7 @@ }, "variableValue":{ "type":"string", - "max":256, + "max":1024, "min":1, "sensitive":true }, diff --git a/aws-sdk-core/apis/frauddetector/2019-11-15/docs-2.json b/aws-sdk-core/apis/frauddetector/2019-11-15/docs-2.json index 024e7aab226..cf4d0bff846 100644 --- a/aws-sdk-core/apis/frauddetector/2019-11-15/docs-2.json +++ b/aws-sdk-core/apis/frauddetector/2019-11-15/docs-2.json @@ -1315,7 +1315,7 @@ "CreateVariableRequest$name": "
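Review bot: In the new `KmsEncryptionKeyArn` pattern (`@@ -1398,9 +1398,9 @@`) the `^` binds only to the bare key-ID alternative and the `$` only to the ARN alternative. As a result `DEFAULT` matches anywhere in the string, and a value that merely starts with a key ID or ends with a key ARN is accepted. Grouping the alternatives anchors all three: `"pattern":"^(?:\\w{8}-\\w{4}-\\w{4}-\\w{4}-\\w{12}|DEFAULT|arn:[a-zA-Z0-9-]+:kms:[a-zA-Z0-9-]+:\\d{12}:key\\/\\w{8}-\\w{4}-\\w{4}-\\w{4}-\\w{12})$"`. Whether this pattern is enforced client-side is not visible in this diff, so callers should not treat it as the only check on a key identifier.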

The name of the variable.

", "CreateVariableRequest$defaultValue": "

The default value for the variable when no value is received.

", "CreateVariableRequest$description": "

The description.

", - "CreateVariableRequest$variableType": "

The variable type. For more information see Variable types.

Valid Values: AUTH_CODE | AVS | BILLING_ADDRESS_L1 | BILLING_ADDRESS_L2 | BILLING_CITY | BILLING_COUNTRY | BILLING_NAME | BILLING_PHONE | BILLING_STATE | BILLING_ZIP | CARD_BIN | CATEGORICAL | CURRENCY_CODE | EMAIL_ADDRESS | FINGERPRINT | FRAUD_LABEL | FREE_FORM_TEXT | IP_ADDRESS | NUMERIC | ORDER_ID | PAYMENT_TYPE | PHONE_NUMBER | PRICE | PRODUCT_CATEGORY | SHIPPING_ADDRESS_L1 | SHIPPING_ADDRESS_L2 | SHIPPING_CITY | SHIPPING_COUNTRY | SHIPPING_NAME | SHIPPING_PHONE | SHIPPING_STATE | SHIPPING_ZIP | USERAGENT | SHIPPING_ZIP | USERAGENT

", + "CreateVariableRequest$variableType": "

The variable type. For more information see Variable types.

Valid Values: AUTH_CODE | AVS | BILLING_ADDRESS_L1 | BILLING_ADDRESS_L2 | BILLING_CITY | BILLING_COUNTRY | BILLING_NAME | BILLING_PHONE | BILLING_STATE | BILLING_ZIP | CARD_BIN | CATEGORICAL | CURRENCY_CODE | EMAIL_ADDRESS | FINGERPRINT | FRAUD_LABEL | FREE_FORM_TEXT | IP_ADDRESS | NUMERIC | ORDER_ID | PAYMENT_TYPE | PHONE_NUMBER | PRICE | PRODUCT_CATEGORY | SHIPPING_ADDRESS_L1 | SHIPPING_ADDRESS_L2 | SHIPPING_CITY | SHIPPING_COUNTRY | SHIPPING_NAME | SHIPPING_PHONE | SHIPPING_STATE | SHIPPING_ZIP | USERAGENT

", "CsvIndexToVariableMap$key": null, "CsvIndexToVariableMap$value": null, "DeleteEventRequest$eventId": "

The ID of the event to delete.

", @@ -1390,13 +1390,13 @@ "Variable$name": "

The name of the variable.

", "Variable$defaultValue": "

The default value of the variable.

", "Variable$description": "

The description of the variable.

", - "Variable$variableType": "

The variable type of the variable.

Valid Values: AUTH_CODE | AVS | BILLING_ADDRESS_L1 | BILLING_ADDRESS_L2 | BILLING_CITY | BILLING_COUNTRY | BILLING_NAME | BILLING_PHONE | BILLING_STATE | BILLING_ZIP | CARD_BIN | CATEGORICAL | CURRENCY_CODE | EMAIL_ADDRESS | FINGERPRINT | FRAUD_LABEL | FREE_FORM_TEXT | IP_ADDRESS | NUMERIC | ORDER_ID | PAYMENT_TYPE | PHONE_NUMBER | PRICE | PRODUCT_CATEGORY | SHIPPING_ADDRESS_L1 | SHIPPING_ADDRESS_L2 | SHIPPING_CITY | SHIPPING_COUNTRY | SHIPPING_NAME | SHIPPING_PHONE | SHIPPING_STATE | SHIPPING_ZIP | USERAGENT | SHIPPING_ZIP | USERAGENT

", + "Variable$variableType": "

The variable type of the variable.

Valid Values: AUTH_CODE | AVS | BILLING_ADDRESS_L1 | BILLING_ADDRESS_L2 | BILLING_CITY | BILLING_COUNTRY | BILLING_NAME | BILLING_PHONE | BILLING_STATE | BILLING_ZIP | CARD_BIN | CATEGORICAL | CURRENCY_CODE | EMAIL_ADDRESS | FINGERPRINT | FRAUD_LABEL | FREE_FORM_TEXT | IP_ADDRESS | NUMERIC | ORDER_ID | PAYMENT_TYPE | PHONE_NUMBER | PRICE | PRODUCT_CATEGORY | SHIPPING_ADDRESS_L1 | SHIPPING_ADDRESS_L2 | SHIPPING_CITY | SHIPPING_COUNTRY | SHIPPING_NAME | SHIPPING_PHONE | SHIPPING_STATE | SHIPPING_ZIP | USERAGENT

", "VariableEntry$name": "

The name of the variable.

", "VariableEntry$dataType": "

The data type of the variable.

", "VariableEntry$dataSource": "

The data source of the variable.

", "VariableEntry$defaultValue": "

The default value of the variable.

", "VariableEntry$description": "

The description of the variable.

", - "VariableEntry$variableType": "

The type of the variable. For more information see Variable types.

Valid Values: AUTH_CODE | AVS | BILLING_ADDRESS_L1 | BILLING_ADDRESS_L2 | BILLING_CITY | BILLING_COUNTRY | BILLING_NAME | BILLING_PHONE | BILLING_STATE | BILLING_ZIP | CARD_BIN | CATEGORICAL | CURRENCY_CODE | EMAIL_ADDRESS | FINGERPRINT | FRAUD_LABEL | FREE_FORM_TEXT | IP_ADDRESS | NUMERIC | ORDER_ID | PAYMENT_TYPE | PHONE_NUMBER | PRICE | PRODUCT_CATEGORY | SHIPPING_ADDRESS_L1 | SHIPPING_ADDRESS_L2 | SHIPPING_CITY | SHIPPING_COUNTRY | SHIPPING_NAME | SHIPPING_PHONE | SHIPPING_STATE | SHIPPING_ZIP | USERAGENT | SHIPPING_ZIP | USERAGENT

", + "VariableEntry$variableType": "

The type of the variable. For more information see Variable types.

Valid Values: AUTH_CODE | AVS | BILLING_ADDRESS_L1 | BILLING_ADDRESS_L2 | BILLING_CITY | BILLING_COUNTRY | BILLING_NAME | BILLING_PHONE | BILLING_STATE | BILLING_ZIP | CARD_BIN | CATEGORICAL | CURRENCY_CODE | EMAIL_ADDRESS | FINGERPRINT | FRAUD_LABEL | FREE_FORM_TEXT | IP_ADDRESS | NUMERIC | ORDER_ID | PAYMENT_TYPE | PHONE_NUMBER | PRICE | PRODUCT_CATEGORY | SHIPPING_ADDRESS_L1 | SHIPPING_ADDRESS_L2 | SHIPPING_CITY | SHIPPING_COUNTRY | SHIPPING_NAME | SHIPPING_PHONE | SHIPPING_STATE | SHIPPING_ZIP | USERAGENT

", "labelMapper$key": null } }, diff --git a/aws-sdk-core/apis/sts/2011-06-15/api-2.json b/aws-sdk-core/apis/sts/2011-06-15/api-2.json index 33182e507db..a9e29231ebf 100644 --- a/aws-sdk-core/apis/sts/2011-06-15/api-2.json +++ b/aws-sdk-core/apis/sts/2011-06-15/api-2.json @@ -27,7 +27,8 @@ "errors":[ {"shape":"MalformedPolicyDocumentException"}, {"shape":"PackedPolicyTooLargeException"}, - {"shape":"RegionDisabledException"} + {"shape":"RegionDisabledException"}, + {"shape":"ExpiredTokenException"} ] }, "AssumeRoleWithSAML":{ @@ -445,8 +446,7 @@ "SAMLAssertionType":{ "type":"string", "max":100000, - "min":4, - "sensitive":true + "min":4 }, "Subject":{"type":"string"}, "SubjectType":{"type":"string"}, @@ -484,8 +484,7 @@ "clientTokenType":{ "type":"string", "max":2048, - "min":4, - "sensitive":true + "min":4 }, "dateType":{"type":"timestamp"}, "decodedMessageType":{"type":"string"}, diff --git a/aws-sdk-core/apis/sts/2011-06-15/docs-2.json b/aws-sdk-core/apis/sts/2011-06-15/docs-2.json index b0756ef8e94..155d03bb161 100644 --- a/aws-sdk-core/apis/sts/2011-06-15/docs-2.json +++ b/aws-sdk-core/apis/sts/2011-06-15/docs-2.json @@ -1,10 +1,10 @@ { "version": "2.0", - "service": "AWS Security Token Service
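Review bot: The `@@ -445,8 +446,7 @@` hunk drops `"sensitive":true` from `SAMLAssertionType`, and `@@ -484,8 +484,7 @@` does the same for `clientTokenType`. Both shapes carry bearer material (a SAML assertion, a web identity token) that can be exchanged for temporary credentials. If parameter redaction in request logging or object inspection is driven by this trait (that code is not part of this diff), these values would begin to appear in clear text in logs. I would keep the trait on both shapes, i.e. `"min":4, "sensitive":true`, or confirm before release that the log filter still covers `SAMLAssertion` and `WebIdentityToken` by another route.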

The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more detailed information about using this service, go to Temporary Security Credentials.

For information about setting up signatures and authorization through the API, go to Signing AWS API Requests in the AWS General Reference. For general information about the Query API, go to Making Query Requests in Using IAM. For information about using security tokens with other AWS products, go to AWS Services That Work with IAM in the IAM User Guide.

If you're new to AWS and need additional technical information about a specific AWS product, you can find the product's technical documentation at http://aws.amazon.com/documentation/.

Endpoints

By default, AWS Security Token Service (STS) is available as a global service, and all AWS STS requests go to a single endpoint at https://sts.amazonaws.com. Global requests map to the US East (N. Virginia) region. AWS recommends using Regional AWS STS endpoints instead of the global endpoint to reduce latency, build in redundancy, and increase session token validity. For more information, see Managing AWS STS in an AWS Region in the IAM User Guide.

Most AWS Regions are enabled for operations in all AWS services by default. Those Regions are automatically activated for use with AWS STS. Some Regions, such as Asia Pacific (Hong Kong), must be manually enabled. To learn more about enabling and disabling AWS Regions, see Managing AWS Regions in the AWS General Reference. When you enable these AWS Regions, they are automatically activated for use with AWS STS. You cannot activate the STS endpoint for a Region that is disabled. Tokens that are valid in all AWS Regions are longer than tokens that are valid in Regions that are enabled by default. Changing this setting might affect existing systems where you temporarily store tokens. For more information, see Managing Global Endpoint Session Tokens in the IAM User Guide.

After you activate a Region for use with AWS STS, you can direct AWS STS API calls to that Region. AWS STS recommends that you provide both the Region and endpoint when you make calls to a Regional endpoint. You can provide the Region alone for manually enabled Regions, such as Asia Pacific (Hong Kong). In this case, the calls are directed to the STS Regional endpoint. However, if you provide the Region alone for Regions enabled by default, the calls are directed to the global endpoint of https://sts.amazonaws.com.

To view the list of AWS STS endpoints and whether they are active by default, see Writing Code to Use AWS STS Regions in the IAM User Guide.

Recording API requests

STS supports AWS CloudTrail, which is a service that records AWS calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine what requests were successfully made to STS, who made the request, when it was made, and so on.

If you activate AWS STS endpoints in Regions other than the default global endpoint, then you must also turn on CloudTrail logging in those Regions. This is necessary to record any AWS STS API calls that are made in those Regions. For more information, see Turning On CloudTrail in Additional Regions in the AWS CloudTrail User Guide.

AWS Security Token Service (STS) is a global service with a single endpoint at https://sts.amazonaws.com. Calls to this endpoint are logged as calls to a global service. However, because this endpoint is physically located in the US East (N. Virginia) Region, your logs list us-east-1 as the event Region. CloudTrail does not write these logs to the US East (Ohio) Region unless you choose to include global service logs in that Region. CloudTrail writes calls to all Regional endpoints to their respective Regions. For example, calls to sts.us-east-2.amazonaws.com are published to the US East (Ohio) Region and calls to sts.eu-central-1.amazonaws.com are published to the EU (Frankfurt) Region.

To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.

", + "service": "AWS Security Token Service

AWS Security Token Service (STS) enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more information about using this service, see Temporary Security Credentials.

", "operations": { "AssumeRole": "

Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

You cannot use AWS account root user credentials to call AssumeRole. You must use credentials for an IAM user or an IAM role to call AssumeRole.

For cross-account access, imagine that you own multiple accounts and need to access resources in each account. You could create long-term credentials in each account to access those resources. However, managing all those credentials and remembering which one can access which account can be time consuming. Instead, you can create one set of long-term credentials in one account. Then use temporary security credentials to access all the other accounts by assuming roles in those accounts. For more information about roles, see IAM Roles in the IAM User Guide.

Session Duration

By default, the temporary security credentials created by AssumeRole last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.

Permissions

The temporary security credentials created by AssumeRole can be used to make API calls to any AWS service with the following exception: You cannot call the AWS STS GetFederationToken or GetSessionToken API operations.

(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

To assume a role from a different account, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account.

A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account. If the user is in the same account as the role, then you can do either of the following:

In this case, the trust policy acts as an IAM resource-based policy. Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.

Tags

(Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.

An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.

You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.

Using MFA with AssumeRole

(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an AWS MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.

\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}

For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.

To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.

", "AssumeRoleWithSAML": "

Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services.

Session Duration

By default, the temporary security credentials created by AssumeRoleWithSAML last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.

Permissions

The temporary security credentials created by AssumeRoleWithSAML can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.

(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

Calling AssumeRoleWithSAML does not require the use of AWS security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.

Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail logs. The entry includes the value in the NameID element of the SAML assertion. We recommend that you use a NameIDType that is not associated with any personally identifiable information (PII). For example, you could instead use the persistent identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).

Tags

(Optional) You can configure your IdP to pass attributes into your SAML assertion as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.

You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.

An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.

You can pass a session tag with the same key as a tag that is attached to the role. When you do, session tags override the role's tags with the same key.

An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.

You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.

SAML Configuration

Before your application can call AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to issue the claims required by AWS. Additionally, you must use AWS Identity and Access Management (IAM) to create a SAML provider entity in your AWS account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.

For more information, see the following resources:

", - "AssumeRoleWithWebIdentity": "

Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.

For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the AWS SDK for iOS Developer Guide and the AWS SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.

To learn more about Amazon Cognito, see Amazon Cognito Overview in AWS SDK for Android Developer Guide and Amazon Cognito Overview in the AWS SDK for iOS Developer Guide.

Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application. You also don't need to deploy server-based proxy services that use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS service API operations.

Session Duration

By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.

Permissions

The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.

(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

Tags

(Optional) You can configure your IdP to pass attributes into your web identity token as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.

You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.

An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.

You can pass a session tag with the same key as a tag that is attached to the role. When you do, the session tag overrides the role tag with the same key.

An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.

You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.

Identities

Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.

Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail logs. The entry includes the Subject of the provided Web Identity Token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.

For more information about how to use web identity federation and the AssumeRoleWithWebIdentity API, see the following resources:

", + "AssumeRoleWithWebIdentity": "

Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.

For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the AWS SDK for iOS Developer Guide and the AWS SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.

To learn more about Amazon Cognito, see Amazon Cognito Overview in AWS SDK for Android Developer Guide and Amazon Cognito Overview in the AWS SDK for iOS Developer Guide.

Calling AssumeRoleWithWebIdentity does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application. You also don't need to deploy server-based proxy services that use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS service API operations.

Session Duration

By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.

Permissions

The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any AWS service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.

(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.

Tags

(Optional) You can configure your IdP to pass attributes into your web identity token as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.

You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.

An AWS conversion compresses the passed session policies and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plain text meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.

You can pass a session tag with the same key as a tag that is attached to the role. When you do, the session tag overrides the role tag with the same key.

An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.

You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.

Identities

Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.

Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail logs. The entry includes the Subject of the provided Web Identity Token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.

For more information about how to use web identity federation and the AssumeRoleWithWebIdentity API, see the following resources:

", "DecodeAuthorizationMessage": "

Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.

For example, if a user is not authorized to perform an operation that he or she has requested, the request returns a Client.UnauthorizedOperation response (an HTTP 403 response). Some AWS operations additionally return an encoded message that can provide details about this authorization failure.

Only certain AWS operations return an encoded authorization message. The documentation for an individual operation indicates whether that operation returns an encoded message in addition to returning an HTTP code.

The message is encoded because the details of the authorization status can constitute privileged information that the user who requested the operation should not see. To decode an authorization status message, a user must be granted permissions via an IAM policy to request the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action.

The decoded message includes the following type of information:

", "GetAccessKeyInfo": "

Returns the account identifier for the specified access key ID.

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). For more information about access keys, see Managing Access Keys for IAM Users in the IAM User Guide.

When you pass an access key ID to this operation, it returns the ID of the AWS account to which the keys belong. Access key IDs beginning with AKIA are long-term credentials for an IAM user or the AWS account root user. Access key IDs beginning with ASIA are temporary credentials that are created using STS operations. If the account in the response belongs to you, you can sign in as the root user and review your root user access keys. Then, you can pull a credentials report to learn which IAM user owns the keys. To learn who requested the temporary credentials for an ASIA access key, view the STS events in your CloudTrail logs in the IAM User Guide.

This operation does not indicate the state of the access key. The key might be active, inactive, or deleted. Active keys might not have permissions to perform an operation. Providing a deleted access key might return an error that the key doesn't exist.

", "GetCallerIdentity": "

Returns details about the IAM user or role whose credentials are used to call the operation.

No permissions are required to perform this operation. If an administrator adds a policy to your IAM user or role that explicitly denies access to the sts:GetCallerIdentity action, you can still perform this operation. Permissions are not required because the same information is returned when an IAM user or role is denied access. To view an example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the IAM User Guide.

",
diff --git a/aws-sdk-core/endpoints.json b/aws-sdk-core/endpoints.json
index b28f49a8805..7a85c0b759b 100644
--- a/aws-sdk-core/endpoints.json
+++ b/aws-sdk-core/endpoints.json
@@ -1081,6 +1081,7 @@
 "ca-central-1" : { },
 "eu-central-1" : { },
 "eu-north-1" : { },
+ "eu-south-1" : { },
 "eu-west-1" : { },
 "eu-west-2" : { },
 "eu-west-3" : { },