diff --git a/src/code.cloudfoundry.org/go.mod b/src/code.cloudfoundry.org/go.mod index c2d23759bf..8134df8f65 100644 --- a/src/code.cloudfoundry.org/go.mod +++ b/src/code.cloudfoundry.org/go.mod @@ -43,7 +43,7 @@ require ( code.cloudfoundry.org/tlsconfig v0.0.0-20231017135636-f0e44068c22f github.com/GaryBoone/GoStats v0.0.0-20130122001700-1993eafbef57 github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b - github.com/aws/aws-sdk-go v1.47.11 + github.com/aws/aws-sdk-go v1.48.0 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231111033029-eb10ac4f1f27 github.com/cactus/go-statsd-client v3.1.1-0.20161031215955-d8eabe07bc70+incompatible github.com/cloudfoundry-community/go-uaa v0.3.2 diff --git a/src/code.cloudfoundry.org/go.sum b/src/code.cloudfoundry.org/go.sum index 7f108666ba..cd8c2184c6 100644 --- a/src/code.cloudfoundry.org/go.sum +++ b/src/code.cloudfoundry.org/go.sum @@ -667,8 +667,8 @@ github.com/apache/arrow/go/v11 v11.0.0/go.mod h1:Eg5OsL5H+e299f7u5ssuXsuHQVEGC4x github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 h1:afT88tB6u9JCKQZVAAaa9ICz/uGn5Uw9ekn6P22mYKM= github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77/go.mod h1:bXvGk6IkT1Agy7qzJ+DjIw/SJ1AaB3AvAuMDVV+Vkoo= -github.com/aws/aws-sdk-go v1.47.11 h1:Dol+MA+hQblbnXUI3Vk9qvoekU6O1uDEuAItezjiWNQ= -github.com/aws/aws-sdk-go v1.47.11/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go v1.48.0 h1:1SeJ8agckRDQvnSCt1dGZYAwUaoD2Ixj6IaXB4LCv8Q= +github.com/aws/aws-sdk-go v1.48.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go-v2 v1.22.2 h1:lV0U8fnhAnPz8YcdmZVV60+tr6CakHzqA6P8T46ExJI= github.com/aws/aws-sdk-go-v2 v1.22.2/go.mod h1:Kd0OJtkW3Q0M0lUWGszapWjEvrXDzRW+D21JNsroB+c= github.com/aws/aws-sdk-go-v2/config v1.25.0 h1:WCwAqyrM/kqYi6pHjVpq/w2pLydeGKv8Af9vdtO3ciM= diff --git a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go index ee86c50ee1..b11016c081 100644 --- a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go +++ b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go @@ -3977,6 +3977,12 @@ var awsPartition = partition{ endpointKey{ Region: "ca-central-1", }: endpoint{}, + endpointKey{ + Region: "ca-central-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "autoscaling-fips.ca-central-1.amazonaws.com", + }, endpointKey{ Region: "eu-central-1", }: endpoint{}, @@ -4001,6 +4007,51 @@ var awsPartition = partition{ endpointKey{ Region: "eu-west-3", }: endpoint{}, + endpointKey{ + Region: "fips-ca-central-1", + }: endpoint{ + Hostname: "autoscaling-fips.ca-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ca-central-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-east-1", + }: endpoint{ + Hostname: "autoscaling-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-east-2", + }: endpoint{ + Hostname: "autoscaling-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-west-1", + }: endpoint{ + Hostname: "autoscaling-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-west-2", + }: endpoint{ + Hostname: "autoscaling-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + Deprecated: boxedTrue, + }, endpointKey{ Region: "il-central-1", }: endpoint{}, @@ -4016,15 +4067,39 @@ var awsPartition = partition{ endpointKey{ Region: "us-east-1", }: endpoint{}, + endpointKey{ + Region: "us-east-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "autoscaling-fips.us-east-1.amazonaws.com", + }, endpointKey{ Region: "us-east-2", }: endpoint{}, + endpointKey{ + Region: "us-east-2", + Variant: fipsVariant, + }: endpoint{ + Hostname: "autoscaling-fips.us-east-2.amazonaws.com", + }, endpointKey{ Region: "us-west-1", }: endpoint{}, + endpointKey{ + Region: "us-west-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "autoscaling-fips.us-west-1.amazonaws.com", + }, endpointKey{ Region: "us-west-2", }: endpoint{}, + endpointKey{ + Region: "us-west-2", + Variant: fipsVariant, + }: endpoint{ + Hostname: "autoscaling-fips.us-west-2.amazonaws.com", + }, }, }, "autoscaling-plans": service{ @@ -11790,6 +11865,9 @@ var awsPartition = partition{ }, "emr-serverless": service{ Endpoints: serviceEndpoints{ + endpointKey{ + Region: "af-south-1", + }: endpoint{}, endpointKey{ Region: "ap-east-1", }: endpoint{}, @@ -11799,6 +11877,9 @@ var awsPartition = partition{ endpointKey{ Region: "ap-northeast-2", }: endpoint{}, + endpointKey{ + Region: "ap-northeast-3", + }: endpoint{}, endpointKey{ Region: "ap-south-1", }: endpoint{}, @@ -11808,6 +11889,9 @@ var awsPartition = partition{ endpointKey{ Region: "ap-southeast-2", }: endpoint{}, + endpointKey{ + Region: "ap-southeast-3", + }: endpoint{}, endpointKey{ Region: "ca-central-1", }: endpoint{}, @@ -11823,6 +11907,9 @@ var awsPartition = partition{ endpointKey{ Region: "eu-north-1", }: endpoint{}, + endpointKey{ + Region: "eu-south-1", + }: endpoint{}, endpointKey{ Region: "eu-west-1", }: endpoint{}, @@ -26651,6 +26738,9 @@ var awsPartition = partition{ }, Deprecated: boxedTrue, }, + endpointKey{ + Region: "il-central-1", + }: endpoint{}, endpointKey{ Region: "me-central-1", }: endpoint{}, @@ -40232,20 +40322,40 @@ var awsusgovPartition = partition{ "simspaceweaver": service{ Endpoints: serviceEndpoints{ endpointKey{ - Region: "us-gov-east-1", + Region: "fips-us-gov-east-1", }: endpoint{ Hostname: "simspaceweaver.us-gov-east-1.amazonaws.com", CredentialScope: credentialScope{ Region: "us-gov-east-1", }, + Deprecated: boxedTrue, }, endpointKey{ - Region: "us-gov-west-1", + Region: "fips-us-gov-west-1", }: endpoint{ Hostname: "simspaceweaver.us-gov-west-1.amazonaws.com", CredentialScope: credentialScope{ Region: "us-gov-west-1", }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "us-gov-east-1", + }: endpoint{}, + endpointKey{ + Region: "us-gov-east-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "simspaceweaver.us-gov-east-1.amazonaws.com", + }, + endpointKey{ + Region: "us-gov-west-1", + }: endpoint{}, + endpointKey{ + Region: "us-gov-west-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "simspaceweaver.us-gov-west-1.amazonaws.com", }, }, }, @@ -40464,6 +40574,24 @@ var awsusgovPartition = partition{ Region: "us-gov-east-1", }, }, + endpointKey{ + Region: "us-gov-east-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "sso.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, + endpointKey{ + Region: "us-gov-east-1-fips", + }: endpoint{ + Hostname: "sso.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + Deprecated: boxedTrue, + }, endpointKey{ Region: "us-gov-west-1", }: endpoint{ @@ -40472,6 +40600,24 @@ var awsusgovPartition = partition{ Region: "us-gov-west-1", }, }, + endpointKey{ + Region: "us-gov-west-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "sso.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, + endpointKey{ + Region: "us-gov-west-1-fips", + }: endpoint{ + Hostname: "sso.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + Deprecated: boxedTrue, + }, }, }, "states": service{ @@ -41503,6 +41649,9 @@ var awsisoPartition = partition{ endpointKey{ Region: "us-iso-east-1", }: endpoint{}, + endpointKey{ + Region: "us-iso-west-1", + }: endpoint{}, }, }, "ec2": service{ diff --git a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/aws/version.go b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/aws/version.go index 7fa477b832..77fb05c4e9 100644 --- a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/aws/version.go +++ b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/aws/version.go @@ -5,4 +5,4 @@ package aws const SDKName = "aws-sdk-go" // SDKVersion is the version of this SDK -const SDKVersion = "1.47.11" +const SDKVersion = "1.48.0" diff --git a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ecr/api.go b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ecr/api.go index 9f0a75ec36..7146f5ff74 100644 --- a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ecr/api.go +++ b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ecr/api.go @@ -272,6 +272,16 @@ func (c *ECR) BatchGetImageRequest(input *BatchGetImageInput) (req *request.Requ // The specified repository could not be found. Check the spelling of the specified // repository and ensure that you are performing operations on the correct registry. // +// - LimitExceededException +// The operation did not succeed because it would have exceeded a service limit +// for your account. For more information, see Amazon ECR service quotas (https://docs.aws.amazon.com/AmazonECR/latest/userguide/service-quotas.html) +// in the Amazon Elastic Container Registry User Guide. +// +// - UnableToGetUpstreamImageException +// The image or images were unable to be pulled using the pull through cache +// rule. This is usually caused because of an issue with the Secrets Manager +// secret containing the credentials for the upstream registry. +// // See also, https://docs.aws.amazon.com/goto/WebAPI/ecr-2015-09-21/BatchGetImage func (c *ECR) BatchGetImage(input *BatchGetImageInput) (*BatchGetImageOutput, error) { req, out := c.BatchGetImageRequest(input) @@ -544,8 +554,9 @@ func (c *ECR) CreatePullThroughCacheRuleRequest(input *CreatePullThroughCacheRul // CreatePullThroughCacheRule API operation for Amazon EC2 Container Registry. // // Creates a pull through cache rule. A pull through cache rule provides a way -// to cache images from an external public registry in your Amazon ECR private -// registry. +// to cache images from an upstream registry source in your Amazon ECR private +// registry. For more information, see Using pull through cache rules (https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html) +// in the Amazon Elastic Container Registry User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -578,6 +589,18 @@ func (c *ECR) CreatePullThroughCacheRuleRequest(input *CreatePullThroughCacheRul // for your account. For more information, see Amazon ECR service quotas (https://docs.aws.amazon.com/AmazonECR/latest/userguide/service-quotas.html) // in the Amazon Elastic Container Registry User Guide. // +// - UnableToAccessSecretException +// The secret is unable to be accessed. Verify the resource permissions for +// the secret and try again. +// +// - SecretNotFoundException +// The ARN of the secret specified in the pull through cache rule was not found. +// Update the pull through cache rule with a valid secret ARN and try again. +// +// - UnableToDecryptSecretValueException +// The secret is accessible but is unable to be decrypted. Verify the resource +// permisisons and try again. +// // See also, https://docs.aws.amazon.com/goto/WebAPI/ecr-2015-09-21/CreatePullThroughCacheRule func (c *ECR) CreatePullThroughCacheRule(input *CreatePullThroughCacheRuleInput) (*CreatePullThroughCacheRuleOutput, error) { req, out := c.CreatePullThroughCacheRuleRequest(input) @@ -1019,9 +1042,9 @@ func (c *ECR) DeleteRepositoryRequest(input *DeleteRepositoryInput) (req *reques // DeleteRepository API operation for Amazon EC2 Container Registry. // -// Deletes a repository. If the repository contains images, you must either -// delete all images in the repository or use the force option to delete the -// repository. +// Deletes a repository. If the repository isn't empty, you must either delete +// the contents of the repository or use the force option to delete the repository +// and have Amazon ECR delete all of its contents on your behalf. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -2114,6 +2137,10 @@ func (c *ECR) GetDownloadUrlForLayerRequest(input *GetDownloadUrlForLayerInput) // The specified repository could not be found. Check the spelling of the specified // repository and ensure that you are performing operations on the correct registry. // +// - UnableToGetUpstreamLayerException +// There was an issue getting the upstream layer matching the pull through cache +// rule. +// // See also, https://docs.aws.amazon.com/goto/WebAPI/ecr-2015-09-21/GetDownloadUrlForLayer func (c *ECR) GetDownloadUrlForLayer(input *GetDownloadUrlForLayerInput) (*GetDownloadUrlForLayerOutput, error) { req, out := c.GetDownloadUrlForLayerRequest(input) @@ -4138,6 +4165,108 @@ func (c *ECR) UntagResourceWithContext(ctx aws.Context, input *UntagResourceInpu return out, req.Send() } +const opUpdatePullThroughCacheRule = "UpdatePullThroughCacheRule" + +// UpdatePullThroughCacheRuleRequest generates a "aws/request.Request" representing the +// client's request for the UpdatePullThroughCacheRule operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See UpdatePullThroughCacheRule for more information on using the UpdatePullThroughCacheRule +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the UpdatePullThroughCacheRuleRequest method. +// req, resp := client.UpdatePullThroughCacheRuleRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ecr-2015-09-21/UpdatePullThroughCacheRule +func (c *ECR) UpdatePullThroughCacheRuleRequest(input *UpdatePullThroughCacheRuleInput) (req *request.Request, output *UpdatePullThroughCacheRuleOutput) { + op := &request.Operation{ + Name: opUpdatePullThroughCacheRule, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &UpdatePullThroughCacheRuleInput{} + } + + output = &UpdatePullThroughCacheRuleOutput{} + req = c.newRequest(op, input, output) + return +} + +// UpdatePullThroughCacheRule API operation for Amazon EC2 Container Registry. +// +// Updates an existing pull through cache rule. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon EC2 Container Registry's +// API operation UpdatePullThroughCacheRule for usage and error information. +// +// Returned Error Types: +// +// - ServerException +// These errors are usually caused by a server-side issue. +// +// - InvalidParameterException +// The specified parameter is invalid. Review the available parameters for the +// API request. +// +// - ValidationException +// There was an exception validating this request. +// +// - UnableToAccessSecretException +// The secret is unable to be accessed. Verify the resource permissions for +// the secret and try again. +// +// - PullThroughCacheRuleNotFoundException +// The pull through cache rule was not found. Specify a valid pull through cache +// rule and try again. +// +// - SecretNotFoundException +// The ARN of the secret specified in the pull through cache rule was not found. +// Update the pull through cache rule with a valid secret ARN and try again. +// +// - UnableToDecryptSecretValueException +// The secret is accessible but is unable to be decrypted. Verify the resource +// permisisons and try again. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ecr-2015-09-21/UpdatePullThroughCacheRule +func (c *ECR) UpdatePullThroughCacheRule(input *UpdatePullThroughCacheRuleInput) (*UpdatePullThroughCacheRuleOutput, error) { + req, out := c.UpdatePullThroughCacheRuleRequest(input) + return out, req.Send() +} + +// UpdatePullThroughCacheRuleWithContext is the same as UpdatePullThroughCacheRule with the addition of +// the ability to pass a context and additional request options. +// +// See UpdatePullThroughCacheRule for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *ECR) UpdatePullThroughCacheRuleWithContext(ctx aws.Context, input *UpdatePullThroughCacheRuleInput, opts ...request.Option) (*UpdatePullThroughCacheRuleOutput, error) { + req, out := c.UpdatePullThroughCacheRuleRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opUploadLayerPart = "UploadLayerPart" // UploadLayerPartRequest generates a "aws/request.Request" representing the @@ -4249,6 +4378,99 @@ func (c *ECR) UploadLayerPartWithContext(ctx aws.Context, input *UploadLayerPart return out, req.Send() } +const opValidatePullThroughCacheRule = "ValidatePullThroughCacheRule" + +// ValidatePullThroughCacheRuleRequest generates a "aws/request.Request" representing the +// client's request for the ValidatePullThroughCacheRule operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ValidatePullThroughCacheRule for more information on using the ValidatePullThroughCacheRule +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the ValidatePullThroughCacheRuleRequest method. +// req, resp := client.ValidatePullThroughCacheRuleRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ecr-2015-09-21/ValidatePullThroughCacheRule +func (c *ECR) ValidatePullThroughCacheRuleRequest(input *ValidatePullThroughCacheRuleInput) (req *request.Request, output *ValidatePullThroughCacheRuleOutput) { + op := &request.Operation{ + Name: opValidatePullThroughCacheRule, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ValidatePullThroughCacheRuleInput{} + } + + output = &ValidatePullThroughCacheRuleOutput{} + req = c.newRequest(op, input, output) + return +} + +// ValidatePullThroughCacheRule API operation for Amazon EC2 Container Registry. +// +// Validates an existing pull through cache rule for an upstream registry that +// requires authentication. This will retrieve the contents of the Amazon Web +// Services Secrets Manager secret, verify the syntax, and then validate that +// authentication to the upstream registry is successful. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon EC2 Container Registry's +// API operation ValidatePullThroughCacheRule for usage and error information. +// +// Returned Error Types: +// +// - ServerException +// These errors are usually caused by a server-side issue. +// +// - InvalidParameterException +// The specified parameter is invalid. Review the available parameters for the +// API request. +// +// - ValidationException +// There was an exception validating this request. +// +// - PullThroughCacheRuleNotFoundException +// The pull through cache rule was not found. Specify a valid pull through cache +// rule and try again. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ecr-2015-09-21/ValidatePullThroughCacheRule +func (c *ECR) ValidatePullThroughCacheRule(input *ValidatePullThroughCacheRuleInput) (*ValidatePullThroughCacheRuleOutput, error) { + req, out := c.ValidatePullThroughCacheRuleRequest(input) + return out, req.Send() +} + +// ValidatePullThroughCacheRuleWithContext is the same as ValidatePullThroughCacheRule with the addition of +// the ability to pass a context and additional request options. +// +// See ValidatePullThroughCacheRule for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *ECR) ValidatePullThroughCacheRuleWithContext(ctx aws.Context, input *ValidatePullThroughCacheRuleInput, opts ...request.Option) (*ValidatePullThroughCacheRuleOutput, error) { + req, out := c.ValidatePullThroughCacheRuleRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + // This data type is used in the ImageScanFinding data type. type Attribute struct { _ struct{} `type:"structure"` @@ -5075,6 +5297,10 @@ func (s *CompleteLayerUploadOutput) SetUploadId(v string) *CompleteLayerUploadOu type CreatePullThroughCacheRuleInput struct { _ struct{} `type:"structure"` + // The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager + // secret that identifies the credentials to authenticate to the upstream registry. + CredentialArn *string `locationName:"credentialArn" min:"50" type:"string"` + // The repository name prefix to use when caching images from the source registry. // // EcrRepositoryPrefix is a required field @@ -5085,8 +5311,24 @@ type CreatePullThroughCacheRuleInput struct { // registry is assumed. RegistryId *string `locationName:"registryId" type:"string"` + // The name of the upstream registry. + UpstreamRegistry *string `locationName:"upstreamRegistry" type:"string" enum:"UpstreamRegistry"` + // The registry URL of the upstream public registry to use as the source for - // the pull through cache rule. + // the pull through cache rule. The following is the syntax to use for each + // supported upstream registry. + // + // * Amazon ECR Public (ecr-public) - public.ecr.aws + // + // * Docker Hub (docker-hub) - registry-1.docker.io + // + // * Quay (quay) - quay.io + // + // * Kubernetes (k8s) - registry.k8s.io + // + // * GitHub Container Registry (github-container-registry) - ghcr.io + // + // * Microsoft Azure Container Registry (azure-container-registry) - .azurecr.io // // UpstreamRegistryUrl is a required field UpstreamRegistryUrl *string `locationName:"upstreamRegistryUrl" type:"string" required:"true"` @@ -5113,6 +5355,9 @@ func (s CreatePullThroughCacheRuleInput) GoString() string { // Validate inspects the fields of the type to determine if they are valid. func (s *CreatePullThroughCacheRuleInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "CreatePullThroughCacheRuleInput"} + if s.CredentialArn != nil && len(*s.CredentialArn) < 50 { + invalidParams.Add(request.NewErrParamMinLen("CredentialArn", 50)) + } if s.EcrRepositoryPrefix == nil { invalidParams.Add(request.NewErrParamRequired("EcrRepositoryPrefix")) } @@ -5129,6 +5374,12 @@ func (s *CreatePullThroughCacheRuleInput) Validate() error { return nil } +// SetCredentialArn sets the CredentialArn field's value. +func (s *CreatePullThroughCacheRuleInput) SetCredentialArn(v string) *CreatePullThroughCacheRuleInput { + s.CredentialArn = &v + return s +} + // SetEcrRepositoryPrefix sets the EcrRepositoryPrefix field's value. func (s *CreatePullThroughCacheRuleInput) SetEcrRepositoryPrefix(v string) *CreatePullThroughCacheRuleInput { s.EcrRepositoryPrefix = &v @@ -5141,6 +5392,12 @@ func (s *CreatePullThroughCacheRuleInput) SetRegistryId(v string) *CreatePullThr return s } +// SetUpstreamRegistry sets the UpstreamRegistry field's value. +func (s *CreatePullThroughCacheRuleInput) SetUpstreamRegistry(v string) *CreatePullThroughCacheRuleInput { + s.UpstreamRegistry = &v + return s +} + // SetUpstreamRegistryUrl sets the UpstreamRegistryUrl field's value. func (s *CreatePullThroughCacheRuleInput) SetUpstreamRegistryUrl(v string) *CreatePullThroughCacheRuleInput { s.UpstreamRegistryUrl = &v @@ -5154,12 +5411,20 @@ type CreatePullThroughCacheRuleOutput struct { // rule was created. CreatedAt *time.Time `locationName:"createdAt" type:"timestamp"` + // The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager + // secret associated with the pull through cache rule. + CredentialArn *string `locationName:"credentialArn" min:"50" type:"string"` + // The Amazon ECR repository prefix associated with the pull through cache rule. EcrRepositoryPrefix *string `locationName:"ecrRepositoryPrefix" min:"2" type:"string"` // The registry ID associated with the request. RegistryId *string `locationName:"registryId" type:"string"` + // The name of the upstream registry associated with the pull through cache + // rule. + UpstreamRegistry *string `locationName:"upstreamRegistry" type:"string" enum:"UpstreamRegistry"` + // The upstream registry URL associated with the pull through cache rule. UpstreamRegistryUrl *string `locationName:"upstreamRegistryUrl" type:"string"` } @@ -5188,6 +5453,12 @@ func (s *CreatePullThroughCacheRuleOutput) SetCreatedAt(v time.Time) *CreatePull return s } +// SetCredentialArn sets the CredentialArn field's value. +func (s *CreatePullThroughCacheRuleOutput) SetCredentialArn(v string) *CreatePullThroughCacheRuleOutput { + s.CredentialArn = &v + return s +} + // SetEcrRepositoryPrefix sets the EcrRepositoryPrefix field's value. func (s *CreatePullThroughCacheRuleOutput) SetEcrRepositoryPrefix(v string) *CreatePullThroughCacheRuleOutput { s.EcrRepositoryPrefix = &v @@ -5200,6 +5471,12 @@ func (s *CreatePullThroughCacheRuleOutput) SetRegistryId(v string) *CreatePullTh return s } +// SetUpstreamRegistry sets the UpstreamRegistry field's value. +func (s *CreatePullThroughCacheRuleOutput) SetUpstreamRegistry(v string) *CreatePullThroughCacheRuleOutput { + s.UpstreamRegistry = &v + return s +} + // SetUpstreamRegistryUrl sets the UpstreamRegistryUrl field's value. func (s *CreatePullThroughCacheRuleOutput) SetUpstreamRegistryUrl(v string) *CreatePullThroughCacheRuleOutput { s.UpstreamRegistryUrl = &v @@ -5715,6 +5992,10 @@ type DeletePullThroughCacheRuleOutput struct { // The timestamp associated with the pull through cache rule. CreatedAt *time.Time `locationName:"createdAt" type:"timestamp"` + // The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager + // secret associated with the pull through cache rule. + CredentialArn *string `locationName:"credentialArn" min:"50" type:"string"` + // The Amazon ECR repository prefix associated with the request. EcrRepositoryPrefix *string `locationName:"ecrRepositoryPrefix" min:"2" type:"string"` @@ -5749,6 +6030,12 @@ func (s *DeletePullThroughCacheRuleOutput) SetCreatedAt(v time.Time) *DeletePull return s } +// SetCredentialArn sets the CredentialArn field's value. +func (s *DeletePullThroughCacheRuleOutput) SetCredentialArn(v string) *DeletePullThroughCacheRuleOutput { + s.CredentialArn = &v + return s +} + // SetEcrRepositoryPrefix sets the EcrRepositoryPrefix field's value. func (s *DeletePullThroughCacheRuleOutput) SetEcrRepositoryPrefix(v string) *DeletePullThroughCacheRuleOutput { s.EcrRepositoryPrefix = &v @@ -5832,7 +6119,8 @@ func (s *DeleteRegistryPolicyOutput) SetRegistryId(v string) *DeleteRegistryPoli type DeleteRepositoryInput struct { _ struct{} `type:"structure"` - // If a repository contains images, forces the deletion. + // If true, deleting the repository force deletes the contents of the repository. + // If false, the repository must be empty before attempting to delete it. Force *bool `locationName:"force" type:"boolean"` // The Amazon Web Services account ID associated with the registry that contains @@ -10473,6 +10761,10 @@ type PullThroughCacheRule struct { // The date and time the pull through cache was created. CreatedAt *time.Time `locationName:"createdAt" type:"timestamp"` + // The ARN of the Secrets Manager secret associated with the pull through cache + // rule. + CredentialArn *string `locationName:"credentialArn" min:"50" type:"string"` + // The Amazon ECR repository prefix associated with the pull through cache rule. EcrRepositoryPrefix *string `locationName:"ecrRepositoryPrefix" min:"2" type:"string"` @@ -10480,6 +10772,14 @@ type PullThroughCacheRule struct { // through cache rule is associated with. RegistryId *string `locationName:"registryId" type:"string"` + // The date and time, in JavaScript date format, when the pull through cache + // rule was last updated. + UpdatedAt *time.Time `locationName:"updatedAt" type:"timestamp"` + + // The name of the upstream source registry associated with the pull through + // cache rule. + UpstreamRegistry *string `locationName:"upstreamRegistry" type:"string" enum:"UpstreamRegistry"` + // The upstream registry URL associated with the pull through cache rule. UpstreamRegistryUrl *string `locationName:"upstreamRegistryUrl" type:"string"` } @@ -10508,6 +10808,12 @@ func (s *PullThroughCacheRule) SetCreatedAt(v time.Time) *PullThroughCacheRule { return s } +// SetCredentialArn sets the CredentialArn field's value. +func (s *PullThroughCacheRule) SetCredentialArn(v string) *PullThroughCacheRule { + s.CredentialArn = &v + return s +} + // SetEcrRepositoryPrefix sets the EcrRepositoryPrefix field's value. func (s *PullThroughCacheRule) SetEcrRepositoryPrefix(v string) *PullThroughCacheRule { s.EcrRepositoryPrefix = &v @@ -10520,6 +10826,18 @@ func (s *PullThroughCacheRule) SetRegistryId(v string) *PullThroughCacheRule { return s } +// SetUpdatedAt sets the UpdatedAt field's value. +func (s *PullThroughCacheRule) SetUpdatedAt(v time.Time) *PullThroughCacheRule { + s.UpdatedAt = &v + return s +} + +// SetUpstreamRegistry sets the UpstreamRegistry field's value. +func (s *PullThroughCacheRule) SetUpstreamRegistry(v string) *PullThroughCacheRule { + s.UpstreamRegistry = &v + return s +} + // SetUpstreamRegistryUrl sets the UpstreamRegistryUrl field's value. func (s *PullThroughCacheRule) SetUpstreamRegistryUrl(v string) *PullThroughCacheRule { s.UpstreamRegistryUrl = &v @@ -12782,6 +13100,71 @@ func (s *ScoreDetails) SetCvss(v *CvssScoreDetails) *ScoreDetails { return s } +// The ARN of the secret specified in the pull through cache rule was not found. +// Update the pull through cache rule with a valid secret ARN and try again. +type SecretNotFoundException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s SecretNotFoundException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s SecretNotFoundException) GoString() string { + return s.String() +} + +func newErrorSecretNotFoundException(v protocol.ResponseMetadata) error { + return &SecretNotFoundException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *SecretNotFoundException) Code() string { + return "SecretNotFoundException" +} + +// Message returns the exception's message. +func (s *SecretNotFoundException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *SecretNotFoundException) OrigErr() error { + return nil +} + +func (s *SecretNotFoundException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *SecretNotFoundException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *SecretNotFoundException) RequestID() string { + return s.RespMetadata.RequestID +} + // These errors are usually caused by a server-side issue. type ServerException struct { _ struct{} `type:"structure"` @@ -13476,8 +13859,9 @@ func (s *TooManyTagsException) RequestID() string { return s.RespMetadata.RequestID } -// The image is of a type that cannot be scanned. -type UnsupportedImageTypeException struct { +// The secret is unable to be accessed. Verify the resource permissions for +// the secret and try again. +type UnableToAccessSecretException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -13489,7 +13873,7 @@ type UnsupportedImageTypeException struct { // API parameter values that are decorated as "sensitive" in the API will not // be included in the string output. The member name will be present, but the // value will be replaced with "sensitive". -func (s UnsupportedImageTypeException) String() string { +func (s UnableToAccessSecretException) String() string { return awsutil.Prettify(s) } @@ -13498,19 +13882,279 @@ func (s UnsupportedImageTypeException) String() string { // API parameter values that are decorated as "sensitive" in the API will not // be included in the string output. The member name will be present, but the // value will be replaced with "sensitive". -func (s UnsupportedImageTypeException) GoString() string { +func (s UnableToAccessSecretException) GoString() string { return s.String() } -func newErrorUnsupportedImageTypeException(v protocol.ResponseMetadata) error { - return &UnsupportedImageTypeException{ +func newErrorUnableToAccessSecretException(v protocol.ResponseMetadata) error { + return &UnableToAccessSecretException{ RespMetadata: v, } } // Code returns the exception type name. -func (s *UnsupportedImageTypeException) Code() string { - return "UnsupportedImageTypeException" +func (s *UnableToAccessSecretException) Code() string { + return "UnableToAccessSecretException" +} + +// Message returns the exception's message. +func (s *UnableToAccessSecretException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *UnableToAccessSecretException) OrigErr() error { + return nil +} + +func (s *UnableToAccessSecretException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *UnableToAccessSecretException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *UnableToAccessSecretException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The secret is accessible but is unable to be decrypted. Verify the resource +// permisisons and try again. +type UnableToDecryptSecretValueException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UnableToDecryptSecretValueException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UnableToDecryptSecretValueException) GoString() string { + return s.String() +} + +func newErrorUnableToDecryptSecretValueException(v protocol.ResponseMetadata) error { + return &UnableToDecryptSecretValueException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *UnableToDecryptSecretValueException) Code() string { + return "UnableToDecryptSecretValueException" +} + +// Message returns the exception's message. +func (s *UnableToDecryptSecretValueException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *UnableToDecryptSecretValueException) OrigErr() error { + return nil +} + +func (s *UnableToDecryptSecretValueException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *UnableToDecryptSecretValueException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *UnableToDecryptSecretValueException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The image or images were unable to be pulled using the pull through cache +// rule. This is usually caused because of an issue with the Secrets Manager +// secret containing the credentials for the upstream registry. +type UnableToGetUpstreamImageException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UnableToGetUpstreamImageException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UnableToGetUpstreamImageException) GoString() string { + return s.String() +} + +func newErrorUnableToGetUpstreamImageException(v protocol.ResponseMetadata) error { + return &UnableToGetUpstreamImageException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *UnableToGetUpstreamImageException) Code() string { + return "UnableToGetUpstreamImageException" +} + +// Message returns the exception's message. +func (s *UnableToGetUpstreamImageException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *UnableToGetUpstreamImageException) OrigErr() error { + return nil +} + +func (s *UnableToGetUpstreamImageException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *UnableToGetUpstreamImageException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *UnableToGetUpstreamImageException) RequestID() string { + return s.RespMetadata.RequestID +} + +// There was an issue getting the upstream layer matching the pull through cache +// rule. +type UnableToGetUpstreamLayerException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UnableToGetUpstreamLayerException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UnableToGetUpstreamLayerException) GoString() string { + return s.String() +} + +func newErrorUnableToGetUpstreamLayerException(v protocol.ResponseMetadata) error { + return &UnableToGetUpstreamLayerException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *UnableToGetUpstreamLayerException) Code() string { + return "UnableToGetUpstreamLayerException" +} + +// Message returns the exception's message. +func (s *UnableToGetUpstreamLayerException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *UnableToGetUpstreamLayerException) OrigErr() error { + return nil +} + +func (s *UnableToGetUpstreamLayerException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *UnableToGetUpstreamLayerException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *UnableToGetUpstreamLayerException) RequestID() string { + return s.RespMetadata.RequestID +} + +// The image is of a type that cannot be scanned. +type UnsupportedImageTypeException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + Message_ *string `locationName:"message" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UnsupportedImageTypeException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UnsupportedImageTypeException) GoString() string { + return s.String() +} + +func newErrorUnsupportedImageTypeException(v protocol.ResponseMetadata) error { + return &UnsupportedImageTypeException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *UnsupportedImageTypeException) Code() string { + return "UnsupportedImageTypeException" } // Message returns the exception's message. @@ -13687,6 +14331,144 @@ func (s UntagResourceOutput) GoString() string { return s.String() } +type UpdatePullThroughCacheRuleInput struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager + // secret that identifies the credentials to authenticate to the upstream registry. + // + // CredentialArn is a required field + CredentialArn *string `locationName:"credentialArn" min:"50" type:"string" required:"true"` + + // The repository name prefix to use when caching images from the source registry. + // + // EcrRepositoryPrefix is a required field + EcrRepositoryPrefix *string `locationName:"ecrRepositoryPrefix" min:"2" type:"string" required:"true"` + + // The Amazon Web Services account ID associated with the registry associated + // with the pull through cache rule. If you do not specify a registry, the default + // registry is assumed. + RegistryId *string `locationName:"registryId" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UpdatePullThroughCacheRuleInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UpdatePullThroughCacheRuleInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *UpdatePullThroughCacheRuleInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "UpdatePullThroughCacheRuleInput"} + if s.CredentialArn == nil { + invalidParams.Add(request.NewErrParamRequired("CredentialArn")) + } + if s.CredentialArn != nil && len(*s.CredentialArn) < 50 { + invalidParams.Add(request.NewErrParamMinLen("CredentialArn", 50)) + } + if s.EcrRepositoryPrefix == nil { + invalidParams.Add(request.NewErrParamRequired("EcrRepositoryPrefix")) + } + if s.EcrRepositoryPrefix != nil && len(*s.EcrRepositoryPrefix) < 2 { + invalidParams.Add(request.NewErrParamMinLen("EcrRepositoryPrefix", 2)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCredentialArn sets the CredentialArn field's value. +func (s *UpdatePullThroughCacheRuleInput) SetCredentialArn(v string) *UpdatePullThroughCacheRuleInput { + s.CredentialArn = &v + return s +} + +// SetEcrRepositoryPrefix sets the EcrRepositoryPrefix field's value. +func (s *UpdatePullThroughCacheRuleInput) SetEcrRepositoryPrefix(v string) *UpdatePullThroughCacheRuleInput { + s.EcrRepositoryPrefix = &v + return s +} + +// SetRegistryId sets the RegistryId field's value. +func (s *UpdatePullThroughCacheRuleInput) SetRegistryId(v string) *UpdatePullThroughCacheRuleInput { + s.RegistryId = &v + return s +} + +type UpdatePullThroughCacheRuleOutput struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager + // secret associated with the pull through cache rule. + CredentialArn *string `locationName:"credentialArn" min:"50" type:"string"` + + // The Amazon ECR repository prefix associated with the pull through cache rule. + EcrRepositoryPrefix *string `locationName:"ecrRepositoryPrefix" min:"2" type:"string"` + + // The registry ID associated with the request. + RegistryId *string `locationName:"registryId" type:"string"` + + // The date and time, in JavaScript date format, when the pull through cache + // rule was updated. + UpdatedAt *time.Time `locationName:"updatedAt" type:"timestamp"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UpdatePullThroughCacheRuleOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s UpdatePullThroughCacheRuleOutput) GoString() string { + return s.String() +} + +// SetCredentialArn sets the CredentialArn field's value. +func (s *UpdatePullThroughCacheRuleOutput) SetCredentialArn(v string) *UpdatePullThroughCacheRuleOutput { + s.CredentialArn = &v + return s +} + +// SetEcrRepositoryPrefix sets the EcrRepositoryPrefix field's value. +func (s *UpdatePullThroughCacheRuleOutput) SetEcrRepositoryPrefix(v string) *UpdatePullThroughCacheRuleOutput { + s.EcrRepositoryPrefix = &v + return s +} + +// SetRegistryId sets the RegistryId field's value. +func (s *UpdatePullThroughCacheRuleOutput) SetRegistryId(v string) *UpdatePullThroughCacheRuleOutput { + s.RegistryId = &v + return s +} + +// SetUpdatedAt sets the UpdatedAt field's value. +func (s *UpdatePullThroughCacheRuleOutput) SetUpdatedAt(v time.Time) *UpdatePullThroughCacheRuleOutput { + s.UpdatedAt = &v + return s +} + type UploadLayerPartInput struct { _ struct{} `type:"structure"` @@ -13931,6 +14713,147 @@ func (s *UploadNotFoundException) RequestID() string { return s.RespMetadata.RequestID } +type ValidatePullThroughCacheRuleInput struct { + _ struct{} `type:"structure"` + + // The repository name prefix associated with the pull through cache rule. + // + // EcrRepositoryPrefix is a required field + EcrRepositoryPrefix *string `locationName:"ecrRepositoryPrefix" min:"2" type:"string" required:"true"` + + // The registry ID associated with the pull through cache rule. If you do not + // specify a registry, the default registry is assumed. + RegistryId *string `locationName:"registryId" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ValidatePullThroughCacheRuleInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ValidatePullThroughCacheRuleInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ValidatePullThroughCacheRuleInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ValidatePullThroughCacheRuleInput"} + if s.EcrRepositoryPrefix == nil { + invalidParams.Add(request.NewErrParamRequired("EcrRepositoryPrefix")) + } + if s.EcrRepositoryPrefix != nil && len(*s.EcrRepositoryPrefix) < 2 { + invalidParams.Add(request.NewErrParamMinLen("EcrRepositoryPrefix", 2)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetEcrRepositoryPrefix sets the EcrRepositoryPrefix field's value. +func (s *ValidatePullThroughCacheRuleInput) SetEcrRepositoryPrefix(v string) *ValidatePullThroughCacheRuleInput { + s.EcrRepositoryPrefix = &v + return s +} + +// SetRegistryId sets the RegistryId field's value. +func (s *ValidatePullThroughCacheRuleInput) SetRegistryId(v string) *ValidatePullThroughCacheRuleInput { + s.RegistryId = &v + return s +} + +type ValidatePullThroughCacheRuleOutput struct { + _ struct{} `type:"structure"` + + // The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager + // secret associated with the pull through cache rule. + CredentialArn *string `locationName:"credentialArn" min:"50" type:"string"` + + // The Amazon ECR repository prefix associated with the pull through cache rule. + EcrRepositoryPrefix *string `locationName:"ecrRepositoryPrefix" min:"2" type:"string"` + + // The reason the validation failed. For more details about possible causes + // and how to address them, see Using pull through cache rules (https://docs.aws.amazon.com/AmazonECR/latest/userguide/pull-through-cache.html) + // in the Amazon Elastic Container Registry User Guide. + Failure *string `locationName:"failure" type:"string"` + + // Whether or not the pull through cache rule was validated. If true, Amazon + // ECR was able to reach the upstream registry and authentication was successful. + // If false, there was an issue and validation failed. The failure reason indicates + // the cause. + IsValid *bool `locationName:"isValid" type:"boolean"` + + // The registry ID associated with the request. + RegistryId *string `locationName:"registryId" type:"string"` + + // The upstream registry URL associated with the pull through cache rule. + UpstreamRegistryUrl *string `locationName:"upstreamRegistryUrl" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ValidatePullThroughCacheRuleOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ValidatePullThroughCacheRuleOutput) GoString() string { + return s.String() +} + +// SetCredentialArn sets the CredentialArn field's value. +func (s *ValidatePullThroughCacheRuleOutput) SetCredentialArn(v string) *ValidatePullThroughCacheRuleOutput { + s.CredentialArn = &v + return s +} + +// SetEcrRepositoryPrefix sets the EcrRepositoryPrefix field's value. +func (s *ValidatePullThroughCacheRuleOutput) SetEcrRepositoryPrefix(v string) *ValidatePullThroughCacheRuleOutput { + s.EcrRepositoryPrefix = &v + return s +} + +// SetFailure sets the Failure field's value. +func (s *ValidatePullThroughCacheRuleOutput) SetFailure(v string) *ValidatePullThroughCacheRuleOutput { + s.Failure = &v + return s +} + +// SetIsValid sets the IsValid field's value. +func (s *ValidatePullThroughCacheRuleOutput) SetIsValid(v bool) *ValidatePullThroughCacheRuleOutput { + s.IsValid = &v + return s +} + +// SetRegistryId sets the RegistryId field's value. +func (s *ValidatePullThroughCacheRuleOutput) SetRegistryId(v string) *ValidatePullThroughCacheRuleOutput { + s.RegistryId = &v + return s +} + +// SetUpstreamRegistryUrl sets the UpstreamRegistryUrl field's value. +func (s *ValidatePullThroughCacheRuleOutput) SetUpstreamRegistryUrl(v string) *ValidatePullThroughCacheRuleOutput { + s.UpstreamRegistryUrl = &v + return s +} + // There was an exception validating this request. type ValidationException struct { _ struct{} `type:"structure"` @@ -14171,6 +15094,15 @@ const ( // ImageFailureCodeKmsError is a ImageFailureCode enum value ImageFailureCodeKmsError = "KmsError" + + // ImageFailureCodeUpstreamAccessDenied is a ImageFailureCode enum value + ImageFailureCodeUpstreamAccessDenied = "UpstreamAccessDenied" + + // ImageFailureCodeUpstreamTooManyRequests is a ImageFailureCode enum value + ImageFailureCodeUpstreamTooManyRequests = "UpstreamTooManyRequests" + + // ImageFailureCodeUpstreamUnavailable is a ImageFailureCode enum value + ImageFailureCodeUpstreamUnavailable = "UpstreamUnavailable" ) // ImageFailureCode_Values returns all elements of the ImageFailureCode enum @@ -14183,6 +15115,9 @@ func ImageFailureCode_Values() []string { ImageFailureCodeMissingDigestAndTag, ImageFailureCodeImageReferencedByManifestList, ImageFailureCodeKmsError, + ImageFailureCodeUpstreamAccessDenied, + ImageFailureCodeUpstreamTooManyRequests, + ImageFailureCodeUpstreamUnavailable, } } @@ -14409,3 +15344,35 @@ func TagStatus_Values() []string { TagStatusAny, } } + +const ( + // UpstreamRegistryEcrPublic is a UpstreamRegistry enum value + UpstreamRegistryEcrPublic = "ecr-public" + + // UpstreamRegistryQuay is a UpstreamRegistry enum value + UpstreamRegistryQuay = "quay" + + // UpstreamRegistryK8s is a UpstreamRegistry enum value + UpstreamRegistryK8s = "k8s" + + // UpstreamRegistryDockerHub is a UpstreamRegistry enum value + UpstreamRegistryDockerHub = "docker-hub" + + // UpstreamRegistryGithubContainerRegistry is a UpstreamRegistry enum value + UpstreamRegistryGithubContainerRegistry = "github-container-registry" + + // UpstreamRegistryAzureContainerRegistry is a UpstreamRegistry enum value + UpstreamRegistryAzureContainerRegistry = "azure-container-registry" +) + +// UpstreamRegistry_Values returns all elements of the UpstreamRegistry enum +func UpstreamRegistry_Values() []string { + return []string{ + UpstreamRegistryEcrPublic, + UpstreamRegistryQuay, + UpstreamRegistryK8s, + UpstreamRegistryDockerHub, + UpstreamRegistryGithubContainerRegistry, + UpstreamRegistryAzureContainerRegistry, + } +} diff --git a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ecr/errors.go b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ecr/errors.go index a8392ade8f..4e2bed930f 100644 --- a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ecr/errors.go +++ b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ecr/errors.go @@ -189,6 +189,13 @@ const ( // enabled on the repository and try again. ErrCodeScanNotFoundException = "ScanNotFoundException" + // ErrCodeSecretNotFoundException for service response error code + // "SecretNotFoundException". + // + // The ARN of the secret specified in the pull through cache rule was not found. + // Update the pull through cache rule with a valid secret ARN and try again. + ErrCodeSecretNotFoundException = "SecretNotFoundException" + // ErrCodeServerException for service response error code // "ServerException". // @@ -202,6 +209,35 @@ const ( // of tags that can be applied to a repository is 50. ErrCodeTooManyTagsException = "TooManyTagsException" + // ErrCodeUnableToAccessSecretException for service response error code + // "UnableToAccessSecretException". + // + // The secret is unable to be accessed. Verify the resource permissions for + // the secret and try again. + ErrCodeUnableToAccessSecretException = "UnableToAccessSecretException" + + // ErrCodeUnableToDecryptSecretValueException for service response error code + // "UnableToDecryptSecretValueException". + // + // The secret is accessible but is unable to be decrypted. Verify the resource + // permisisons and try again. + ErrCodeUnableToDecryptSecretValueException = "UnableToDecryptSecretValueException" + + // ErrCodeUnableToGetUpstreamImageException for service response error code + // "UnableToGetUpstreamImageException". + // + // The image or images were unable to be pulled using the pull through cache + // rule. This is usually caused because of an issue with the Secrets Manager + // secret containing the credentials for the upstream registry. + ErrCodeUnableToGetUpstreamImageException = "UnableToGetUpstreamImageException" + + // ErrCodeUnableToGetUpstreamLayerException for service response error code + // "UnableToGetUpstreamLayerException". + // + // There was an issue getting the upstream layer matching the pull through cache + // rule. + ErrCodeUnableToGetUpstreamLayerException = "UnableToGetUpstreamLayerException" + // ErrCodeUnsupportedImageTypeException for service response error code // "UnsupportedImageTypeException". // @@ -256,8 +292,13 @@ var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{ "RepositoryNotFoundException": newErrorRepositoryNotFoundException, "RepositoryPolicyNotFoundException": newErrorRepositoryPolicyNotFoundException, "ScanNotFoundException": newErrorScanNotFoundException, + "SecretNotFoundException": newErrorSecretNotFoundException, "ServerException": newErrorServerException, "TooManyTagsException": newErrorTooManyTagsException, + "UnableToAccessSecretException": newErrorUnableToAccessSecretException, + "UnableToDecryptSecretValueException": newErrorUnableToDecryptSecretValueException, + "UnableToGetUpstreamImageException": newErrorUnableToGetUpstreamImageException, + "UnableToGetUpstreamLayerException": newErrorUnableToGetUpstreamLayerException, "UnsupportedImageTypeException": newErrorUnsupportedImageTypeException, "UnsupportedUpstreamRegistryException": newErrorUnsupportedUpstreamRegistryException, "UploadNotFoundException": newErrorUploadNotFoundException, diff --git a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/api.go b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/api.go index c743913c57..04f6c811b6 100644 --- a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/api.go +++ b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/api.go @@ -56,9 +56,10 @@ func (c *SSOOIDC) CreateTokenRequest(input *CreateTokenInput) (req *request.Requ // CreateToken API operation for AWS SSO OIDC. // -// Creates and returns an access token for the authorized client. The access -// token issued will be used to fetch short-term credentials for the assigned -// roles in the AWS account. +// Creates and returns access and refresh tokens for clients that are authenticated +// using client secrets. The access token can be used to fetch short-term credentials +// for the assigned AWS accounts or to access application APIs using bearer +// authentication. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -133,6 +134,131 @@ func (c *SSOOIDC) CreateTokenWithContext(ctx aws.Context, input *CreateTokenInpu return out, req.Send() } +const opCreateTokenWithIAM = "CreateTokenWithIAM" + +// CreateTokenWithIAMRequest generates a "aws/request.Request" representing the +// client's request for the CreateTokenWithIAM operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateTokenWithIAM for more information on using the CreateTokenWithIAM +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the CreateTokenWithIAMRequest method. +// req, resp := client.CreateTokenWithIAMRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/CreateTokenWithIAM +func (c *SSOOIDC) CreateTokenWithIAMRequest(input *CreateTokenWithIAMInput) (req *request.Request, output *CreateTokenWithIAMOutput) { + op := &request.Operation{ + Name: opCreateTokenWithIAM, + HTTPMethod: "POST", + HTTPPath: "/token?aws_iam=t", + } + + if input == nil { + input = &CreateTokenWithIAMInput{} + } + + output = &CreateTokenWithIAMOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateTokenWithIAM API operation for AWS SSO OIDC. +// +// Creates and returns access and refresh tokens for clients and applications +// that are authenticated using IAM entities. The access token can be used to +// fetch short-term credentials for the assigned AWS accounts or to access application +// APIs using bearer authentication. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS SSO OIDC's +// API operation CreateTokenWithIAM for usage and error information. +// +// Returned Error Types: +// +// - InvalidRequestException +// Indicates that something is wrong with the input to the request. For example, +// a required parameter might be missing or out of range. +// +// - InvalidClientException +// Indicates that the clientId or clientSecret in the request is invalid. For +// example, this can occur when a client sends an incorrect clientId or an expired +// clientSecret. +// +// - InvalidGrantException +// Indicates that a request contains an invalid grant. This can occur if a client +// makes a CreateToken request with an invalid grant type. +// +// - UnauthorizedClientException +// Indicates that the client is not currently authorized to make the request. +// This can happen when a clientId is not issued for a public client. +// +// - UnsupportedGrantTypeException +// Indicates that the grant type in the request is not supported by the service. +// +// - InvalidScopeException +// Indicates that the scope provided in the request is invalid. +// +// - AuthorizationPendingException +// Indicates that a request to authorize a client with an access user session +// token is pending. +// +// - SlowDownException +// Indicates that the client is making the request too frequently and is more +// than the service can handle. +// +// - AccessDeniedException +// You do not have sufficient access to perform this action. +// +// - ExpiredTokenException +// Indicates that the token issued by the service is expired and is no longer +// valid. +// +// - InternalServerException +// Indicates that an error from the service occurred while trying to process +// a request. +// +// - InvalidRequestRegionException +// Indicates that a token provided as input to the request was issued by and +// is only usable by calling IAM Identity Center endpoints in another region. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/CreateTokenWithIAM +func (c *SSOOIDC) CreateTokenWithIAM(input *CreateTokenWithIAMInput) (*CreateTokenWithIAMOutput, error) { + req, out := c.CreateTokenWithIAMRequest(input) + return out, req.Send() +} + +// CreateTokenWithIAMWithContext is the same as CreateTokenWithIAM with the addition of +// the ability to pass a context and additional request options. +// +// See CreateTokenWithIAM for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *SSOOIDC) CreateTokenWithIAMWithContext(ctx aws.Context, input *CreateTokenWithIAMInput, opts ...request.Option) (*CreateTokenWithIAMOutput, error) { + req, out := c.CreateTokenWithIAMRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opRegisterClient = "RegisterClient" // RegisterClientRequest generates a "aws/request.Request" representing the @@ -331,8 +457,11 @@ type AccessDeniedException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be access_denied. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -400,8 +529,11 @@ type AuthorizationPendingException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be authorization_pending. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -466,8 +598,8 @@ func (s *AuthorizationPendingException) RequestID() string { type CreateTokenInput struct { _ struct{} `type:"structure"` - // The unique identifier string for each client. This value should come from - // the persisted result of the RegisterClient API. + // The unique identifier string for the client or application. This value comes + // from the result of the RegisterClient API. // // ClientId is a required field ClientId *string `locationName:"clientId" type:"string" required:"true"` @@ -475,23 +607,30 @@ type CreateTokenInput struct { // A secret string generated for the client. This value should come from the // persisted result of the RegisterClient API. // + // ClientSecret is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenInput's + // String and GoString methods. + // // ClientSecret is a required field - ClientSecret *string `locationName:"clientSecret" type:"string" required:"true"` + ClientSecret *string `locationName:"clientSecret" type:"string" required:"true" sensitive:"true"` - // The authorization code received from the authorization service. This parameter - // is required to perform an authorization grant request to get access to a - // token. + // Used only when calling this API for the Authorization Code grant type. The + // short-term code is used to identify this authorization request. This grant + // type is currently unsupported for the CreateToken API. Code *string `locationName:"code" type:"string"` - // Used only when calling this API for the device code grant type. This short-term - // code is used to identify this authentication attempt. This should come from - // an in-memory reference to the result of the StartDeviceAuthorization API. + // Used only when calling this API for the Device Code grant type. This short-term + // code is used to identify this authorization request. This comes from the + // result of the StartDeviceAuthorization API. DeviceCode *string `locationName:"deviceCode" type:"string"` - // Supports grant types for the authorization code, refresh token, and device - // code request. For device code requests, specify the following value: + // Supports the following OAuth grant types: Device Code and Refresh Token. + // Specify either of the following values, depending on the grant type that + // you want: + // + // * Device Code - urn:ietf:params:oauth:grant-type:device_code // - // urn:ietf:params:oauth:grant-type:device_code + // * Refresh Token - refresh_token // // For information about how to obtain the device code, see the StartDeviceAuthorization // topic. @@ -499,21 +638,28 @@ type CreateTokenInput struct { // GrantType is a required field GrantType *string `locationName:"grantType" type:"string" required:"true"` - // The location of the application that will receive the authorization code. - // Users authorize the service to send the request to this location. + // Used only when calling this API for the Authorization Code grant type. This + // value specifies the location of the client or application that has registered + // to receive the authorization code. RedirectUri *string `locationName:"redirectUri" type:"string"` - // Currently, refreshToken is not yet implemented and is not supported. For - // more information about the features and limitations of the current IAM Identity - // Center OIDC implementation, see Considerations for Using this Guide in the - // IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). + // Used only when calling this API for the Refresh Token grant type. This token + // is used to refresh short-term tokens, such as the access token, that might + // expire. // - // The token used to obtain an access token in the event that the access token - // is invalid or expired. - RefreshToken *string `locationName:"refreshToken" type:"string"` - - // The list of scopes that is defined by the client. Upon authorization, this - // list is used to restrict permissions when granting an access token. + // For more information about the features and limitations of the current IAM + // Identity Center OIDC implementation, see Considerations for Using this Guide + // in the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). + // + // RefreshToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenInput's + // String and GoString methods. + RefreshToken *string `locationName:"refreshToken" type:"string" sensitive:"true"` + + // The list of scopes for which authorization is requested. The access token + // that is issued is limited to the scopes that are granted. If this value is + // not specified, IAM Identity Center authorizes all scopes that are configured + // for the client during the call to RegisterClient. Scope []*string `locationName:"scope" type:"list"` } @@ -605,31 +751,43 @@ func (s *CreateTokenInput) SetScope(v []*string) *CreateTokenInput { type CreateTokenOutput struct { _ struct{} `type:"structure"` - // An opaque token to access IAM Identity Center resources assigned to a user. - AccessToken *string `locationName:"accessToken" type:"string"` + // A bearer token to access AWS accounts and applications assigned to a user. + // + // AccessToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenOutput's + // String and GoString methods. + AccessToken *string `locationName:"accessToken" type:"string" sensitive:"true"` // Indicates the time in seconds when an access token will expire. ExpiresIn *int64 `locationName:"expiresIn" type:"integer"` - // Currently, idToken is not yet implemented and is not supported. For more - // information about the features and limitations of the current IAM Identity - // Center OIDC implementation, see Considerations for Using this Guide in the - // IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). + // The idToken is not implemented or supported. For more information about the + // features and limitations of the current IAM Identity Center OIDC implementation, + // see Considerations for Using this Guide in the IAM Identity Center OIDC API + // Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). // - // The identifier of the user that associated with the access token, if present. - IdToken *string `locationName:"idToken" type:"string"` - - // Currently, refreshToken is not yet implemented and is not supported. For - // more information about the features and limitations of the current IAM Identity - // Center OIDC implementation, see Considerations for Using this Guide in the - // IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). + // A JSON Web Token (JWT) that identifies who is associated with the issued + // access token. // + // IdToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenOutput's + // String and GoString methods. + IdToken *string `locationName:"idToken" type:"string" sensitive:"true"` + // A token that, if present, can be used to refresh a previously issued access // token that might have expired. - RefreshToken *string `locationName:"refreshToken" type:"string"` + // + // For more information about the features and limitations of the current IAM + // Identity Center OIDC implementation, see Considerations for Using this Guide + // in the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). + // + // RefreshToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenOutput's + // String and GoString methods. + RefreshToken *string `locationName:"refreshToken" type:"string" sensitive:"true"` // Used to notify the client that the returned token is an access token. The - // supported type is BearerToken. + // supported token type is Bearer. TokenType *string `locationName:"tokenType" type:"string"` } @@ -681,14 +839,312 @@ func (s *CreateTokenOutput) SetTokenType(v string) *CreateTokenOutput { return s } +type CreateTokenWithIAMInput struct { + _ struct{} `type:"structure"` + + // Used only when calling this API for the JWT Bearer grant type. This value + // specifies the JSON Web Token (JWT) issued by a trusted token issuer. To authorize + // a trusted token issuer, configure the JWT Bearer GrantOptions for the application. + // + // Assertion is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenWithIAMInput's + // String and GoString methods. + Assertion *string `locationName:"assertion" type:"string" sensitive:"true"` + + // The unique identifier string for the client or application. This value is + // an application ARN that has OAuth grants configured. + // + // ClientId is a required field + ClientId *string `locationName:"clientId" type:"string" required:"true"` + + // Used only when calling this API for the Authorization Code grant type. This + // short-term code is used to identify this authorization request. The code + // is obtained through a redirect from IAM Identity Center to a redirect URI + // persisted in the Authorization Code GrantOptions for the application. + Code *string `locationName:"code" type:"string"` + + // Supports the following OAuth grant types: Authorization Code, Refresh Token, + // JWT Bearer, and Token Exchange. Specify one of the following values, depending + // on the grant type that you want: + // + // * Authorization Code - authorization_code + // + // * Refresh Token - refresh_token + // + // * JWT Bearer - urn:ietf:params:oauth:grant-type:jwt-bearer + // + // * Token Exchange - urn:ietf:params:oauth:grant-type:token-exchange + // + // GrantType is a required field + GrantType *string `locationName:"grantType" type:"string" required:"true"` + + // Used only when calling this API for the Authorization Code grant type. This + // value specifies the location of the client or application that has registered + // to receive the authorization code. + RedirectUri *string `locationName:"redirectUri" type:"string"` + + // Used only when calling this API for the Refresh Token grant type. This token + // is used to refresh short-term tokens, such as the access token, that might + // expire. + // + // For more information about the features and limitations of the current IAM + // Identity Center OIDC implementation, see Considerations for Using this Guide + // in the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). + // + // RefreshToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenWithIAMInput's + // String and GoString methods. + RefreshToken *string `locationName:"refreshToken" type:"string" sensitive:"true"` + + // Used only when calling this API for the Token Exchange grant type. This value + // specifies the type of token that the requester can receive. The following + // values are supported: + // + // * Access Token - urn:ietf:params:oauth:token-type:access_token + // + // * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token + RequestedTokenType *string `locationName:"requestedTokenType" type:"string"` + + // The list of scopes for which authorization is requested. The access token + // that is issued is limited to the scopes that are granted. If the value is + // not specified, IAM Identity Center authorizes all scopes configured for the + // application, including the following default scopes: openid, aws, sts:identity_context. + Scope []*string `locationName:"scope" type:"list"` + + // Used only when calling this API for the Token Exchange grant type. This value + // specifies the subject of the exchange. The value of the subject token must + // be an access token issued by IAM Identity Center to a different client or + // application. The access token must have authorized scopes that indicate the + // requested application as a target audience. + // + // SubjectToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenWithIAMInput's + // String and GoString methods. + SubjectToken *string `locationName:"subjectToken" type:"string" sensitive:"true"` + + // Used only when calling this API for the Token Exchange grant type. This value + // specifies the type of token that is passed as the subject of the exchange. + // The following value is supported: + // + // * Access Token - urn:ietf:params:oauth:token-type:access_token + SubjectTokenType *string `locationName:"subjectTokenType" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateTokenWithIAMInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateTokenWithIAMInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateTokenWithIAMInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateTokenWithIAMInput"} + if s.ClientId == nil { + invalidParams.Add(request.NewErrParamRequired("ClientId")) + } + if s.GrantType == nil { + invalidParams.Add(request.NewErrParamRequired("GrantType")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAssertion sets the Assertion field's value. +func (s *CreateTokenWithIAMInput) SetAssertion(v string) *CreateTokenWithIAMInput { + s.Assertion = &v + return s +} + +// SetClientId sets the ClientId field's value. +func (s *CreateTokenWithIAMInput) SetClientId(v string) *CreateTokenWithIAMInput { + s.ClientId = &v + return s +} + +// SetCode sets the Code field's value. +func (s *CreateTokenWithIAMInput) SetCode(v string) *CreateTokenWithIAMInput { + s.Code = &v + return s +} + +// SetGrantType sets the GrantType field's value. +func (s *CreateTokenWithIAMInput) SetGrantType(v string) *CreateTokenWithIAMInput { + s.GrantType = &v + return s +} + +// SetRedirectUri sets the RedirectUri field's value. +func (s *CreateTokenWithIAMInput) SetRedirectUri(v string) *CreateTokenWithIAMInput { + s.RedirectUri = &v + return s +} + +// SetRefreshToken sets the RefreshToken field's value. +func (s *CreateTokenWithIAMInput) SetRefreshToken(v string) *CreateTokenWithIAMInput { + s.RefreshToken = &v + return s +} + +// SetRequestedTokenType sets the RequestedTokenType field's value. +func (s *CreateTokenWithIAMInput) SetRequestedTokenType(v string) *CreateTokenWithIAMInput { + s.RequestedTokenType = &v + return s +} + +// SetScope sets the Scope field's value. +func (s *CreateTokenWithIAMInput) SetScope(v []*string) *CreateTokenWithIAMInput { + s.Scope = v + return s +} + +// SetSubjectToken sets the SubjectToken field's value. +func (s *CreateTokenWithIAMInput) SetSubjectToken(v string) *CreateTokenWithIAMInput { + s.SubjectToken = &v + return s +} + +// SetSubjectTokenType sets the SubjectTokenType field's value. +func (s *CreateTokenWithIAMInput) SetSubjectTokenType(v string) *CreateTokenWithIAMInput { + s.SubjectTokenType = &v + return s +} + +type CreateTokenWithIAMOutput struct { + _ struct{} `type:"structure"` + + // A bearer token to access AWS accounts and applications assigned to a user. + // + // AccessToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenWithIAMOutput's + // String and GoString methods. + AccessToken *string `locationName:"accessToken" type:"string" sensitive:"true"` + + // Indicates the time in seconds when an access token will expire. + ExpiresIn *int64 `locationName:"expiresIn" type:"integer"` + + // A JSON Web Token (JWT) that identifies the user associated with the issued + // access token. + // + // IdToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenWithIAMOutput's + // String and GoString methods. + IdToken *string `locationName:"idToken" type:"string" sensitive:"true"` + + // Indicates the type of tokens that are issued by IAM Identity Center. The + // following values are supported: + // + // * Access Token - urn:ietf:params:oauth:token-type:access_token + // + // * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token + IssuedTokenType *string `locationName:"issuedTokenType" type:"string"` + + // A token that, if present, can be used to refresh a previously issued access + // token that might have expired. + // + // For more information about the features and limitations of the current IAM + // Identity Center OIDC implementation, see Considerations for Using this Guide + // in the IAM Identity Center OIDC API Reference (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html). + // + // RefreshToken is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by CreateTokenWithIAMOutput's + // String and GoString methods. + RefreshToken *string `locationName:"refreshToken" type:"string" sensitive:"true"` + + // The list of scopes for which authorization is granted. The access token that + // is issued is limited to the scopes that are granted. + Scope []*string `locationName:"scope" type:"list"` + + // Used to notify the requester that the returned token is an access token. + // The supported token type is Bearer. + TokenType *string `locationName:"tokenType" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateTokenWithIAMOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateTokenWithIAMOutput) GoString() string { + return s.String() +} + +// SetAccessToken sets the AccessToken field's value. +func (s *CreateTokenWithIAMOutput) SetAccessToken(v string) *CreateTokenWithIAMOutput { + s.AccessToken = &v + return s +} + +// SetExpiresIn sets the ExpiresIn field's value. +func (s *CreateTokenWithIAMOutput) SetExpiresIn(v int64) *CreateTokenWithIAMOutput { + s.ExpiresIn = &v + return s +} + +// SetIdToken sets the IdToken field's value. +func (s *CreateTokenWithIAMOutput) SetIdToken(v string) *CreateTokenWithIAMOutput { + s.IdToken = &v + return s +} + +// SetIssuedTokenType sets the IssuedTokenType field's value. +func (s *CreateTokenWithIAMOutput) SetIssuedTokenType(v string) *CreateTokenWithIAMOutput { + s.IssuedTokenType = &v + return s +} + +// SetRefreshToken sets the RefreshToken field's value. +func (s *CreateTokenWithIAMOutput) SetRefreshToken(v string) *CreateTokenWithIAMOutput { + s.RefreshToken = &v + return s +} + +// SetScope sets the Scope field's value. +func (s *CreateTokenWithIAMOutput) SetScope(v []*string) *CreateTokenWithIAMOutput { + s.Scope = v + return s +} + +// SetTokenType sets the TokenType field's value. +func (s *CreateTokenWithIAMOutput) SetTokenType(v string) *CreateTokenWithIAMOutput { + s.TokenType = &v + return s +} + // Indicates that the token issued by the service is expired and is no longer // valid. type ExpiredTokenException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be expired_token. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -756,8 +1212,11 @@ type InternalServerException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be server_error. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -826,8 +1285,11 @@ type InvalidClientException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be invalid_client. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -895,8 +1357,11 @@ type InvalidClientMetadataException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be invalid_client_metadata. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -964,8 +1429,11 @@ type InvalidGrantException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be invalid_grant. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -1033,8 +1501,11 @@ type InvalidRequestException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be invalid_request. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -1096,13 +1567,95 @@ func (s *InvalidRequestException) RequestID() string { return s.RespMetadata.RequestID } +// Indicates that a token provided as input to the request was issued by and +// is only usable by calling IAM Identity Center endpoints in another region. +type InvalidRequestRegionException struct { + _ struct{} `type:"structure"` + RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + + // Indicates the IAM Identity Center endpoint which the requester may call with + // this token. + Endpoint *string `locationName:"endpoint" type:"string"` + + // Single error code. For this exception the value will be invalid_request. + Error_ *string `locationName:"error" type:"string"` + + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. + Error_description *string `locationName:"error_description" type:"string"` + + Message_ *string `locationName:"message" type:"string"` + + // Indicates the region which the requester may call with this token. + Region *string `locationName:"region" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s InvalidRequestRegionException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s InvalidRequestRegionException) GoString() string { + return s.String() +} + +func newErrorInvalidRequestRegionException(v protocol.ResponseMetadata) error { + return &InvalidRequestRegionException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *InvalidRequestRegionException) Code() string { + return "InvalidRequestRegionException" +} + +// Message returns the exception's message. +func (s *InvalidRequestRegionException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *InvalidRequestRegionException) OrigErr() error { + return nil +} + +func (s *InvalidRequestRegionException) Error() string { + return fmt.Sprintf("%s: %s\n%s", s.Code(), s.Message(), s.String()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *InvalidRequestRegionException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. +func (s *InvalidRequestRegionException) RequestID() string { + return s.RespMetadata.RequestID +} + // Indicates that the scope provided in the request is invalid. type InvalidScopeException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be invalid_scope. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -1238,7 +1791,7 @@ func (s *RegisterClientInput) SetScopes(v []*string) *RegisterClientInput { type RegisterClientOutput struct { _ struct{} `type:"structure"` - // The endpoint where the client can request authorization. + // An endpoint that the client can use to request authorization. AuthorizationEndpoint *string `locationName:"authorizationEndpoint" type:"string"` // The unique identifier string for each client. This client uses this identifier @@ -1250,12 +1803,16 @@ type RegisterClientOutput struct { // A secret string generated for the client. The client will use this string // to get authenticated by the service in subsequent calls. - ClientSecret *string `locationName:"clientSecret" type:"string"` + // + // ClientSecret is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by RegisterClientOutput's + // String and GoString methods. + ClientSecret *string `locationName:"clientSecret" type:"string" sensitive:"true"` // Indicates the time at which the clientId and clientSecret will become invalid. ClientSecretExpiresAt *int64 `locationName:"clientSecretExpiresAt" type:"long"` - // The endpoint where the client can get an access token. + // An endpoint that the client can use to create tokens. TokenEndpoint *string `locationName:"tokenEndpoint" type:"string"` } @@ -1319,8 +1876,11 @@ type SlowDownException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be slow_down. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -1395,11 +1955,15 @@ type StartDeviceAuthorizationInput struct { // A secret string that is generated for the client. This value should come // from the persisted result of the RegisterClient API operation. // + // ClientSecret is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by StartDeviceAuthorizationInput's + // String and GoString methods. + // // ClientSecret is a required field - ClientSecret *string `locationName:"clientSecret" type:"string" required:"true"` + ClientSecret *string `locationName:"clientSecret" type:"string" required:"true" sensitive:"true"` - // The URL for the AWS access portal. For more information, see Using the AWS - // access portal (https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html) + // The URL for the Amazon Web Services access portal. For more information, + // see Using the Amazon Web Services access portal (https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html) // in the IAM Identity Center User Guide. // // StartUrl is a required field @@ -1550,8 +2114,11 @@ type UnauthorizedClientException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be unauthorized_client. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` @@ -1618,8 +2185,11 @@ type UnsupportedGrantTypeException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` + // Single error code. For this exception the value will be unsupported_grant_type. Error_ *string `locationName:"error" type:"string"` + // Human-readable text providing additional information, used to assist the + // client developer in understanding the error that occurred. Error_description *string `locationName:"error_description" type:"string"` Message_ *string `locationName:"message" type:"string"` diff --git a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go index 8b5ee6019a..083568c616 100644 --- a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go +++ b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go @@ -3,15 +3,13 @@ // Package ssooidc provides the client and types for making API // requests to AWS SSO OIDC. // -// AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect -// (OIDC) is a web service that enables a client (such as AWS CLI or a native -// application) to register with IAM Identity Center. The service also enables -// the client to fetch the user’s access token upon successful authentication -// and authorization with IAM Identity Center. +// IAM Identity Center OpenID Connect (OIDC) is a web service that enables a +// client (such as CLI or a native application) to register with IAM Identity +// Center. The service also enables the client to fetch the user’s access +// token upon successful authentication and authorization with IAM Identity +// Center. // -// Although AWS Single Sign-On was renamed, the sso and identitystore API namespaces -// will continue to retain their original name for backward compatibility purposes. -// For more information, see IAM Identity Center rename (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed). +// IAM Identity Center uses the sso and identitystore API namespaces. // // # Considerations for Using This Guide // @@ -22,21 +20,24 @@ // - The IAM Identity Center OIDC service currently implements only the portions // of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628 // (https://tools.ietf.org/html/rfc8628)) that are necessary to enable single -// sign-on authentication with the AWS CLI. Support for other OIDC flows -// frequently needed for native applications, such as Authorization Code -// Flow (+ PKCE), will be addressed in future releases. +// sign-on authentication with the CLI. // -// - The service emits only OIDC access tokens, such that obtaining a new -// token (For example, token refresh) requires explicit user re-authentication. +// - With older versions of the CLI, the service only emits OIDC access tokens, +// so to obtain a new token, users must explicitly re-authenticate. To access +// the OIDC flow that supports token refresh and doesn’t require re-authentication, +// update to the latest CLI version (1.27.10 for CLI V1 and 2.9.0 for CLI +// V2) with support for OIDC token refresh and configurable IAM Identity +// Center session durations. For more information, see Configure Amazon Web +// Services access portal session duration (https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html). // -// - The access tokens provided by this service grant access to all AWS account -// entitlements assigned to an IAM Identity Center user, not just a particular -// application. +// - The access tokens provided by this service grant access to all Amazon +// Web Services account entitlements assigned to an IAM Identity Center user, +// not just a particular application. // // - The documentation in this guide does not describe the mechanism to convert -// the access token into AWS Auth (“sigv4”) credentials for use with -// IAM-protected AWS service endpoints. For more information, see GetRoleCredentials -// (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html) +// the access token into Amazon Web Services Auth (“sigv4”) credentials +// for use with IAM-protected Amazon Web Services service endpoints. For +// more information, see GetRoleCredentials (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html) // in the IAM Identity Center Portal API Reference Guide. // // For general information about IAM Identity Center, see What is IAM Identity diff --git a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/errors.go b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/errors.go index 6983770126..e6242e4928 100644 --- a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/errors.go +++ b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/errors.go @@ -64,6 +64,13 @@ const ( // a required parameter might be missing or out of range. ErrCodeInvalidRequestException = "InvalidRequestException" + // ErrCodeInvalidRequestRegionException for service response error code + // "InvalidRequestRegionException". + // + // Indicates that a token provided as input to the request was issued by and + // is only usable by calling IAM Identity Center endpoints in another region. + ErrCodeInvalidRequestRegionException = "InvalidRequestRegionException" + // ErrCodeInvalidScopeException for service response error code // "InvalidScopeException". // @@ -100,6 +107,7 @@ var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{ "InvalidClientMetadataException": newErrorInvalidClientMetadataException, "InvalidGrantException": newErrorInvalidGrantException, "InvalidRequestException": newErrorInvalidRequestException, + "InvalidRequestRegionException": newErrorInvalidRequestRegionException, "InvalidScopeException": newErrorInvalidScopeException, "SlowDownException": newErrorSlowDownException, "UnauthorizedClientException": newErrorUnauthorizedClientException, diff --git a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/service.go b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/service.go index 969f33c37b..782bae3692 100644 --- a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/service.go +++ b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/ssooidc/service.go @@ -51,7 +51,7 @@ const ( func New(p client.ConfigProvider, cfgs ...*aws.Config) *SSOOIDC { c := p.ClientConfig(EndpointsID, cfgs...) if c.SigningNameDerived || len(c.SigningName) == 0 { - c.SigningName = "awsssooidc" + c.SigningName = "sso-oauth" } return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName, c.ResolvedRegion) } diff --git a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/sts/api.go b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/sts/api.go index 11af63b4d8..9305b9010d 100644 --- a/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/sts/api.go +++ b/src/code.cloudfoundry.org/vendor/github.com/aws/aws-sdk-go/service/sts/api.go @@ -1460,7 +1460,15 @@ type AssumeRoleInput struct { // in the IAM User Guide. PolicyArns []*PolicyDescriptorType `type:"list"` - // Reserved for future use. + // A list of previously acquired trusted context assertions in the format of + // a JSON array. The trusted context assertion is signed and encrypted by Amazon + // Web Services STS. + // + // The following is an example of a ProvidedContext value that includes a single + // trusted context assertion and the ARN of the context provider from which + // the trusted context assertion was generated. + // + // [{"ProviderArn":"arn:aws:iam::aws:contextProvider/identitycenter","ContextAssertion":"trusted-context-assertion"}] ProvidedContexts []*ProvidedContext `type:"list"` // The Amazon Resource Name (ARN) of the role to assume. @@ -3405,14 +3413,18 @@ func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType { return s } -// Reserved for future use. +// Contains information about the provided context. This includes the signed +// and encrypted trusted context assertion and the context provider ARN from +// which the trusted context assertion was generated. type ProvidedContext struct { _ struct{} `type:"structure"` - // Reserved for future use. + // The signed and encrypted trusted context assertion generated by the context + // provider. The trusted context assertion is signed and encrypted by Amazon + // Web Services STS. ContextAssertion *string `min:"4" type:"string"` - // Reserved for future use. + // The context provider ARN from which the trusted context assertion was generated. ProviderArn *string `min:"20" type:"string"` } diff --git a/src/code.cloudfoundry.org/vendor/modules.txt b/src/code.cloudfoundry.org/vendor/modules.txt index e41f951d65..4a21031293 100644 --- a/src/code.cloudfoundry.org/vendor/modules.txt +++ b/src/code.cloudfoundry.org/vendor/modules.txt @@ -140,7 +140,7 @@ github.com/Microsoft/go-winio/pkg/guid # github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b ## explicit; go 1.15 github.com/ajstarks/svgo -# github.com/aws/aws-sdk-go v1.47.11 +# github.com/aws/aws-sdk-go v1.48.0 ## explicit; go 1.19 github.com/aws/aws-sdk-go/aws github.com/aws/aws-sdk-go/aws/auth/bearer