Removes the association of tags from an Amazon DynamoDB resource. You can call UntagResource up to five times per second, per account.
For an overview on tagging DynamoDB resources, see Tagging for DynamoDB in the Amazon DynamoDB Developer Guide.
", "UpdateContinuousBackups": " UpdateContinuousBackups enables or disables point in time recovery for the specified table. A successful UpdateContinuousBackups call returns the current ContinuousBackupsDescription. Continuous backups are ENABLED on all tables at table creation. If point in time recovery is enabled, PointInTimeRecoveryStatus will be set to ENABLED.
Once continuous backups and point in time recovery are enabled, you can restore to any point in time within EarliestRestorableDateTime and LatestRestorableDateTime.
LatestRestorableDateTime is typically 5 minutes before the current time. You can restore your table to any point in time during the last 35 days.
Updates the status for contributor insights for a specific table or index. CloudWatch Contributor Insights for DynamoDB graphs display the partition key and (if applicable) sort key of frequently accessed items and frequently throttled items in plaintext. If you require the use of Amazon Web Services Key Management Service (KMS) to encrypt this table’s partition key and sort key data with an Amazon Web Services managed key or customer managed key, you should not enable CloudWatch Contributor Insights for DynamoDB for this table.
", - "UpdateGlobalTable": "Adds or removes replicas in the specified global table. The global table must already exist to be able to use this operation. Any replica to be added must be empty, have the same name as the global table, have the same key schema, have DynamoDB Streams enabled, and have the same provisioned and maximum write capacity units.
This operation only applies to Version 2017.11.29 (Legacy) of global tables. We recommend using Version 2019.11.21 (Current) when creating new global tables, as it provides greater flexibility, higher efficiency and consumes less write capacity than 2017.11.29 (Legacy). To determine which version you are using, see Determining the version. To update existing global tables from version 2017.11.29 (Legacy) to version 2019.11.21 (Current), see Updating global tables.
This operation only applies to Version 2017.11.29 of global tables. If you are using global tables Version 2019.11.21 you can use DescribeTable instead.
Although you can use UpdateGlobalTable to add replicas and remove replicas in a single request, for simplicity we recommend that you issue separate requests for adding or removing replicas.
If global secondary indexes are specified, then the following conditions must also be met:
The global secondary indexes must have the same name.
The global secondary indexes must have the same hash key and sort key (if present).
The global secondary indexes must have the same provisioned and maximum write capacity units.
Adds or removes replicas in the specified global table. The global table must already exist to be able to use this operation. Any replica to be added must be empty, have the same name as the global table, have the same key schema, have DynamoDB Streams enabled, and have the same provisioned and maximum write capacity units.
This operation only applies to Version 2017.11.29 (Legacy) of global tables. We recommend using Version 2019.11.21 (Current) when creating new global tables, as it provides greater flexibility, higher efficiency and consumes less write capacity than 2017.11.29 (Legacy). To determine which version you are using, see Determining the version. To update existing global tables from version 2017.11.29 (Legacy) to version 2019.11.21 (Current), see Updating global tables.
This operation only applies to Version 2017.11.29 of global tables. If you are using global tables Version 2019.11.21 you can use UpdateTable instead.
Although you can use UpdateGlobalTable to add replicas and remove replicas in a single request, for simplicity we recommend that you issue separate requests for adding or removing replicas.
If global secondary indexes are specified, then the following conditions must also be met:
The global secondary indexes must have the same name.
The global secondary indexes must have the same hash key and sort key (if present).
The global secondary indexes must have the same provisioned and maximum write capacity units.
Updates settings for a global table.
This operation only applies to Version 2017.11.29 (Legacy) of global tables. We recommend using Version 2019.11.21 (Current) when creating new global tables, as it provides greater flexibility, higher efficiency and consumes less write capacity than 2017.11.29 (Legacy). To determine which version you are using, see Determining the version. To update existing global tables from version 2017.11.29 (Legacy) to version 2019.11.21 (Current), see Updating global tables.
Edits an existing item's attributes, or adds a new item to the table if it does not already exist. You can put, delete, or add attribute values. You can also perform a conditional update on an existing item (insert a new attribute name-value pair if it doesn't exist, or replace an existing name-value pair if it has certain expected attribute values).
You can also return the item's attribute values in the same UpdateItem operation using the ReturnValues parameter.
The command to update the Kinesis stream destination.
", @@ -85,7 +85,7 @@ } }, "AttributeDefinition": { - "base": "Represents an attribute for describing the key schema for the table and indexes.
", + "base": "Represents an attribute for describing the schema for the table and indexes.
", "refs": { "AttributeDefinitions$member": null } @@ -555,7 +555,7 @@ "DeleteItemInput$ConditionExpression": "A condition that must be satisfied in order for a conditional DeleteItem to succeed.
An expression can contain any of the following:
Functions: attribute_exists | attribute_not_exists | attribute_type | contains | begins_with | size
These function names are case-sensitive.
Comparison operators: = | <> | < | > | <= | >= | BETWEEN | IN
Logical operators: AND | OR | NOT
For more information about condition expressions, see Condition Expressions in the Amazon DynamoDB Developer Guide.
", "Put$ConditionExpression": "A condition that must be satisfied in order for a conditional update to succeed.
", "PutItemInput$ConditionExpression": "A condition that must be satisfied in order for a conditional PutItem operation to succeed.
An expression can contain any of the following:
Functions: attribute_exists | attribute_not_exists | attribute_type | contains | begins_with | size
These function names are case-sensitive.
Comparison operators: = | <> | < | > | <= | >= | BETWEEN | IN
Logical operators: AND | OR | NOT
For more information on condition expressions, see Condition Expressions in the Amazon DynamoDB Developer Guide.
", - "QueryInput$FilterExpression": "A string that contains conditions that DynamoDB applies after the Query operation, but before the data is returned to you. Items that do not satisfy the FilterExpression criteria are not returned.
A FilterExpression does not allow key attributes. You cannot define a filter expression based on a partition key or a sort key.
A FilterExpression is applied after the items have already been read; the process of filtering does not consume any additional read capacity units.
For more information, see Filter Expressions in the Amazon DynamoDB Developer Guide.
", + "QueryInput$FilterExpression": "A string that contains conditions that DynamoDB applies after the Query operation, but before the data is returned to you. Items that do not satisfy the FilterExpression criteria are not returned.
A FilterExpression does not allow key attributes. You cannot define a filter expression based on a partition key or a sort key.
A FilterExpression is applied after the items have already been read; the process of filtering does not consume any additional read capacity units.
For more information, see Filter Expressions in the Amazon DynamoDB Developer Guide.
", "ScanInput$FilterExpression": "A string that contains conditions that DynamoDB applies after the Scan operation, but before the data is returned to you. Items that do not satisfy the FilterExpression criteria are not returned.
A FilterExpression is applied after the items have already been read; the process of filtering does not consume any additional read capacity units.
For more information, see Filter Expressions in the Amazon DynamoDB Developer Guide.
", "Update$ConditionExpression": "A condition that must be satisfied in order for a conditional update to succeed.
", "UpdateItemInput$ConditionExpression": "A condition that must be satisfied in order for a conditional update to succeed.
An expression can contain any of the following:
Functions: attribute_exists | attribute_not_exists | attribute_type | contains | begins_with | size
These function names are case-sensitive.
Comparison operators: = | <> | < | > | <= | >= | BETWEEN | IN
Logical operators: AND | OR | NOT
For more information about condition expressions, see Specifying Conditions in the Amazon DynamoDB Developer Guide.
" @@ -2154,7 +2154,7 @@ "ProjectionType": { "base": null, "refs": { - "Projection$ProjectionType": "The set of attributes that are projected into the index:
KEYS_ONLY - Only the index and primary keys are projected into the index.
INCLUDE - In addition to the attributes described in KEYS_ONLY, the secondary index will include other non-key attributes that you specify.
ALL - All of the table attributes are projected into the index.
The set of attributes that are projected into the index:
KEYS_ONLY - Only the index and primary keys are projected into the index.
INCLUDE - In addition to the attributes described in KEYS_ONLY, the secondary index will include other non-key attributes that you specify.
ALL - All of the table attributes are projected into the index.
When using the DynamoDB console, ALL is selected by default.
The ID of the Amazon Web Services account that owns the bucket containing the export.
", - "ExportTableToPointInTimeInput$S3BucketOwner": "The ID of the Amazon Web Services account that owns the bucket the export will be stored in.
", + "ExportTableToPointInTimeInput$S3BucketOwner": "The ID of the Amazon Web Services account that owns the bucket the export will be stored in.
S3BucketOwner is a required parameter when exporting to a S3 bucket in another account.
The account number of the S3 bucket that is being imported from. If the bucket is owned by the requester this is optional.
" } }, diff --git a/models/apis/imagebuilder/2019-12-02/api-2.json b/models/apis/imagebuilder/2019-12-02/api-2.json index 067e38af38b..91eedee79e2 100644 --- a/models/apis/imagebuilder/2019-12-02/api-2.json +++ b/models/apis/imagebuilder/2019-12-02/api-2.json @@ -3340,7 +3340,9 @@ "action":{"shape":"LifecycleExecutionResourceAction"}, "region":{"shape":"NonEmptyString"}, "snapshots":{"shape":"LifecycleExecutionSnapshotResourceList"}, - "imageUris":{"shape":"StringList"} + "imageUris":{"shape":"StringList"}, + "startTime":{"shape":"DateTimeTimestamp"}, + "endTime":{"shape":"DateTimeTimestamp"} } }, "LifecycleExecutionResourceAction":{ @@ -3410,7 +3412,8 @@ "CANCELLED", "CANCELLING", "FAILED", - "SUCCESS" + "SUCCESS", + "PENDING" ] }, "LifecycleExecutionsList":{ diff --git a/models/apis/imagebuilder/2019-12-02/docs-2.json b/models/apis/imagebuilder/2019-12-02/docs-2.json index ceef77ece86..7d69e25ea9d 100644 --- a/models/apis/imagebuilder/2019-12-02/docs-2.json +++ b/models/apis/imagebuilder/2019-12-02/docs-2.json @@ -635,6 +635,8 @@ "ImageSummary$deprecationTime": "The time when deprecation occurs for an image resource. This can be a past or future date.
", "LifecycleExecution$startTime": "The timestamp when the lifecycle runtime instance started.
", "LifecycleExecution$endTime": "The timestamp when the lifecycle runtime instance completed.
", + "LifecycleExecutionResource$startTime": "The starting timestamp from the lifecycle action that was applied to the resource.
", + "LifecycleExecutionResource$endTime": "The ending timestamp from the lifecycle action that was applied to the resource.
", "LifecyclePolicy$dateCreated": "The timestamp when Image Builder created the lifecycle policy resource.
", "LifecyclePolicy$dateUpdated": "The timestamp when Image Builder updated the lifecycle policy resource.
", "LifecyclePolicy$dateLastRun": "The timestamp for the last time Image Builder ran the lifecycle policy.
", @@ -2879,9 +2881,9 @@ "InfrastructureConfiguration$tags": "The tags of the infrastructure configuration.
", "InfrastructureConfigurationSummary$tags": "The tags of the infrastructure configuration.
", "LifecyclePolicy$tags": "To help manage your lifecycle policy resources, you can assign your own metadata to each resource in the form of tags. Each tag consists of a key and an optional value, both of which you define.
", - "LifecyclePolicyDetailExclusionRules$tagMap": "Contains a list of tags that Image Builder uses to skip lifecycle actions for resources that have them.
", + "LifecyclePolicyDetailExclusionRules$tagMap": "Contains a list of tags that Image Builder uses to skip lifecycle actions for Image Builder image resources that have them.
", "LifecyclePolicyDetailExclusionRulesAmis$tagMap": "Lists tags that should be excluded from lifecycle actions for the AMIs that have them.
", - "LifecyclePolicyResourceSelection$tagMap": "A list of tags that are used as selection criteria for the resources that the lifecycle policy applies to.
", + "LifecyclePolicyResourceSelection$tagMap": "A list of tags that are used as selection criteria for the Image Builder image resources that the lifecycle policy applies to.
", "LifecyclePolicySummary$tags": "To help manage your lifecycle policy resources, you can assign your own metadata to each resource in the form of tags. Each tag consists of a key and an optional value, both of which you define.
", "ListTagsForResourceResponse$tags": "The tags for the specified resource.
", "TagResourceRequest$tags": "The tags to apply to the resource.
", diff --git a/models/apis/mwaa/2020-07-01/docs-2.json b/models/apis/mwaa/2020-07-01/docs-2.json index 9fb10486c1f..292fe12dcf0 100644 --- a/models/apis/mwaa/2020-07-01/docs-2.json +++ b/models/apis/mwaa/2020-07-01/docs-2.json @@ -37,7 +37,7 @@ "AirflowVersion": { "base": null, "refs": { - "CreateEnvironmentInput$AirflowVersion": "The Apache Airflow version for your environment. If no value is specified, it defaults to the latest version. For more information, see Apache Airflow versions on Amazon Managed Workflows for Apache Airflow (MWAA).
Valid values: 1.10.12, 2.0.2, 2.2.2, 2.4.3, 2.5.1, 2.6.3, 2.7.2
The Apache Airflow version for your environment. If no value is specified, it defaults to the latest version. For more information, see Apache Airflow versions on Amazon Managed Workflows for Apache Airflow (MWAA).
Valid values: 1.10.12, 2.0.2, 2.2.2, 2.4.3, 2.5.1, 2.6.3, 2.7.2 2.8.1
The Apache Airflow version on your environment.
Valid values: 1.10.12, 2.0.2, 2.2.2, 2.4.3, 2.5.1, 2.6.3, 2.7.2.
The Apache Airflow version for your environment. To upgrade your environment, specify a newer version of Apache Airflow supported by Amazon MWAA.
Before you upgrade an environment, make sure your requirements, DAGs, plugins, and other resources used in your workflows are compatible with the new Apache Airflow version. For more information about updating your resources, see Upgrading an Amazon MWAA environment.
Valid values: 1.10.12, 2.0.2, 2.2.2, 2.4.3, 2.5.1, 2.6.3, 2.7.2.
Returns the details of the DB instance’s server certificate.
For more information, see Using SSL/TLS to encrypt a connection to a DB instance in the Amazon RDS User Guide and Using SSL/TLS to encrypt a connection to a DB cluster in the Amazon Aurora User Guide.
", "refs": { + "ClusterPendingModifiedValues$CertificateDetails": null, + "DBCluster$CertificateDetails": null, "DBInstance$CertificateDetails": "The details of the DB instance's server certificate.
" } }, @@ -2987,7 +2989,7 @@ "CreateDBClusterMessage$Iops": "The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for each DB instance in the Multi-AZ DB cluster.
For information about valid IOPS values, see Provisioned IOPS storage in the Amazon RDS User Guide.
This setting is required to create a Multi-AZ DB cluster.
Valid for Cluster Type: Multi-AZ DB clusters only
Constraints:
Must be a multiple between .5 and 50 of the storage amount for the DB cluster.
The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB cluster. To turn off collecting Enhanced Monitoring metrics, specify 0.
If MonitoringRoleArn is specified, also set MonitoringInterval to a value other than 0.
Valid for Cluster Type: Multi-AZ DB clusters only
Valid Values: 0 | 1 | 5 | 10 | 15 | 30 | 60
Default: 0
The number of days to retain Performance Insights data.
Valid for Cluster Type: Multi-AZ DB clusters only
Valid Values:
7
month * 31, where month is a number of months from 1-23. Examples: 93 (3 months * 31), 341 (11 months * 31), 589 (19 months * 31)
731
Default: 7 days
If you specify a retention period that isn't valid, such as 94, Amazon RDS issues an error.
The amount of storage in gibibytes (GiB) to allocate for the DB instance.
This setting doesn't apply to Amazon Aurora DB instances. Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3): Must be an integer from 40 to 65536 for RDS Custom for Oracle, 16384 for RDS Custom for SQL Server.
Provisioned IOPS storage (io1): Must be an integer from 40 to 65536 for RDS Custom for Oracle, 16384 for RDS Custom for SQL Server.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp3): Must be an integer from 20 to 64000.
Provisioned IOPS storage (io1): Must be an integer from 100 to 64000.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 to 65536.
Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.
Magnetic storage (standard): Must be an integer from 5 to 3072.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 to 65536.
Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.
Magnetic storage (standard): Must be an integer from 5 to 3072.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 to 65536.
Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.
Magnetic storage (standard): Must be an integer from 10 to 3072.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 to 65536.
Provisioned IOPS storage (io1): Must be an integer from 100 to 65536.
Magnetic storage (standard): Must be an integer from 5 to 3072.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3):
Enterprise and Standard editions: Must be an integer from 20 to 16384.
Web and Express editions: Must be an integer from 20 to 16384.
Provisioned IOPS storage (io1):
Enterprise and Standard editions: Must be an integer from 100 to 16384.
Web and Express editions: Must be an integer from 100 to 16384.
Magnetic storage (standard):
Enterprise and Standard editions: Must be an integer from 20 to 1024.
Web and Express editions: Must be an integer from 20 to 1024.
The amount of storage in gibibytes (GiB) to allocate for the DB instance.
This setting doesn't apply to Amazon Aurora DB instances. Aurora cluster volumes automatically grow as the amount of data in your database increases, though you are only charged for the space that you use in an Aurora cluster volume.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3): Must be an integer from 40 to 65536 for RDS Custom for Oracle, 16384 for RDS Custom for SQL Server.
Provisioned IOPS storage (io1, io2): Must be an integer from 40 to 65536 for RDS Custom for Oracle, 16384 for RDS Custom for SQL Server.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp3): Must be an integer from 20 to 65536.
Provisioned IOPS storage (io1, io2): Must be an integer from 100 to 65536.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 to 65536.
Provisioned IOPS storage (io1, io2): Must be an integer from 100 to 65536.
Magnetic storage (standard): Must be an integer from 5 to 3072.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 to 65536.
Provisioned IOPS storage (io1, io2): Must be an integer from 100 to 65536.
Magnetic storage (standard): Must be an integer from 5 to 3072.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 to 65536.
Provisioned IOPS storage (io1, io2): Must be an integer from 100 to 65536.
Magnetic storage (standard): Must be an integer from 10 to 3072.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 to 65536.
Provisioned IOPS storage (io1, io2): Must be an integer from 100 to 65536.
Magnetic storage (standard): Must be an integer from 5 to 3072.
Constraints to the amount of storage for each storage type are the following:
General Purpose (SSD) storage (gp2, gp3):
Enterprise and Standard editions: Must be an integer from 20 to 16384.
Web and Express editions: Must be an integer from 20 to 16384.
Provisioned IOPS storage (io1, io2):
Enterprise and Standard editions: Must be an integer from 100 to 16384.
Web and Express editions: Must be an integer from 100 to 16384.
Magnetic storage (standard):
Enterprise and Standard editions: Must be an integer from 20 to 1024.
Web and Express editions: Must be an integer from 20 to 1024.
The number of days for which automated backups are retained. Setting this parameter to a positive number enables backups. Setting this parameter to 0 disables automated backups.
This setting doesn't apply to Amazon Aurora DB instances. The retention period for automated backups is managed by the DB cluster.
Default: 1
Constraints:
Must be a value from 0 to 35.
Can't be set to 0 if the DB instance is a source to read replicas.
Can't be set to 0 for an RDS Custom for Oracle DB instance.
The port number on which the database accepts connections.
This setting doesn't apply to Aurora DB instances. The port number is managed by the cluster.
Valid Values: 1150-65535
Default:
RDS for Db2 - 50000
RDS for MariaDB - 3306
RDS for Microsoft SQL Server - 1433
RDS for MySQL - 3306
RDS for Oracle - 1521
RDS for PostgreSQL - 5432
Constraints:
For RDS for Microsoft SQL Server, the value can't be 1234, 1434, 3260, 3343, 3389, 47001, or 49152-49156.
The amount of Provisioned IOPS (input/output operations per second) to initially allocate for the DB instance. For information about valid IOPS values, see Amazon RDS DB instance storage in the Amazon RDS User Guide.
This setting doesn't apply to Amazon Aurora DB instances. Storage is managed by the DB cluster.
Constraints:
For RDS for Db2, MariaDB, MySQL, Oracle, and PostgreSQL - Must be a multiple between .5 and 50 of the storage amount for the DB instance.
For RDS for SQL Server - Must be a multiple between 1 and 50 of the storage amount for the DB instance.
The network type of the DB cluster.
The network type is determined by the DBSubnetGroup specified for the DB cluster. A DBSubnetGroup can support only the IPv4 protocol or the IPv4 and the IPv6 protocols (DUAL).
For more information, see Working with a DB instance in a VPC in the Amazon Aurora User Guide.
Valid for Cluster Type: Aurora DB clusters only
Valid Values: IPV4 | DUAL
Reserved for future use.
", "CreateDBClusterMessage$MasterUserSecretKmsKeyId": "The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager.
This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets Manager for the DB cluster.
The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.
If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer managed KMS key.
There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.
Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters
", + "CreateDBClusterMessage$CACertificateIdentifier": "The CA certificate identifier to use for the DB cluster's server certificate.
Valid for Cluster Type: Multi-AZ DB clusters
", "CreateDBClusterParameterGroupMessage$DBClusterParameterGroupName": "The name of the DB cluster parameter group.
Constraints:
Must not match the name of an existing DB cluster parameter group.
This value is stored as a lowercase string.
The DB cluster parameter group family name. A DB cluster parameter group can be associated with one and only one DB cluster parameter group family, and can be applied only to a DB cluster running a database engine and engine version compatible with that DB cluster parameter group family.
Aurora MySQL
Example: aurora-mysql5.7, aurora-mysql8.0
Aurora PostgreSQL
Example: aurora-postgresql14
RDS for MySQL
Example: mysql8.0
RDS for PostgreSQL
Example: postgres13
To list all of the available parameter group families for a DB engine, use the following command:
aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine <engine>
For example, to list all of the available parameter group families for the Aurora PostgreSQL DB engine, use the following command:
aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine aurora-postgresql
The output contains duplicates.
The following are the valid DB engine values:
aurora-mysql
aurora-postgresql
mysql
postgres
The description for the DB cluster parameter group.
", @@ -4697,7 +4700,7 @@ "CreateDBInstanceMessage$CharacterSetName": "For supported engines, the character set (CharacterSet) to associate the DB instance with.
This setting doesn't apply to the following DB instances:
Amazon Aurora - The character set is managed by the DB cluster. For more information, see CreateDBCluster.
RDS Custom - However, if you need to change the character set, you can change it on the database itself.
The name of the NCHAR character set for the Oracle DB instance.
This setting doesn't apply to RDS Custom DB instances.
", "CreateDBInstanceMessage$DBClusterIdentifier": "The identifier of the DB cluster that this DB instance will belong to.
This setting doesn't apply to RDS Custom DB instances.
", - "CreateDBInstanceMessage$StorageType": "The storage type to associate with the DB instance.
If you specify io1 or gp3, you must also include a value for the Iops parameter.
This setting doesn't apply to Amazon Aurora DB instances. Storage is managed by the DB cluster.
Valid Values: gp2 | gp3 | io1 | standard
Default: io1, if the Iops parameter is specified. Otherwise, gp2.
The storage type to associate with the DB instance.
If you specify io1, io2, or gp3, you must also include a value for the Iops parameter.
This setting doesn't apply to Amazon Aurora DB instances. Storage is managed by the DB cluster.
Valid Values: gp2 | gp3 | io1 | io2 | standard
Default: io1, if the Iops parameter is specified. Otherwise, gp2.
The ARN from the key store with which to associate the instance for TDE encryption.
This setting doesn't apply to Amazon Aurora or RDS Custom DB instances.
", "CreateDBInstanceMessage$TdeCredentialPassword": "The password for the given ARN from the key store in order to access the device.
This setting doesn't apply to RDS Custom DB instances.
", "CreateDBInstanceMessage$KmsKeyId": "The Amazon Web Services KMS key identifier for an encrypted DB instance.
The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.
This setting doesn't apply to Amazon Aurora DB instances. The Amazon Web Services KMS key identifier is managed by the DB cluster. For more information, see CreateDBCluster.
If StorageEncrypted is enabled, and you do not specify a value for the KmsKeyId parameter, then Amazon RDS uses your default KMS key. There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.
For Amazon RDS Custom, a KMS key is required for DB instances. For most RDS engines, if you leave this parameter empty while enabling StorageEncrypted, the engine uses the default KMS key. However, RDS Custom doesn't use the default key when this parameter is empty. You must explicitly specify a key.
The option group to associate the DB instance with. If not specified, RDS uses the option group associated with the source DB instance or cluster.
For SQL Server, you must use the option group associated with the source.
This setting doesn't apply to RDS Custom DB instances.
", "CreateDBInstanceReadReplicaMessage$DBParameterGroupName": "The name of the DB parameter group to associate with this DB instance.
If you don't specify a value for DBParameterGroupName, then Amazon RDS uses the DBParameterGroup of the source DB instance for a same Region read replica, or the default DBParameterGroup for the specified DB engine for a cross-Region read replica.
Specifying a parameter group for this operation is only supported for MySQL DB instances for cross-Region read replicas and for Oracle DB instances. It isn't supported for MySQL DB instances for same Region read replicas or for RDS Custom.
Constraints:
Must be 1 to 255 letters, numbers, or hyphens.
First character must be a letter.
Can't end with a hyphen or contain two consecutive hyphens.
A DB subnet group for the DB instance. The new DB instance is created in the VPC associated with the DB subnet group. If no DB subnet group is specified, then the new DB instance isn't created in a VPC.
Constraints:
If supplied, must match the name of an existing DB subnet group.
The specified DB subnet group must be in the same Amazon Web Services Region in which the operation is running.
All read replicas in one Amazon Web Services Region that are created from the same source DB instance must either:
Specify DB subnet groups from the same VPC. All these read replicas are created in the same VPC.
Not specify a DB subnet group. All these read replicas are created outside of any VPC.
Example: mydbsubnetgroup
The storage type to associate with the read replica.
If you specify io1 or gp3, you must also include a value for the Iops parameter.
Valid Values: gp2 | gp3 | io1 | standard
Default: io1 if the Iops parameter is specified. Otherwise, gp2.
The storage type to associate with the read replica.
If you specify io1, io2, or gp3, you must also include a value for the Iops parameter.
Valid Values: gp2 | gp3 | io1 | io2 | standard
Default: io1 if the Iops parameter is specified. Otherwise, gp2.
The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs. For example, arn:aws:iam:123456789012:role/emaccess. For information on creating a monitoring role, go to To create an IAM role for Amazon RDS Enhanced Monitoring in the Amazon RDS User Guide.
If MonitoringInterval is set to a value other than 0, then you must supply a MonitoringRoleArn value.
This setting doesn't apply to RDS Custom DB instances.
", "CreateDBInstanceReadReplicaMessage$KmsKeyId": "The Amazon Web Services KMS key identifier for an encrypted read replica.
The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
If you create an encrypted read replica in the same Amazon Web Services Region as the source DB instance or Multi-AZ DB cluster, don't specify a value for this parameter. A read replica in the same Amazon Web Services Region is always encrypted with the same KMS key as the source DB instance or cluster.
If you create an encrypted read replica in a different Amazon Web Services Region, then you must specify a KMS key identifier for the destination Amazon Web Services Region. KMS keys are specific to the Amazon Web Services Region that they are created in, and you can't use KMS keys from one Amazon Web Services Region in another Amazon Web Services Region.
You can't create an encrypted read replica from an unencrypted DB instance or Multi-AZ DB cluster.
This setting doesn't apply to RDS Custom, which uses the same KMS key as the primary replica.
", "CreateDBInstanceReadReplicaMessage$PreSignedUrl": "When you are creating a read replica from one Amazon Web Services GovCloud (US) Region to another or from one China Amazon Web Services Region to another, the URL that contains a Signature Version 4 signed request for the CreateDBInstanceReadReplica API operation in the source Amazon Web Services Region that contains the source DB instance.
This setting applies only to Amazon Web Services GovCloud (US) Regions and China Amazon Web Services Regions. It's ignored in other Amazon Web Services Regions.
This setting applies only when replicating from a source DB instance. Source DB clusters aren't supported in Amazon Web Services GovCloud (US) Regions and China Amazon Web Services Regions.
You must specify this parameter when you create an encrypted read replica from another Amazon Web Services Region by using the Amazon RDS API. Don't specify PreSignedUrl when you are creating an encrypted read replica in the same Amazon Web Services Region.
The presigned URL must be a valid request for the CreateDBInstanceReadReplica API operation that can run in the source Amazon Web Services Region that contains the encrypted source DB instance. The presigned URL request must contain the following parameter values:
DestinationRegion - The Amazon Web Services Region that the encrypted read replica is created in. This Amazon Web Services Region is the same one where the CreateDBInstanceReadReplica operation is called that contains this presigned URL.
For example, if you create an encrypted DB instance in the us-west-1 Amazon Web Services Region, from a source DB instance in the us-east-2 Amazon Web Services Region, then you call the CreateDBInstanceReadReplica operation in the us-east-1 Amazon Web Services Region and provide a presigned URL that contains a call to the CreateDBInstanceReadReplica operation in the us-west-2 Amazon Web Services Region. For this example, the DestinationRegion in the presigned URL must be set to the us-east-1 Amazon Web Services Region.
KmsKeyId - The KMS key identifier for the key to use to encrypt the read replica in the destination Amazon Web Services Region. This is the same identifier for both the CreateDBInstanceReadReplica operation that is called in the destination Amazon Web Services Region, and the operation contained in the presigned URL.
SourceDBInstanceIdentifier - The DB instance identifier for the encrypted DB instance to be replicated. This identifier must be in the Amazon Resource Name (ARN) format for the source Amazon Web Services Region. For example, if you are creating an encrypted read replica from a DB instance in the us-west-2 Amazon Web Services Region, then your SourceDBInstanceIdentifier looks like the following example: arn:aws:rds:us-west-2:123456789012:instance:mysql-instance1-20161115.
To learn how to generate a Signature Version 4 signed request, see Authenticating Requests: Using Query Parameters (Amazon Web Services Signature Version 4) and Signature Version 4 Signing Process.
If you are using an Amazon Web Services SDK tool or the CLI, you can specify SourceRegion (or --source-region for the CLI) instead of specifying PreSignedUrl manually. Specifying SourceRegion autogenerates a presigned URL that is a valid request for the operation that can run in the source Amazon Web Services Region.
SourceRegion isn't supported for SQL Server, because Amazon RDS for SQL Server doesn't support cross-Region read replicas.
This setting doesn't apply to RDS Custom DB instances.
", @@ -5301,6 +5304,7 @@ "ModifyDBClusterMessage$NetworkType": "The network type of the DB cluster.
The network type is determined by the DBSubnetGroup specified for the DB cluster. A DBSubnetGroup can support only the IPv4 protocol or the IPv4 and the IPv6 protocols (DUAL).
For more information, see Working with a DB instance in a VPC in the Amazon Aurora User Guide.
Valid for Cluster Type: Aurora DB clusters only
Valid Values: IPV4 | DUAL
The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager.
This setting is valid only if both of the following conditions are met:
The DB cluster doesn't manage the master user password in Amazon Web Services Secrets Manager.
If the DB cluster already manages the master user password in Amazon Web Services Secrets Manager, you can't change the KMS key that is used to encrypt the secret.
You are turning on ManageMasterUserPassword to manage the master user password in Amazon Web Services Secrets Manager.
If you are turning on ManageMasterUserPassword and don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer managed KMS key.
The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.
There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.
Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters
", "ModifyDBClusterMessage$EngineMode": "The DB engine mode of the DB cluster, either provisioned or serverless.
The DB engine mode can be modified only from serverless to provisioned.
For more information, see CreateDBCluster.
Valid for Cluster Type: Aurora DB clusters only
", + "ModifyDBClusterMessage$CACertificateIdentifier": "The CA certificate identifier to use for the DB cluster's server certificate.
Valid for Cluster Type: Multi-AZ DB clusters
", "ModifyDBClusterParameterGroupMessage$DBClusterParameterGroupName": "The name of the DB cluster parameter group to modify.
", "ModifyDBClusterSnapshotAttributeMessage$DBClusterSnapshotIdentifier": "The identifier for the DB cluster snapshot to modify the attributes for.
", "ModifyDBClusterSnapshotAttributeMessage$AttributeName": "The name of the DB cluster snapshot attribute to modify.
To manage authorization for other Amazon Web Services accounts to copy or restore a manual DB cluster snapshot, set this value to restore.
To view the list of attributes available to modify, use the DescribeDBClusterSnapshotAttributes API operation.
The license model for the DB instance.
This setting doesn't apply to Amazon Aurora or RDS Custom DB instances.
Valid Values:
RDS for Db2 - bring-your-own-license
RDS for MariaDB - general-public-license
RDS for Microsoft SQL Server - license-included
RDS for MySQL - general-public-license
RDS for Oracle - bring-your-own-license | license-included
RDS for PostgreSQL - postgresql-license
The option group to associate the DB instance with.
Changing this parameter doesn't result in an outage, with one exception. If the parameter change results in an option group that enables OEM, it can cause a brief period, lasting less than a second, during which new connections are rejected but existing connections aren't interrupted.
The change is applied during the next maintenance window unless the ApplyImmediately parameter is enabled for this request.
Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group, and that option group can't be removed from a DB instance after it is associated with a DB instance.
This setting doesn't apply to RDS Custom DB instances.
", "ModifyDBInstanceMessage$NewDBInstanceIdentifier": "The new identifier for the DB instance when renaming a DB instance. When you change the DB instance identifier, an instance reboot occurs immediately if you enable ApplyImmediately, or will occur during the next maintenance window if you disable ApplyImmediately. This value is stored as a lowercase string.
This setting doesn't apply to RDS Custom DB instances.
Constraints:
Must contain from 1 to 63 letters, numbers, or hyphens.
The first character must be a letter.
Can't end with a hyphen or contain two consecutive hyphens.
Example: mydbinstance
The storage type to associate with the DB instance.
If you specify Provisioned IOPS (io1), you must also include a value for the Iops parameter.
If you choose to migrate your DB instance from using standard storage to using Provisioned IOPS, or from using Provisioned IOPS to using standard storage, the process can take time. The duration of the migration depends on several factors such as database load, storage size, storage type (standard or Provisioned IOPS), amount of IOPS provisioned (if any), and the number of prior scale storage operations. Typical migration times are under 24 hours, but the process can take up to several days in some cases. During the migration, the DB instance is available for use, but might experience performance degradation. While the migration takes place, nightly backups for the instance are suspended. No other Amazon RDS operations can take place for the instance, including modifying the instance, rebooting the instance, deleting the instance, creating a read replica for the instance, and creating a DB snapshot of the instance.
Valid Values: gp2 | gp3 | io1 | standard
Default: io1, if the Iops parameter is specified. Otherwise, gp2.
The storage type to associate with the DB instance.
If you specify io1), io2, or gp3 you must also include a value for the Iops parameter.
If you choose to migrate your DB instance from using standard storage to using Provisioned IOPS, or from using Provisioned IOPS to using standard storage, the process can take time. The duration of the migration depends on several factors such as database load, storage size, storage type (standard or Provisioned IOPS), amount of IOPS provisioned (if any), and the number of prior scale storage operations. Typical migration times are under 24 hours, but the process can take up to several days in some cases. During the migration, the DB instance is available for use, but might experience performance degradation. While the migration takes place, nightly backups for the instance are suspended. No other Amazon RDS operations can take place for the instance, including modifying the instance, rebooting the instance, deleting the instance, creating a read replica for the instance, and creating a DB snapshot of the instance.
Valid Values: gp2 | gp3 | io1 | io2 | standard
Default: io1, if the Iops parameter is specified. Otherwise, gp2.
The ARN from the key store with which to associate the instance for TDE encryption.
This setting doesn't apply to RDS Custom DB instances.
", "ModifyDBInstanceMessage$TdeCredentialPassword": "The password for the given ARN from the key store in order to access the device.
This setting doesn't apply to RDS Custom DB instances.
", "ModifyDBInstanceMessage$CACertificateIdentifier": "The CA certificate identifier to use for the DB instance's server certificate.
This setting doesn't apply to RDS Custom DB instances.
For more information, see Using SSL/TLS to encrypt a connection to a DB instance in the Amazon RDS User Guide and Using SSL/TLS to encrypt a connection to a DB cluster in the Amazon Aurora User Guide.
", @@ -5544,7 +5548,7 @@ "RestoreDBInstanceFromDBSnapshotMessage$DBName": "The name of the database for the restored DB instance.
This parameter only applies to RDS for Oracle and RDS for SQL Server DB instances. It doesn't apply to the other engines or to RDS Custom DB instances.
", "RestoreDBInstanceFromDBSnapshotMessage$Engine": "The database engine to use for the new instance.
This setting doesn't apply to RDS Custom.
Default: The same as source
Constraint: Must be compatible with the engine of the source. For example, you can restore a MariaDB 10.1 DB instance from a MySQL 5.6 snapshot.
Valid Values:
db2-ae
db2-se
mariadb
mysql
oracle-ee
oracle-ee-cdb
oracle-se2
oracle-se2-cdb
postgres
sqlserver-ee
sqlserver-se
sqlserver-ex
sqlserver-web
The name of the option group to be used for the restored DB instance.
Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group, and that option group can't be removed from a DB instance after it is associated with a DB instance.
This setting doesn't apply to RDS Custom.
", - "RestoreDBInstanceFromDBSnapshotMessage$StorageType": "Specifies the storage type to be associated with the DB instance.
Valid Values: gp2 | gp3 | io1 | standard
If you specify io1 or gp3, you must also include a value for the Iops parameter.
Default: io1 if the Iops parameter is specified, otherwise gp2
Specifies the storage type to be associated with the DB instance.
Valid Values: gp2 | gp3 | io1 | io2 | standard
If you specify io1, io2, or gp3, you must also include a value for the Iops parameter.
Default: io1 if the Iops parameter is specified, otherwise gp2
The ARN from the key store with which to associate the instance for TDE encryption.
This setting doesn't apply to RDS Custom.
", "RestoreDBInstanceFromDBSnapshotMessage$TdeCredentialPassword": "The password for the given ARN from the key store in order to access the device.
This setting doesn't apply to RDS Custom.
", "RestoreDBInstanceFromDBSnapshotMessage$Domain": "The Active Directory directory ID to restore the DB instance in. The domain/ must be created prior to this operation. Currently, you can create only Db2, MySQL, Microsoft SQL Server, Oracle, and PostgreSQL DB instances in an Active Directory Domain.
For more information, see Kerberos Authentication in the Amazon RDS User Guide.
This setting doesn't apply to RDS Custom.
", @@ -5571,7 +5575,7 @@ "RestoreDBInstanceFromS3Message$EngineVersion": "The version number of the database engine to use. Choose the latest minor version of your database engine. For information about engine versions, see CreateDBInstance, or call DescribeDBEngineVersions.
The license model for this DB instance. Use general-public-license.
The name of the option group to associate with this DB instance. If this argument is omitted, the default option group for the specified engine is used.
", - "RestoreDBInstanceFromS3Message$StorageType": "Specifies the storage type to be associated with the DB instance.
Valid Values: gp2 | gp3 | io1 | standard
If you specify io1 or gp3, you must also include a value for the Iops parameter.
Default: io1 if the Iops parameter is specified; otherwise gp2
Specifies the storage type to be associated with the DB instance.
Valid Values: gp2 | gp3 | io1 | io2 | standard
If you specify io1, io2, or gp3, you must also include a value for the Iops parameter.
Default: io1 if the Iops parameter is specified; otherwise gp2
The Amazon Web Services KMS key identifier for an encrypted DB instance.
The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.
If the StorageEncrypted parameter is enabled, and you do not specify a value for the KmsKeyId parameter, then Amazon RDS will use your default KMS key. There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.
The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to Amazon CloudWatch Logs. For example, arn:aws:iam:123456789012:role/emaccess. For information on creating a monitoring role, see Setting Up and Enabling Enhanced Monitoring in the Amazon RDS User Guide.
If MonitoringInterval is set to a value other than 0, then you must supply a MonitoringRoleArn value.
The name of the engine of your source database.
Valid Values: mysql
The database name for the restored DB instance.
This parameter doesn't apply to the following DB instances:
RDS Custom
RDS for Db2
RDS for MariaDB
RDS for MySQL
The database engine to use for the new instance.
This setting doesn't apply to RDS Custom.
Valid Values:
db2-ae
db2-se
mariadb
mysql
oracle-ee
oracle-ee-cdb
oracle-se2
oracle-se2-cdb
postgres
sqlserver-ee
sqlserver-se
sqlserver-ex
sqlserver-web
Default: The same as source
Constraints:
Must be compatible with the engine of the source.
The name of the option group to use for the restored DB instance.
Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group, and that option group can't be removed from a DB instance after it is associated with a DB instance
This setting doesn't apply to RDS Custom.
", - "RestoreDBInstanceToPointInTimeMessage$StorageType": "The storage type to associate with the DB instance.
Valid Values: gp2 | gp3 | io1 | standard
Default: io1, if the Iops parameter is specified. Otherwise, gp2.
Constraints:
If you specify io1 or gp3, you must also include a value for the Iops parameter.
The storage type to associate with the DB instance.
Valid Values: gp2 | gp3 | io1 | io2 | standard
Default: io1, if the Iops parameter is specified. Otherwise, gp2.
Constraints:
If you specify io1, io2, or gp3, you must also include a value for the Iops parameter.
The ARN from the key store with which to associate the instance for TDE encryption.
This setting doesn't apply to RDS Custom.
", "RestoreDBInstanceToPointInTimeMessage$TdeCredentialPassword": "The password for the given ARN from the key store in order to access the device.
This setting doesn't apply to RDS Custom.
", "RestoreDBInstanceToPointInTimeMessage$Domain": "The Active Directory directory ID to restore the DB instance in. Create the domain before running this command. Currently, you can create only the MySQL, Microsoft SQL Server, Oracle, and PostgreSQL DB instances in an Active Directory Domain.
This setting doesn't apply to RDS Custom.
For more information, see Kerberos Authentication in the Amazon RDS User Guide.
", @@ -5668,7 +5672,7 @@ "UserAuthConfigInfo$Description": "A user-specified description about the authentication used by a proxy to log in as a specific database user.
", "UserAuthConfigInfo$UserName": "The name of the database user to which the proxy connects.
", "UserAuthConfigInfo$SecretArn": "The Amazon Resource Name (ARN) representing the secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager.
", - "ValidStorageOptions$StorageType": "The valid storage types for your DB instance. For example: gp2, gp3, io1.
", + "ValidStorageOptions$StorageType": "The valid storage types for your DB instance. For example: gp2, gp3, io1, io2.
", "VpcSecurityGroupIdList$member": null, "VpcSecurityGroupMembership$VpcSecurityGroupId": "The name of the VPC security group.
", "VpcSecurityGroupMembership$Status": "The membership status of the VPC security group.
Currently, the only valid status is active.
The number of days that a manual snapshot is retained. If the value is -1, the manual snapshot is retained indefinitely.
The value must be either -1 or an integer between 1 and 3,653.
The default value is -1.
", "CreateClusterMessage$AutomatedSnapshotRetentionPeriod": "The number of days that automated snapshots are retained. If the value is 0, automated snapshots are disabled. Even if automated snapshots are disabled, you can still create manual snapshots when you want with CreateClusterSnapshot.
You can't disable automated snapshots for RA3 node types. Set the automated retention period from 1-35 days.
Default: 1
Constraints: Must be a value from 0 to 35.
", "CreateClusterMessage$ManualSnapshotRetentionPeriod": "The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots.
The value must be either -1 or an integer between 1 and 3,653.
", - "CreateClusterMessage$Port": "The port number on which the cluster accepts incoming connections.
The cluster is accessible only via the JDBC and ODBC connection strings. Part of the connection string requires the port on which the cluster will listen for incoming connections.
Default: 5439
Valid Values: 1150-65535
The port number on which the cluster accepts incoming connections.
The cluster is accessible only via the JDBC and ODBC connection strings. Part of the connection string requires the port on which the cluster will listen for incoming connections.
Default: 5439
Valid Values:
For clusters with ra3 nodes - Select a port within the ranges 5431-5455 or 8191-8215. (If you have an existing cluster with ra3 nodes, it isn't required that you change the port to these ranges.)
For clusters with ds2 or dc2 nodes - Select a port within the range 1150-65535.
The number of compute nodes in the cluster. This parameter is required when the ClusterType parameter is specified as multi-node.
For information about determining how many nodes you need, go to Working with Clusters in the Amazon Redshift Cluster Management Guide.
If you don't specify this parameter, you get a single-node cluster. When requesting a multi-node cluster, you must specify the number of nodes that you want in the cluster.
Default: 1
Constraints: Value must be at least 1 and no more than 100.
", "CreateClusterSnapshotMessage$ManualSnapshotRetentionPeriod": "The number of days that a manual snapshot is retained. If the value is -1, the manual snapshot is retained indefinitely.
The value must be either -1 or an integer between 1 and 3,653.
The default value is -1.
", "CreateSnapshotScheduleMessage$NextInvocations": "", @@ -2009,14 +2009,14 @@ "ModifyClusterMessage$NumberOfNodes": "The new number of nodes of the cluster. If you specify a new number of nodes, you must also specify the node type parameter.
For more information about resizing clusters, go to Resizing Clusters in Amazon Redshift in the Amazon Redshift Cluster Management Guide.
Valid Values: Integer greater than 0.
The number of days that automated snapshots are retained. If the value is 0, automated snapshots are disabled. Even if automated snapshots are disabled, you can still create manual snapshots when you want with CreateClusterSnapshot.
If you decrease the automated snapshot retention period from its current value, existing automated snapshots that fall outside of the new retention period will be immediately deleted.
You can't disable automated snapshots for RA3 node types. Set the automated retention period from 1-35 days.
Default: Uses existing setting.
Constraints: Must be a value from 0 to 35.
", "ModifyClusterMessage$ManualSnapshotRetentionPeriod": "The default for number of days that a newly created manual snapshot is retained. If the value is -1, the manual snapshot is retained indefinitely. This value doesn't retroactively change the retention periods of existing manual snapshots.
The value must be either -1 or an integer between 1 and 3,653.
The default value is -1.
", - "ModifyClusterMessage$Port": "The option to change the port of an Amazon Redshift cluster.
", + "ModifyClusterMessage$Port": "The option to change the port of an Amazon Redshift cluster.
Valid Values:
For clusters with ra3 nodes - Select a port within the ranges 5431-5455 or 8191-8215. (If you have an existing cluster with ra3 nodes, it isn't required that you change the port to these ranges.)
For clusters with ds2 or dc2 nodes - Select a port within the range 1150-65535.
The number of days that a manual snapshot is retained. If the value is -1, the manual snapshot is retained indefinitely.
If the manual snapshot falls outside of the new retention period, you can specify the force option to immediately delete the snapshot.
The value must be either -1 or an integer between 1 and 3,653.
", "PendingModifiedValues$NumberOfNodes": "The pending or in-progress change of the number of nodes in the cluster.
", "PendingModifiedValues$AutomatedSnapshotRetentionPeriod": "The pending or in-progress change of the automated snapshot retention period.
", "PurchaseReservedNodeOfferingMessage$NodeCount": "The number of reserved nodes that you want to purchase.
Default: 1
The new number of nodes for the cluster. If not specified, the cluster's current number of nodes is used.
", "ResizeProgressMessage$TargetNumberOfNodes": "The number of nodes that the cluster will have after the resize operation is complete.
", - "RestoreFromClusterSnapshotMessage$Port": "The port number on which the cluster accepts connections.
Default: The same port as the original cluster.
Constraints: Must be between 1115 and 65535.
The port number on which the cluster accepts connections.
Default: The same port as the original cluster.
Valid values: For clusters with ds2 or dc2 nodes, must be within the range 1150-65535. For clusters with ra3 nodes, must be within the ranges 5431-5455 or 8191-8215.
The number of days that automated snapshots are retained. If the value is 0, automated snapshots are disabled. Even if automated snapshots are disabled, you can still create manual snapshots when you want with CreateClusterSnapshot.
You can't disable automated snapshots for RA3 node types. Set the automated retention period from 1-35 days.
Default: The value selected for the cluster from which the snapshot was taken.
Constraints: Must be a value from 0 to 35.
", "RestoreFromClusterSnapshotMessage$ManualSnapshotRetentionPeriod": "The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots.
The value must be either -1 or an integer between 1 and 3,653.
", "RestoreFromClusterSnapshotMessage$NumberOfNodes": "The number of nodes specified when provisioning the restored cluster.
", @@ -3355,8 +3355,8 @@ "AccountAttribute$AttributeName": "The name of the attribute.
", "AccountWithRestoreAccess$AccountId": "The identifier of an Amazon Web Services account authorized to restore a snapshot.
", "AccountWithRestoreAccess$AccountAlias": "The identifier of an Amazon Web Services support account authorized to restore a snapshot. For Amazon Web Services Support, the identifier is amazon-redshift-support.
The Amazon Resource Name (ARN) of the datashare that the consumer is to use with the account or the namespace.
", - "AssociateDataShareConsumerMessage$ConsumerArn": "The Amazon Resource Name (ARN) of the consumer that is associated with the datashare.
", + "AssociateDataShareConsumerMessage$DataShareArn": "The Amazon Resource Name (ARN) of the datashare that the consumer is to use.
", + "AssociateDataShareConsumerMessage$ConsumerArn": "The Amazon Resource Name (ARN) of the consumer namespace associated with the datashare.
", "AssociateDataShareConsumerMessage$ConsumerRegion": "From a datashare consumer account, associates a datashare with all existing and future namespaces in the specified Amazon Web Services Region.
", "Association$CustomDomainCertificateArn": "The Amazon Resource Name (ARN) for the certificate associated with the custom domain.
", "AttributeNameList$member": null, @@ -3366,13 +3366,13 @@ "AuthorizeClusterSecurityGroupIngressMessage$CIDRIP": "The IP range to be added the Amazon Redshift security group.
", "AuthorizeClusterSecurityGroupIngressMessage$EC2SecurityGroupName": "The EC2 security group to be added the Amazon Redshift security group.
", "AuthorizeClusterSecurityGroupIngressMessage$EC2SecurityGroupOwnerId": "The Amazon Web Services account number of the owner of the security group specified by the EC2SecurityGroupName parameter. The Amazon Web Services Access Key ID is not an acceptable value.
Example: 111122223333
The Amazon Resource Name (ARN) of the datashare that producers are to authorize sharing for.
", + "AuthorizeDataShareMessage$DataShareArn": "The Amazon Resource Name (ARN) of the datashare namespace that producers are to authorize sharing for.
", "AuthorizeDataShareMessage$ConsumerIdentifier": "The identifier of the data consumer that is authorized to access the datashare. This identifier is an Amazon Web Services account ID or a keyword, such as ADX.
", "AuthorizeEndpointAccessMessage$ClusterIdentifier": "The cluster identifier of the cluster to grant access to.
", "AuthorizeEndpointAccessMessage$Account": "The Amazon Web Services account ID to grant access to.
", "AuthorizeSnapshotAccessMessage$SnapshotIdentifier": "The identifier of the snapshot the account is authorized to restore.
", "AuthorizeSnapshotAccessMessage$SnapshotArn": "The Amazon Resource Name (ARN) of the snapshot to authorize access to.
", - "AuthorizeSnapshotAccessMessage$SnapshotClusterIdentifier": "The identifier of the cluster the snapshot was created from. This parameter is required if your IAM user has a policy containing a snapshot resource element that specifies anything other than * for the cluster name.
", + "AuthorizeSnapshotAccessMessage$SnapshotClusterIdentifier": "The identifier of the cluster the snapshot was created from.
If the snapshot to access doesn't exist and the associated IAM policy doesn't allow access to all (*) snapshots - This parameter is required. Otherwise, permissions aren't available to check if the snapshot exists.
If the snapshot to access exists - This parameter isn't required. Redshift can retrieve the cluster identifier and use it to validate snapshot authorization.
The identifier of the Amazon Web Services account authorized to restore the specified snapshot.
To share a snapshot with Amazon Web Services Support, specify amazon-redshift-support.
", "AuthorizedAudienceList$member": null, "AuthorizedTokenIssuer$TrustedTokenIssuerArn": "The ARN for the authorized token issuer for integrating Amazon Redshift with IDC Identity Center.
", @@ -3516,14 +3516,14 @@ "CreateTagsMessage$ResourceName": "The Amazon Resource Name (ARN) to which you want to add the tag or tags. For example, arn:aws:redshift:us-east-2:123456789:cluster:t1.
The identifier of the cluster that you want to limit usage.
", "CustomDomainAssociationsMessage$Marker": "The marker for the custom domain association.
", - "DataShare$DataShareArn": "An Amazon Resource Name (ARN) that references the datashare that is owned by a specific namespace of the producer cluster. A datashare ARN is in the arn:aws:redshift:{region}:{account-id}:{datashare}:{namespace-guid}/{datashare-name} format.
The Amazon Resource Name (ARN) of the producer.
", + "DataShare$DataShareArn": "The Amazon Resource Name (ARN) of the datashare that the consumer is to use.
", + "DataShare$ProducerArn": "The Amazon Resource Name (ARN) of the producer namespace.
", "DataShare$ManagedBy": "The identifier of a datashare to show its managing entity.
", "DataShareAssociation$ConsumerIdentifier": "The name of the consumer accounts that have an association with a producer datashare.
", "DataShareAssociation$ConsumerRegion": "The Amazon Web Services Region of the consumer accounts that have an association with a producer datashare.
", "DataTransferProgress$Status": "Describes the status of the cluster. While the transfer is in progress the status is transferringdata.
The Amazon Resource Name (ARN) of the datashare to remove authorization from.
", + "DeauthorizeDataShareMessage$DataShareArn": "The namespace Amazon Resource Name (ARN) of the datashare to remove authorization from.
", "DeauthorizeDataShareMessage$ConsumerIdentifier": "The identifier of the data consumer that is to have authorization removed from the datashare. This identifier is an Amazon Web Services account ID or a keyword, such as ADX.
", "DefaultClusterParameters$ParameterGroupFamily": "The name of the cluster parameter group family to which the engine default parameters apply.
", "DefaultClusterParameters$Marker": "A value that indicates the starting point for the next set of response records in a subsequent request. If a value is returned in a response, you can retrieve the next set of records by providing this returned marker value in the Marker parameter and retrying the command. If the Marker field is empty, all response records have been retrieved for the request.
The unique identifier of a cluster whose properties you are requesting. This parameter is case sensitive.
The default is that all clusters defined for an account are returned.
", "DescribeClustersMessage$Marker": "An optional parameter that specifies the starting point to return a set of response records. When the results of a DescribeClusters request exceed the value specified in MaxRecords, Amazon Web Services returns a value in the Marker field of the response. You can retrieve the next set of response records by providing the returned marker value in the Marker parameter and retrying the request.
Constraints: You can specify either the ClusterIdentifier parameter or the Marker parameter, but not both.
", "DescribeCustomDomainAssociationsMessage$Marker": "The marker for the custom domain association.
", - "DescribeDataSharesForConsumerMessage$ConsumerArn": "The Amazon Resource Name (ARN) of the consumer that returns in the list of datashares.
", + "DescribeDataSharesForConsumerMessage$ConsumerArn": "The Amazon Resource Name (ARN) of the consumer namespace that returns in the list of datashares.
", "DescribeDataSharesForConsumerMessage$Marker": "An optional parameter that specifies the starting point to return a set of response records. When the results of a DescribeDataSharesForConsumer request exceed the value specified in MaxRecords, Amazon Web Services returns a value in the Marker field of the response. You can retrieve the next set of response records by providing the returned marker value in the Marker parameter and retrying the request.
An optional parameter that specifies the starting point to return a set of response records. When the results of a DescribeDataSharesForConsumer request exceed the value specified in MaxRecords, Amazon Web Services returns a value in the Marker field of the response. You can retrieve the next set of response records by providing the returned marker value in the Marker parameter and retrying the request.
The Amazon Resource Name (ARN) of the producer that returns in the list of datashares.
", + "DescribeDataSharesForProducerMessage$ProducerArn": "The Amazon Resource Name (ARN) of the producer namespace that returns in the list of datashares.
", "DescribeDataSharesForProducerMessage$Marker": "An optional parameter that specifies the starting point to return a set of response records. When the results of a DescribeDataSharesForProducer request exceed the value specified in MaxRecords, Amazon Web Services returns a value in the Marker field of the response. You can retrieve the next set of response records by providing the returned marker value in the Marker parameter and retrying the request.
An optional parameter that specifies the starting point to return a set of response records. When the results of a DescribeDataSharesForProducer request exceed the value specified in MaxRecords, Amazon Web Services returns a value in the Marker field of the response. You can retrieve the next set of response records by providing the returned marker value in the Marker parameter and retrying the request.
The identifier of the datashare to describe details of.
", + "DescribeDataSharesMessage$DataShareArn": "The Amazon resource name (ARN) of the datashare to describe details of.
", "DescribeDataSharesMessage$Marker": "An optional parameter that specifies the starting point to return a set of response records. When the results of a DescribeDataShares request exceed the value specified in MaxRecords, Amazon Web Services returns a value in the Marker field of the response. You can retrieve the next set of response records by providing the returned marker value in the Marker parameter and retrying the request.
An optional parameter that specifies the starting point to return a set of response records. When the results of a DescribeDataShares request exceed the value specified in MaxRecords, Amazon Web Services returns a value in the Marker field of the response. You can retrieve the next set of response records by providing the returned marker value in the Marker parameter and retrying the request.
The name of the cluster parameter group family.
", @@ -3643,8 +3643,8 @@ "DescribeUsageLimitsMessage$Marker": "An optional parameter that specifies the starting point to return a set of response records. When the results of a DescribeUsageLimits request exceed the value specified in MaxRecords, Amazon Web Services returns a value in the Marker field of the response. You can retrieve the next set of response records by providing the returned marker value in the Marker parameter and retrying the request.
The identifier of the cluster on which logging is to be stopped.
Example: examplecluster
The unique identifier of the source cluster that you want to disable copying of snapshots to a destination region.
Constraints: Must be the valid name of an existing cluster that has cross-region snapshot copy enabled.
", - "DisassociateDataShareConsumerMessage$DataShareArn": "The Amazon Resource Name (ARN) of the datashare to remove association for.
", - "DisassociateDataShareConsumerMessage$ConsumerArn": "The Amazon Resource Name (ARN) of the consumer that association for the datashare is removed from.
", + "DisassociateDataShareConsumerMessage$DataShareArn": "The Amazon Resource Name (ARN) of the datashare to remove association for.
", + "DisassociateDataShareConsumerMessage$ConsumerArn": "The Amazon Resource Name (ARN) of the consumer namespace that association for the datashare is removed from.
", "DisassociateDataShareConsumerMessage$ConsumerRegion": "From a datashare consumer account, removes association of a datashare from all the existing and future namespaces in the specified Amazon Web Services Region.
", "EC2SecurityGroup$Status": "The status of the EC2 security group.
", "EC2SecurityGroup$EC2SecurityGroupName": "The name of the EC2 Security Group.
", diff --git a/models/apis/verifiedpermissions/2021-12-01/api-2.json b/models/apis/verifiedpermissions/2021-12-01/api-2.json index e56db0b1a09..8c7f7aadd2d 100644 --- a/models/apis/verifiedpermissions/2021-12-01/api-2.json +++ b/models/apis/verifiedpermissions/2021-12-01/api-2.json @@ -570,6 +570,32 @@ "clientIds":{"shape":"ClientIds"} } }, + "CognitoUserPoolConfigurationDetail":{ + "type":"structure", + "required":[ + "userPoolArn", + "clientIds", + "issuer" + ], + "members":{ + "userPoolArn":{"shape":"UserPoolArn"}, + "clientIds":{"shape":"ClientIds"}, + "issuer":{"shape":"Issuer"} + } + }, + "CognitoUserPoolConfigurationItem":{ + "type":"structure", + "required":[ + "userPoolArn", + "clientIds", + "issuer" + ], + "members":{ + "userPoolArn":{"shape":"UserPoolArn"}, + "clientIds":{"shape":"ClientIds"}, + "issuer":{"shape":"Issuer"} + } + }, "Configuration":{ "type":"structure", "members":{ @@ -577,6 +603,20 @@ }, "union":true }, + "ConfigurationDetail":{ + "type":"structure", + "members":{ + "cognitoUserPoolConfiguration":{"shape":"CognitoUserPoolConfigurationDetail"} + }, + "union":true + }, + "ConfigurationItem":{ + "type":"structure", + "members":{ + "cognitoUserPoolConfiguration":{"shape":"CognitoUserPoolConfigurationItem"} + }, + "union":true + }, "ConflictException":{ "type":"structure", "required":[ @@ -893,7 +933,6 @@ "type":"structure", "required":[ "createdDate", - "details", "identitySourceId", "lastUpdatedDate", "policyStoreId", @@ -901,11 +940,16 @@ ], "members":{ "createdDate":{"shape":"TimestampFormat"}, - "details":{"shape":"IdentitySourceDetails"}, + "details":{ + "shape":"IdentitySourceDetails", + "deprecated":true, + "deprecatedMessage":"This attribute has been replaced by configuration.cognitoUserPoolConfiguration" + }, "identitySourceId":{"shape":"IdentitySourceId"}, "lastUpdatedDate":{"shape":"TimestampFormat"}, "policyStoreId":{"shape":"PolicyStoreId"}, - "principalEntityType":{"shape":"PrincipalEntityType"} + "principalEntityType":{"shape":"PrincipalEntityType"}, + "configuration":{"shape":"ConfigurationDetail"} } }, "GetPolicyInput":{ @@ -1026,11 +1070,29 @@ "IdentitySourceDetails":{ "type":"structure", "members":{ - "clientIds":{"shape":"ClientIds"}, - "userPoolArn":{"shape":"UserPoolArn"}, - "discoveryUrl":{"shape":"DiscoveryUrl"}, - "openIdIssuer":{"shape":"OpenIdIssuer"} - } + "clientIds":{ + "shape":"ClientIds", + "deprecated":true, + "deprecatedMessage":"This attribute has been replaced by configuration.cognitoUserPoolConfiguration.clientIds" + }, + "userPoolArn":{ + "shape":"UserPoolArn", + "deprecated":true, + "deprecatedMessage":"This attribute has been replaced by configuration.cognitoUserPoolConfiguration.userPoolArn" + }, + "discoveryUrl":{ + "shape":"DiscoveryUrl", + "deprecated":true, + "deprecatedMessage":"This attribute has been replaced by configuration.cognitoUserPoolConfiguration.issuer" + }, + "openIdIssuer":{ + "shape":"OpenIdIssuer", + "deprecated":true, + "deprecatedMessage":"This attribute has been replaced by configuration" + } + }, + "deprecated":true, + "deprecatedMessage":"This shape has been replaced by ConfigurationDetail" }, "IdentitySourceFilter":{ "type":"structure", @@ -1054,7 +1116,6 @@ "type":"structure", "required":[ "createdDate", - "details", "identitySourceId", "lastUpdatedDate", "policyStoreId", @@ -1062,21 +1123,44 @@ ], "members":{ "createdDate":{"shape":"TimestampFormat"}, - "details":{"shape":"IdentitySourceItemDetails"}, + "details":{ + "shape":"IdentitySourceItemDetails", + "deprecated":true, + "deprecatedMessage":"This attribute has been replaced by configuration.cognitoUserPoolConfiguration" + }, "identitySourceId":{"shape":"IdentitySourceId"}, "lastUpdatedDate":{"shape":"TimestampFormat"}, "policyStoreId":{"shape":"PolicyStoreId"}, - "principalEntityType":{"shape":"PrincipalEntityType"} + "principalEntityType":{"shape":"PrincipalEntityType"}, + "configuration":{"shape":"ConfigurationItem"} } }, "IdentitySourceItemDetails":{ "type":"structure", "members":{ - "clientIds":{"shape":"ClientIds"}, - "userPoolArn":{"shape":"UserPoolArn"}, - "discoveryUrl":{"shape":"DiscoveryUrl"}, - "openIdIssuer":{"shape":"OpenIdIssuer"} - } + "clientIds":{ + "shape":"ClientIds", + "deprecated":true, + "deprecatedMessage":"This attribute has been replaced by configuration.cognitoUserPoolConfiguration.clientIds" + }, + "userPoolArn":{ + "shape":"UserPoolArn", + "deprecated":true, + "deprecatedMessage":"This attribute has been replaced by configuration.cognitoUserPoolConfiguration.userPoolArn" + }, + "discoveryUrl":{ + "shape":"DiscoveryUrl", + "deprecated":true, + "deprecatedMessage":"This attribute has been replaced by configuration.cognitoUserPoolConfiguration.issuer" + }, + "openIdIssuer":{ + "shape":"OpenIdIssuer", + "deprecated":true, + "deprecatedMessage":"This attribute has been replaced by configuration" + } + }, + "deprecated":true, + "deprecatedMessage":"This shape has been replaced by ConfigurationItem" }, "IdentitySources":{ "type":"list", @@ -1143,6 +1227,12 @@ "errors":{"shape":"EvaluationErrorList"} } }, + "Issuer":{ + "type":"string", + "max":2048, + "min":1, + "pattern":"https://.*" + }, "ListIdentitySourcesInput":{ "type":"structure", "required":["policyStoreId"], diff --git a/models/apis/verifiedpermissions/2021-12-01/docs-2.json b/models/apis/verifiedpermissions/2021-12-01/docs-2.json index 4388b9ce323..bfc193e47cb 100644 --- a/models/apis/verifiedpermissions/2021-12-01/docs-2.json +++ b/models/apis/verifiedpermissions/2021-12-01/docs-2.json @@ -3,10 +3,10 @@ "service": "Amazon Verified Permissions is a permissions management service from Amazon Web Services. You can use Verified Permissions to manage permissions for your application, and authorize user access based on those permissions. Using Verified Permissions, application developers can grant access based on information about the users, resources, and requested actions. You can also evaluate additional information like group membership, attributes of the resources, and session context, such as time of request and IP addresses. Verified Permissions manages these permissions by letting you create and store authorization policies for your applications, such as consumer-facing web sites and enterprise business systems.
Verified Permissions uses Cedar as the policy language to express your permission requirements. Cedar supports both role-based access control (RBAC) and attribute-based access control (ABAC) authorization models.
For more information about configuring, administering, and using Amazon Verified Permissions in your applications, see the Amazon Verified Permissions User Guide.
For more information about the Cedar policy language, see the Cedar Policy Language Guide.
When you write Cedar policies that reference principals, resources and actions, you can define the unique identifiers used for each of those elements. We strongly recommend that you follow these best practices:
Use values like universally unique identifiers (UUIDs) for all principal and resource identifiers.
For example, if user jane leaves the company, and you later let someone else use the name jane, then that new user automatically gets access to everything granted by policies that still reference User::\"jane\". Cedar can’t distinguish between the new user and the old. This applies to both principal and resource identifiers. Always use identifiers that are guaranteed unique and never reused to ensure that you don’t unintentionally grant access because of the presence of an old identifier in a policy.
Where you use a UUID for an entity, we recommend that you follow it with the // comment specifier and the ‘friendly’ name of your entity. This helps to make your policies easier to understand. For example: principal == User::\"a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111\", // alice
Do not include personally identifying, confidential, or sensitive information as part of the unique identifier for your principals or resources. These identifiers are included in log entries shared in CloudTrail trails.
Several operations return structures that appear similar, but have different purposes. As new functionality is added to the product, the structure used in a parameter of one operation might need to change in a way that wouldn't make sense for the same parameter in a different operation. To help you understand the purpose of each, the following naming convention is used for the structures:
Parameter type structures that end in Detail are used in Get operations.
Parameter type structures that end in Item are used in List operations.
Parameter type structures that use neither suffix are used in the mutating (create and update) operations.
Makes a series of decisions about multiple authorization requests for one principal or resource. Each request contains the equivalent content of an IsAuthorized request: principal, action, resource, and context. Either the principal or the resource parameter must be identical across all requests. For example, Verified Permissions won't evaluate a pair of requests where bob views photo1 and alice views photo2. Authorization of bob to view photo1 and photo2, or bob and alice to view photo1, are valid batches.
The request is evaluated against all policies in the specified policy store that match the entities that you declare. The result of the decisions is a series of Allow or Deny responses, along with the IDs of the policies that produced each decision.
The entities of a BatchIsAuthorized API request can contain up to 100 principals and up to 100 resources. The requests of a BatchIsAuthorized API request can contain up to 30 requests.
The BatchIsAuthorized operation doesn't have its own IAM permission. To authorize this operation for Amazon Web Services principals, include the permission verifiedpermissions:IsAuthorized in their IAM policies.
Creates a reference to an Amazon Cognito user pool as an external identity provider (IdP).
After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the IsAuthorizedWithToken operation. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Amazon Cognito provides both identity tokens and access tokens, and Verified Permissions can use either or both. Any combination of identity and access tokens results in the same Cedar principal. Verified Permissions automatically translates the information about the identities into the standard Cedar attributes that can be evaluated by your policies. Because the Amazon Cognito identity and access tokens can contain different information, the tokens you choose to use determine which principal attributes are available to access when evaluating Cedar policies.
If you delete a Amazon Cognito user pool or user, tokens from that deleted pool or that deleted user continue to be usable until they expire.
To reference a user from this identity source in your Cedar policies, use the following syntax.
IdentityType::\"<CognitoUserPoolIdentifier>|<CognitoClientId>
Where IdentityType is the string that you provide to the PrincipalEntityType parameter for this operation. The CognitoUserPoolId and CognitoClientId are defined by the Amazon Cognito user pool.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to be propagate through the service and be visible in the results of other Verified Permissions operations.
Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.
To create a static policy, provide the Cedar policy text in the StaticPolicy section of the PolicyDefinition.
To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the templateLinked section of the PolicyDefinition. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.
Creating a policy causes it to be validated against the schema in the policy store. If the policy doesn't pass validation, the operation fails and the policy isn't stored.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to be propagate through the service and be visible in the results of other Verified Permissions operations.
Creates a policy store. A policy store is a container for policy resources.
Although Cedar supports multiple namespaces, Verified Permissions currently supports only one namespace per policy store.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to be propagate through the service and be visible in the results of other Verified Permissions operations.
Creates a policy template. A template can use placeholders for the principal and resource. A template must be instantiated into a policy by associating it with specific principals and resources to use for the placeholders. That instantiated policy can then be considered in authorization decisions. The instantiated policy works identically to any other policy, except that it is dynamically linked to the template. If the template changes, then any policies that are linked to that template are immediately updated as well.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to be propagate through the service and be visible in the results of other Verified Permissions operations.
Creates a reference to an Amazon Cognito user pool as an external identity provider (IdP).
After you create an identity source, you can use the identities provided by the IdP as proxies for the principal in authorization queries that use the IsAuthorizedWithToken operation. These identities take the form of tokens that contain claims about the user, such as IDs, attributes and group memberships. Amazon Cognito provides both identity tokens and access tokens, and Verified Permissions can use either or both. Any combination of identity and access tokens results in the same Cedar principal. Verified Permissions automatically translates the information about the identities into the standard Cedar attributes that can be evaluated by your policies. Because the Amazon Cognito identity and access tokens can contain different information, the tokens you choose to use determine which principal attributes are available to access when evaluating Cedar policies.
If you delete a Amazon Cognito user pool or user, tokens from that deleted pool or that deleted user continue to be usable until they expire.
To reference a user from this identity source in your Cedar policies, use the following syntax.
IdentityType::\"<CognitoUserPoolIdentifier>|<CognitoClientId>
Where IdentityType is the string that you provide to the PrincipalEntityType parameter for this operation. The CognitoUserPoolId and CognitoClientId are defined by the Amazon Cognito user pool.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Creates a Cedar policy and saves it in the specified policy store. You can create either a static policy or a policy linked to a policy template.
To create a static policy, provide the Cedar policy text in the StaticPolicy section of the PolicyDefinition.
To create a policy that is dynamically linked to a policy template, specify the policy template ID and the principal and resource to associate with this policy in the templateLinked section of the PolicyDefinition. If the policy template is ever updated, any policies linked to the policy template automatically use the updated template.
Creating a policy causes it to be validated against the schema in the policy store. If the policy doesn't pass validation, the operation fails and the policy isn't stored.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Creates a policy store. A policy store is a container for policy resources.
Although Cedar supports multiple namespaces, Verified Permissions currently supports only one namespace per policy store.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Creates a policy template. A template can use placeholders for the principal and resource. A template must be instantiated into a policy by associating it with specific principals and resources to use for the placeholders. That instantiated policy can then be considered in authorization decisions. The instantiated policy works identically to any other policy, except that it is dynamically linked to the template. If the template changes, then any policies that are linked to that template are immediately updated as well.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Deletes an identity source that references an identity provider (IdP) such as Amazon Cognito. After you delete the identity source, you can no longer use tokens for identities from that identity source to represent principals in authorization queries made using IsAuthorizedWithToken. operations.
", "DeletePolicy": "Deletes the specified policy from the policy store.
This operation is idempotent; if you specify a policy that doesn't exist, the request response returns a successful HTTP 200 status code.
Deletes the specified policy store.
This operation is idempotent. If you specify a policy store that does not exist, the request response will still return a successful HTTP 200 status code.
", @@ -22,11 +22,11 @@ "ListPolicies": "Returns a paginated list of all policies stored in the specified policy store.
", "ListPolicyStores": "Returns a paginated list of all policy stores in the calling Amazon Web Services account.
", "ListPolicyTemplates": "Returns a paginated list of all policy templates in the specified policy store.
", - "PutSchema": "Creates or updates the policy schema in the specified policy store. The schema is used to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to be propagate through the service and be visible in the results of other Verified Permissions operations.
Updates the specified identity source to use a new identity provider (IdP) source, or to change the mapping of identities from the IdP to a different principal entity type.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to be propagate through the service and be visible in the results of other Verified Permissions operations.
Modifies a Cedar static policy in the specified policy store. You can change only certain elements of the UpdatePolicyDefinition parameter. You can directly update only static policies. To change a template-linked policy, you must update the template instead, using UpdatePolicyTemplate.
If policy validation is enabled in the policy store, then updating a static policy causes Verified Permissions to validate the policy against the schema in the policy store. If the updated static policy doesn't pass validation, the operation fails and the update isn't stored.
When you edit a static policy, You can change only certain elements of a static policy:
The action referenced by the policy.
A condition clause, such as when and unless.
You can't change these elements of a static policy:
Changing a policy from a static policy to a template-linked policy.
Changing the effect of a static policy from permit or forbid.
The principal referenced by a static policy.
The resource referenced by a static policy.
To update a template-linked policy, you must update the template instead.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to be propagate through the service and be visible in the results of other Verified Permissions operations.
Modifies the validation setting for a policy store.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to be propagate through the service and be visible in the results of other Verified Permissions operations.
Updates the specified policy template. You can update only the description and the some elements of the policyBody.
Changes you make to the policy template content are immediately (within the constraints of eventual consistency) reflected in authorization decisions that involve all template-linked policies instantiated from this template.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to be propagate through the service and be visible in the results of other Verified Permissions operations.
Creates or updates the policy schema in the specified policy store. The schema is used to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Updates the specified identity source to use a new identity provider (IdP) source, or to change the mapping of identities from the IdP to a different principal entity type.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Modifies a Cedar static policy in the specified policy store. You can change only certain elements of the UpdatePolicyDefinition parameter. You can directly update only static policies. To change a template-linked policy, you must update the template instead, using UpdatePolicyTemplate.
If policy validation is enabled in the policy store, then updating a static policy causes Verified Permissions to validate the policy against the schema in the policy store. If the updated static policy doesn't pass validation, the operation fails and the update isn't stored.
When you edit a static policy, you can change only certain elements of a static policy:
The action referenced by the policy.
A condition clause, such as when and unless.
You can't change these elements of a static policy:
Changing a policy from a static policy to a template-linked policy.
Changing the effect of a static policy from permit or forbid.
The principal referenced by a static policy.
The resource referenced by a static policy.
To update a template-linked policy, you must update the template instead.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Modifies the validation setting for a policy store.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
Updates the specified policy template. You can update only the description and the some elements of the policyBody.
Changes you make to the policy template content are immediately (within the constraints of eventual consistency) reflected in authorization decisions that involve all template-linked policies instantiated from this template.
Verified Permissions is eventually consistent . It can take a few seconds for a new or changed element to propagate through the service and be visible in the results of other Verified Permissions operations.
The unique application client IDs that are associated with the specified Amazon Cognito user pool.
Example: \"ClientIds\": [\"&ExampleCogClientId;\"]
The unique application client IDs that are associated with the specified Amazon Cognito user pool.
Example: \"clientIds\": [\"&ExampleCogClientId;\"]
The unique application client IDs that are associated with the specified Amazon Cognito user pool.
Example: \"clientIds\": [\"&ExampleCogClientId;\"]
The application client IDs associated with the specified Amazon Cognito user pool that are enabled for this identity source.
", "IdentitySourceItemDetails$clientIds": "The application client IDs associated with the specified Amazon Cognito user pool that are enabled for this identity source.
", "UpdateCognitoUserPoolConfiguration$clientIds": "The client ID of an app client that is configured for the specified Amazon Cognito user pool.
" } }, "CognitoUserPoolConfiguration": { - "base": "The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
This data type is used as a field that is part of an Configuration structure that is used as a parameter to the Configuration.
Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}
The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
This data type is used as a field that is part of an Configuration structure that is used as a parameter to CreateIdentitySource.
Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}
Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool and one or more application client IDs.
Example: \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}}
The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
This data type is used as a field that is part of an ConfigurationDetail structure that is part of the response to GetIdentitySource.
Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}
Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool and one or more application client IDs.
Example: \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}}
The configuration for an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions.
This data type is used as a field that is part of the ConfigurationItem structure that is part of the response to ListIdentitySources.
Example:\"CognitoUserPoolConfiguration\":{\"UserPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"ClientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}
Contains configuration details of a Amazon Cognito user pool that Verified Permissions can use as a source of authenticated identities as entities. It specifies the Amazon Resource Name (ARN) of a Amazon Cognito user pool and one or more application client IDs.
Example: \"configuration\":{\"cognitoUserPoolConfiguration\":{\"userPoolArn\":\"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\",\"clientIds\": [\"a1b2c3d4e5f6g7h8i9j0kalbmc\"]}}
Contains configuration information used when creating a new identity source.
At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.
You must specify a userPoolArn, and optionally, a ClientId.
This data type is used as a request parameter for the CreateIdentitySource operation.
", "refs": { "CreateIdentitySourceInput$configuration": "Specifies the details required to communicate with the identity provider (IdP) associated with this identity source.
At this time, the only valid member of this structure is a Amazon Cognito user pool configuration.
You must specify a UserPoolArn, and optionally, a ClientId.
Contains configuration information about an identity source.
This data type is a response parameter to the GetIdentitySource operation.
", + "refs": { + "GetIdentitySourceOutput$configuration": "Contains configuration information about an identity source.
" + } + }, + "ConfigurationItem": { + "base": "Contains configuration information about an identity source.
This data type is a response parameter to the ListIdentitySources operation.
", + "refs": { + "IdentitySourceItem$configuration": "Contains configuration information about an identity source.
" + } + }, "ConflictException": { "base": "The request failed because another request to modify a resource occurred at the same.
", "refs": { @@ -405,20 +431,20 @@ "IdempotencyToken": { "base": null, "refs": { - "CreateIdentitySourceInput$clientToken": "Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an IdempotentParameterMismatch error.
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.
Specifies a unique, case-sensitive ID that you provide to ensure the idempotency of the request. This lets you safely retry the request without accidentally performing the same operation a second time. Passing the same value to a later call to an operation requires that you also pass the same value for all other parameters. We recommend that you use a UUID type of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but with different parameters, the retry fails with an ConflictException error.
Verified Permissions recognizes a ClientToken for eight hours. After eight hours, the next request with the same parameters performs the operation again regardless of the value of ClientToken.
A structure that contains configuration of the identity source.
This data type is used as a response parameter for the CreateIdentitySource operation.
", + "base": "A structure that contains configuration of the identity source.
This data type was a response parameter for the GetIdentitySource operation. Replaced by ConfigurationDetail.
", "refs": { "GetIdentitySourceOutput$details": "A structure that describes the configuration of the identity source.
" } }, "IdentitySourceFilter": { - "base": "A structure that defines characteristics of an identity source that you can use to filter.
This data type is used as a request parameter for the ListIdentityStores operation.
", + "base": "A structure that defines characteristics of an identity source that you can use to filter.
This data type is a request parameter for the ListIdentityStores operation.
", "refs": { "IdentitySourceFilters$member": null } @@ -442,13 +468,13 @@ } }, "IdentitySourceItem": { - "base": "A structure that defines an identity source.
This data type is used as a request parameter for the ListIdentityStores operation.
", + "base": "A structure that defines an identity source.
This data type is a response parameter to the ListIdentitySources operation.
", "refs": { "IdentitySources$member": null } }, "IdentitySourceItemDetails": { - "base": "A structure that contains configuration of the identity source.
This data type is used as a response parameter for the CreateIdentitySource operation.
", + "base": "A structure that contains configuration of the identity source.
This data type was a response parameter for the ListIdentitySources operation. Replaced by ConfigurationItem.
", "refs": { "IdentitySourceItem$details": "A structure that contains the details of the associated identity provider (IdP).
" } @@ -484,6 +510,13 @@ "refs": { } }, + "Issuer": { + "base": null, + "refs": { + "CognitoUserPoolConfigurationDetail$issuer": "The OpenID Connect (OIDC) issuer ID of the Amazon Cognito user pool that contains the identities to be authorized.
Example: \"issuer\": \"https://cognito-idp.us-east-1.amazonaws.com/us-east-1_1a2b3c4d5\"
The OpenID Connect (OIDC) issuer ID of the Amazon Cognito user pool that contains the identities to be authorized.
Example: \"issuer\": \"https://cognito-idp.us-east-1.amazonaws.com/us-east-1_1a2b3c4d5\"
Contains information about a policy that was
created by instantiating a policy template.
This
", + "base": "Contains information about a policy that was created by instantiating a policy template.
", "refs": { "PolicyDefinitionDetail$templateLinked": "Information about a template-linked policy that was created by instantiating a policy template.
" } @@ -966,8 +999,8 @@ "Token": { "base": null, "refs": { - "IsAuthorizedWithTokenInput$identityToken": "Specifies an identity token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an AccessToken or an IdentityToken, or both.
Specifies an access token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an AccessToken, or an IdentityToken, or both.
Specifies an identity token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken, an identityToken, or both.
Must be an ID token. Verified Permissions returns an error if the token_use claim in the submitted token isn't id.
Specifies an access token for the principal to be authorized. This token is provided to you by the identity provider (IdP) associated with the specified identity source. You must specify either an accessToken, an identityToken, or both.
Must be an access token. Verified Permissions returns an error if the token_use claim in the submitted token isn't access.
The Amazon Resource Name (ARN) of the Amazon Cognito user pool that contains the identities to be authorized.
Example: \"UserPoolArn\": \"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\"
The Amazon Resource Name (ARN) of the Amazon Cognito user pool that contains the identities to be authorized.
Example: \"userPoolArn\": \"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\"
The Amazon Resource Name (ARN) of the Amazon Cognito user pool that contains the identities to be authorized.
Example: \"userPoolArn\": \"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5\"
The Amazon Resource Name (ARN) of the Amazon Cognito user pool whose identities are accessible to this Verified Permissions policy store.
", "IdentitySourceItemDetails$userPoolArn": "The Amazon Cognito user pool whose identities are accessible to this Verified Permissions policy store.
", "UpdateCognitoUserPoolConfiguration$userPoolArn": "The Amazon Resource Name (ARN) of the Amazon Cognito user pool associated with this identity source.
" diff --git a/service/dynamodb/api.go b/service/dynamodb/api.go index eec4ebfb45b..ddb1a89c572 100644 --- a/service/dynamodb/api.go +++ b/service/dynamodb/api.go @@ -6946,7 +6946,7 @@ func (c *DynamoDB) UpdateGlobalTableRequest(input *UpdateGlobalTableInput) (req // // This operation only applies to Version 2017.11.29 (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/globaltables.V1.html) // of global tables. If you are using global tables Version 2019.11.21 (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/globaltables.V2.html) -// you can use DescribeTable (https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_DescribeTable.html) +// you can use UpdateTable (https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_UpdateTable.html) // instead. // // Although you can use UpdateGlobalTable to add replicas and remove replicas @@ -7924,7 +7924,7 @@ func (s *ArchivalSummary) SetArchivalReason(v string) *ArchivalSummary { return s } -// Represents an attribute for describing the key schema for the table and indexes. +// Represents an attribute for describing the schema for the table and indexes. type AttributeDefinition struct { _ struct{} `type:"structure"` @@ -14783,6 +14783,9 @@ type ExportTableToPointInTimeInput struct { // The ID of the Amazon Web Services account that owns the bucket the export // will be stored in. + // + // S3BucketOwner is a required parameter when exporting to a S3 bucket in another + // account. S3BucketOwner *string `type:"string"` // The Amazon S3 bucket prefix to use as the file name and path of the exported @@ -19020,6 +19023,8 @@ type Projection struct { // secondary index will include other non-key attributes that you specify. // // * ALL - All of the table attributes are projected into the index. + // + // When using the DynamoDB console, ALL is selected by default. ProjectionType *string `type:"string" enum:"ProjectionType"` } @@ -19931,7 +19936,7 @@ type QueryInput struct { // A FilterExpression is applied after the items have already been read; the // process of filtering does not consume any additional read capacity units. // - // For more information, see Filter Expressions (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/QueryAndScan.html#Query.FilterExpression) + // For more information, see Filter Expressions (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Query.FilterExpression.html) // in the Amazon DynamoDB Developer Guide. FilterExpression *string `type:"string"` diff --git a/service/imagebuilder/api.go b/service/imagebuilder/api.go index 1c240ac6de0..83a40a26eb9 100644 --- a/service/imagebuilder/api.go +++ b/service/imagebuilder/api.go @@ -19417,6 +19417,9 @@ type LifecycleExecutionResource struct { // The action to take for the identified resource. Action *LifecycleExecutionResourceAction `locationName:"action" type:"structure"` + // The ending timestamp from the lifecycle action that was applied to the resource. + EndTime *time.Time `locationName:"endTime" type:"timestamp"` + // For an impacted container image, this identifies a list of URIs for associated // container images distributed to ECR repositories. ImageUris []*string `locationName:"imageUris" type:"list"` @@ -19440,6 +19443,10 @@ type LifecycleExecutionResource struct { // an AMI. Snapshots []*LifecycleExecutionSnapshotResource `locationName:"snapshots" type:"list"` + // The starting timestamp from the lifecycle action that was applied to the + // resource. + StartTime *time.Time `locationName:"startTime" type:"timestamp"` + // The runtime state for the lifecycle execution. State *LifecycleExecutionResourceState `locationName:"state" type:"structure"` } @@ -19474,6 +19481,12 @@ func (s *LifecycleExecutionResource) SetAction(v *LifecycleExecutionResourceActi return s } +// SetEndTime sets the EndTime field's value. +func (s *LifecycleExecutionResource) SetEndTime(v time.Time) *LifecycleExecutionResource { + s.EndTime = &v + return s +} + // SetImageUris sets the ImageUris field's value. func (s *LifecycleExecutionResource) SetImageUris(v []*string) *LifecycleExecutionResource { s.ImageUris = v @@ -19498,6 +19511,12 @@ func (s *LifecycleExecutionResource) SetSnapshots(v []*LifecycleExecutionSnapsho return s } +// SetStartTime sets the StartTime field's value. +func (s *LifecycleExecutionResource) SetStartTime(v time.Time) *LifecycleExecutionResource { + s.StartTime = &v + return s +} + // SetState sets the State field's value. func (s *LifecycleExecutionResource) SetState(v *LifecycleExecutionResourceState) *LifecycleExecutionResource { s.State = v @@ -20039,7 +20058,7 @@ type LifecyclePolicyDetailExclusionRules struct { Amis *LifecyclePolicyDetailExclusionRulesAmis `locationName:"amis" type:"structure"` // Contains a list of tags that Image Builder uses to skip lifecycle actions - // for resources that have them. + // for Image Builder image resources that have them. TagMap map[string]*string `locationName:"tagMap" min:"1" type:"map"` } @@ -20353,8 +20372,8 @@ type LifecyclePolicyResourceSelection struct { // that the lifecycle policy applies to. Recipes []*LifecyclePolicyResourceSelectionRecipe `locationName:"recipes" min:"1" type:"list"` - // A list of tags that are used as selection criteria for the resources that - // the lifecycle policy applies to. + // A list of tags that are used as selection criteria for the Image Builder + // image resources that the lifecycle policy applies to. TagMap map[string]*string `locationName:"tagMap" min:"1" type:"map"` } @@ -28193,6 +28212,9 @@ const ( // LifecycleExecutionStatusSuccess is a LifecycleExecutionStatus enum value LifecycleExecutionStatusSuccess = "SUCCESS" + + // LifecycleExecutionStatusPending is a LifecycleExecutionStatus enum value + LifecycleExecutionStatusPending = "PENDING" ) // LifecycleExecutionStatus_Values returns all elements of the LifecycleExecutionStatus enum @@ -28203,6 +28225,7 @@ func LifecycleExecutionStatus_Values() []string { LifecycleExecutionStatusCancelling, LifecycleExecutionStatusFailed, LifecycleExecutionStatusSuccess, + LifecycleExecutionStatusPending, } } diff --git a/service/mwaa/api.go b/service/mwaa/api.go index dd1dacdfba2..0883da31bbf 100644 --- a/service/mwaa/api.go +++ b/service/mwaa/api.go @@ -1210,7 +1210,7 @@ type CreateEnvironmentInput struct { // it defaults to the latest version. For more information, see Apache Airflow // versions on Amazon Managed Workflows for Apache Airflow (MWAA) (https://docs.aws.amazon.com/mwaa/latest/userguide/airflow-versions.html). // - // Valid values: 1.10.12, 2.0.2, 2.2.2, 2.4.3, 2.5.1, 2.6.3, 2.7.2 + // Valid values: 1.10.12, 2.0.2, 2.2.2, 2.4.3, 2.5.1, 2.6.3, 2.7.2 2.8.1 AirflowVersion *string `min:"1" type:"string"` // The relative path to the DAGs folder on your Amazon S3 bucket. For example, diff --git a/service/rds/api.go b/service/rds/api.go index 3924ac6a894..fa1ab87b12c 100644 --- a/service/rds/api.go +++ b/service/rds/api.go @@ -19534,6 +19534,15 @@ type ClusterPendingModifiedValues struct { // The number of days for which automatic DB snapshots are retained. BackupRetentionPeriod *int64 `type:"integer"` + // Returns the details of the DB instance’s server certificate. + // + // For more information, see Using SSL/TLS to encrypt a connection to a DB instance + // (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) + // in the Amazon RDS User Guide and Using SSL/TLS to encrypt a connection to + // a DB cluster (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html) + // in the Amazon Aurora User Guide. + CertificateDetails *CertificateDetails `type:"structure"` + // The DBClusterIdentifier value for the DB cluster. DBClusterIdentifier *string `type:"string"` @@ -19592,6 +19601,12 @@ func (s *ClusterPendingModifiedValues) SetBackupRetentionPeriod(v int64) *Cluste return s } +// SetCertificateDetails sets the CertificateDetails field's value. +func (s *ClusterPendingModifiedValues) SetCertificateDetails(v *CertificateDetails) *ClusterPendingModifiedValues { + s.CertificateDetails = v + return s +} + // SetDBClusterIdentifier sets the DBClusterIdentifier field's value. func (s *ClusterPendingModifiedValues) SetDBClusterIdentifier(v string) *ClusterPendingModifiedValues { s.DBClusterIdentifier = &v @@ -21904,6 +21919,11 @@ type CreateDBClusterInput struct { // * Must be a value from 1 to 35. BackupRetentionPeriod *int64 `type:"integer"` + // The CA certificate identifier to use for the DB cluster's server certificate. + // + // Valid for Cluster Type: Multi-AZ DB clusters + CACertificateIdentifier *string `type:"string"` + // The name of the character set (CharacterSet) to associate the DB cluster // with. // @@ -22629,6 +22649,12 @@ func (s *CreateDBClusterInput) SetBackupRetentionPeriod(v int64) *CreateDBCluste return s } +// SetCACertificateIdentifier sets the CACertificateIdentifier field's value. +func (s *CreateDBClusterInput) SetCACertificateIdentifier(v string) *CreateDBClusterInput { + s.CACertificateIdentifier = &v + return s +} + // SetCharacterSetName sets the CharacterSetName field's value. func (s *CreateDBClusterInput) SetCharacterSetName(v string) *CreateDBClusterInput { s.CharacterSetName = &v @@ -23275,16 +23301,17 @@ type CreateDBInstanceInput struct { // * General Purpose (SSD) storage (gp2, gp3): Must be an integer from 40 // to 65536 for RDS Custom for Oracle, 16384 for RDS Custom for SQL Server. // - // * Provisioned IOPS storage (io1): Must be an integer from 40 to 65536 + // * Provisioned IOPS storage (io1, io2): Must be an integer from 40 to 65536 // for RDS Custom for Oracle, 16384 for RDS Custom for SQL Server. // // RDS for Db2 // // Constraints to the amount of storage for each storage type are the following: // - // * General Purpose (SSD) storage (gp3): Must be an integer from 20 to 64000. + // * General Purpose (SSD) storage (gp3): Must be an integer from 20 to 65536. // - // * Provisioned IOPS storage (io1): Must be an integer from 100 to 64000. + // * Provisioned IOPS storage (io1, io2): Must be an integer from 100 to + // 65536. // // RDS for MariaDB // @@ -23293,7 +23320,8 @@ type CreateDBInstanceInput struct { // * General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 // to 65536. // - // * Provisioned IOPS storage (io1): Must be an integer from 100 to 65536. + // * Provisioned IOPS storage (io1, io2): Must be an integer from 100 to + // 65536. // // * Magnetic storage (standard): Must be an integer from 5 to 3072. // @@ -23304,7 +23332,8 @@ type CreateDBInstanceInput struct { // * General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 // to 65536. // - // * Provisioned IOPS storage (io1): Must be an integer from 100 to 65536. + // * Provisioned IOPS storage (io1, io2): Must be an integer from 100 to + // 65536. // // * Magnetic storage (standard): Must be an integer from 5 to 3072. // @@ -23315,7 +23344,8 @@ type CreateDBInstanceInput struct { // * General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 // to 65536. // - // * Provisioned IOPS storage (io1): Must be an integer from 100 to 65536. + // * Provisioned IOPS storage (io1, io2): Must be an integer from 100 to + // 65536. // // * Magnetic storage (standard): Must be an integer from 10 to 3072. // @@ -23326,7 +23356,8 @@ type CreateDBInstanceInput struct { // * General Purpose (SSD) storage (gp2, gp3): Must be an integer from 20 // to 65536. // - // * Provisioned IOPS storage (io1): Must be an integer from 100 to 65536. + // * Provisioned IOPS storage (io1, io2): Must be an integer from 100 to + // 65536. // // * Magnetic storage (standard): Must be an integer from 5 to 3072. // @@ -23338,9 +23369,9 @@ type CreateDBInstanceInput struct { // Must be an integer from 20 to 16384. Web and Express editions: Must be // an integer from 20 to 16384. // - // * Provisioned IOPS storage (io1): Enterprise and Standard editions: Must - // be an integer from 100 to 16384. Web and Express editions: Must be an - // integer from 100 to 16384. + // * Provisioned IOPS storage (io1, io2): Enterprise and Standard editions: + // Must be an integer from 100 to 16384. Web and Express editions: Must be + // an integer from 100 to 16384. // // * Magnetic storage (standard): Enterprise and Standard editions: Must // be an integer from 20 to 1024. Web and Express editions: Must be an integer @@ -24299,12 +24330,13 @@ type CreateDBInstanceInput struct { // The storage type to associate with the DB instance. // - // If you specify io1 or gp3, you must also include a value for the Iops parameter. + // If you specify io1, io2, or gp3, you must also include a value for the Iops + // parameter. // // This setting doesn't apply to Amazon Aurora DB instances. Storage is managed // by the DB cluster. // - // Valid Values: gp2 | gp3 | io1 | standard + // Valid Values: gp2 | gp3 | io1 | io2 | standard // // Default: io1, if the Iops parameter is specified. Otherwise, gp2. StorageType *string `type:"string"` @@ -25300,9 +25332,10 @@ type CreateDBInstanceReadReplicaInput struct { // The storage type to associate with the read replica. // - // If you specify io1 or gp3, you must also include a value for the Iops parameter. + // If you specify io1, io2, or gp3, you must also include a value for the Iops + // parameter. // - // Valid Values: gp2 | gp3 | io1 | standard + // Valid Values: gp2 | gp3 | io1 | io2 | standard // // Default: io1 if the Iops parameter is specified. Otherwise, gp2. StorageType *string `type:"string"` @@ -27849,6 +27882,15 @@ type DBCluster struct { // in the Amazon Aurora User Guide. Capacity *int64 `type:"integer"` + // Returns the details of the DB instance’s server certificate. + // + // For more information, see Using SSL/TLS to encrypt a connection to a DB instance + // (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) + // in the Amazon RDS User Guide and Using SSL/TLS to encrypt a connection to + // a DB cluster (https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html) + // in the Amazon Aurora User Guide. + CertificateDetails *CertificateDetails `type:"structure"` + // If present, specifies the name of the character set that this cluster is // associated with. CharacterSetName *string `type:"string"` @@ -28271,6 +28313,12 @@ func (s *DBCluster) SetCapacity(v int64) *DBCluster { return s } +// SetCertificateDetails sets the CertificateDetails field's value. +func (s *DBCluster) SetCertificateDetails(v *CertificateDetails) *DBCluster { + s.CertificateDetails = v + return s +} + // SetCharacterSetName sets the CharacterSetName field's value. func (s *DBCluster) SetCharacterSetName(v string) *DBCluster { s.CharacterSetName = &v @@ -46696,6 +46744,11 @@ type ModifyDBClusterInput struct { // * Must be a value from 1 to 35. BackupRetentionPeriod *int64 `type:"integer"` + // The CA certificate identifier to use for the DB cluster's server certificate. + // + // Valid for Cluster Type: Multi-AZ DB clusters + CACertificateIdentifier *string `type:"string"` + // The configuration setting for the log types to be enabled for export to CloudWatch // Logs for a specific DB cluster. // @@ -47270,6 +47323,12 @@ func (s *ModifyDBClusterInput) SetBackupRetentionPeriod(v int64) *ModifyDBCluste return s } +// SetCACertificateIdentifier sets the CACertificateIdentifier field's value. +func (s *ModifyDBClusterInput) SetCACertificateIdentifier(v string) *ModifyDBClusterInput { + s.CACertificateIdentifier = &v + return s +} + // SetCloudwatchLogsExportConfiguration sets the CloudwatchLogsExportConfiguration field's value. func (s *ModifyDBClusterInput) SetCloudwatchLogsExportConfiguration(v *CloudwatchLogsExportConfiguration) *ModifyDBClusterInput { s.CloudwatchLogsExportConfiguration = v @@ -48591,8 +48650,8 @@ type ModifyDBInstanceInput struct { // The storage type to associate with the DB instance. // - // If you specify Provisioned IOPS (io1), you must also include a value for - // the Iops parameter. + // If you specify io1), io2, or gp3 you must also include a value for the Iops + // parameter. // // If you choose to migrate your DB instance from using standard storage to // using Provisioned IOPS, or from using Provisioned IOPS to using standard @@ -48607,7 +48666,7 @@ type ModifyDBInstanceInput struct { // modifying the instance, rebooting the instance, deleting the instance, creating // a read replica for the instance, and creating a DB snapshot of the instance. // - // Valid Values: gp2 | gp3 | io1 | standard + // Valid Values: gp2 | gp3 | io1 | io2 | standard // // Default: io1, if the Iops parameter is specified. Otherwise, gp2. StorageType *string `type:"string"` @@ -57147,9 +57206,10 @@ type RestoreDBInstanceFromDBSnapshotInput struct { // Specifies the storage type to be associated with the DB instance. // - // Valid Values: gp2 | gp3 | io1 | standard + // Valid Values: gp2 | gp3 | io1 | io2 | standard // - // If you specify io1 or gp3, you must also include a value for the Iops parameter. + // If you specify io1, io2, or gp3, you must also include a value for the Iops + // parameter. // // Default: io1 if the Iops parameter is specified, otherwise gp2 StorageType *string `type:"string"` @@ -57901,9 +57961,10 @@ type RestoreDBInstanceFromS3Input struct { // Specifies the storage type to be associated with the DB instance. // - // Valid Values: gp2 | gp3 | io1 | standard + // Valid Values: gp2 | gp3 | io1 | io2 | standard // - // If you specify io1 or gp3, you must also include a value for the Iops parameter. + // If you specify io1, io2, or gp3, you must also include a value for the Iops + // parameter. // // Default: io1 if the Iops parameter is specified; otherwise gp2 StorageType *string `type:"string"` @@ -58690,14 +58751,14 @@ type RestoreDBInstanceToPointInTimeInput struct { // The storage type to associate with the DB instance. // - // Valid Values: gp2 | gp3 | io1 | standard + // Valid Values: gp2 | gp3 | io1 | io2 | standard // // Default: io1, if the Iops parameter is specified. Otherwise, gp2. // // Constraints: // - // * If you specify io1 or gp3, you must also include a value for the Iops - // parameter. + // * If you specify io1, io2, or gp3, you must also include a value for the + // Iops parameter. StorageType *string `type:"string"` // A list of tags. For more information, see Tagging Amazon RDS Resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html) @@ -62067,7 +62128,8 @@ type ValidStorageOptions struct { // 0-0.25. StorageThroughputToIopsRatio []*DoubleRange `locationNameList:"DoubleRange" type:"list"` - // The valid storage types for your DB instance. For example: gp2, gp3, io1. + // The valid storage types for your DB instance. For example: gp2, gp3, io1, + // io2. StorageType *string `type:"string"` // Indicates whether or not Amazon RDS can automatically scale storage for DB diff --git a/service/redshift/api.go b/service/redshift/api.go index 51a0e7e5adc..6f59cb801c8 100644 --- a/service/redshift/api.go +++ b/service/redshift/api.go @@ -14826,16 +14826,15 @@ type AssociateDataShareConsumerInput struct { // account. AssociateEntireAccount *bool `type:"boolean"` - // The Amazon Resource Name (ARN) of the consumer that is associated with the - // datashare. + // The Amazon Resource Name (ARN) of the consumer namespace associated with + // the datashare. ConsumerArn *string `type:"string"` // From a datashare consumer account, associates a datashare with all existing // and future namespaces in the specified Amazon Web Services Region. ConsumerRegion *string `type:"string"` - // The Amazon Resource Name (ARN) of the datashare that the consumer is to use - // with the account or the namespace. + // The Amazon Resource Name (ARN) of the datashare that the consumer is to use. // // DataShareArn is a required field DataShareArn *string `type:"string" required:"true"` @@ -14909,10 +14908,7 @@ type AssociateDataShareConsumerOutput struct { // accessible cluster. AllowPubliclyAccessibleConsumers *bool `type:"boolean"` - // An Amazon Resource Name (ARN) that references the datashare that is owned - // by a specific namespace of the producer cluster. A datashare ARN is in the - // arn:aws:redshift:{region}:{account-id}:{datashare}:{namespace-guid}/{datashare-name} - // format. + // The Amazon Resource Name (ARN) of the datashare that the consumer is to use. DataShareArn *string `type:"string"` // A value that specifies when the datashare has an association between producer @@ -14922,7 +14918,7 @@ type AssociateDataShareConsumerOutput struct { // The identifier of a datashare to show its managing entity. ManagedBy *string `type:"string"` - // The Amazon Resource Name (ARN) of the producer. + // The Amazon Resource Name (ARN) of the producer namespace. ProducerArn *string `type:"string"` } @@ -15220,8 +15216,8 @@ type AuthorizeDataShareInput struct { // ConsumerIdentifier is a required field ConsumerIdentifier *string `type:"string" required:"true"` - // The Amazon Resource Name (ARN) of the datashare that producers are to authorize - // sharing for. + // The Amazon Resource Name (ARN) of the datashare namespace that producers + // are to authorize sharing for. // // DataShareArn is a required field DataShareArn *string `type:"string" required:"true"` @@ -15286,10 +15282,7 @@ type AuthorizeDataShareOutput struct { // accessible cluster. AllowPubliclyAccessibleConsumers *bool `type:"boolean"` - // An Amazon Resource Name (ARN) that references the datashare that is owned - // by a specific namespace of the producer cluster. A datashare ARN is in the - // arn:aws:redshift:{region}:{account-id}:{datashare}:{namespace-guid}/{datashare-name} - // format. + // The Amazon Resource Name (ARN) of the datashare that the consumer is to use. DataShareArn *string `type:"string"` // A value that specifies when the datashare has an association between producer @@ -15299,7 +15292,7 @@ type AuthorizeDataShareOutput struct { // The identifier of a datashare to show its managing entity. ManagedBy *string `type:"string"` - // The Amazon Resource Name (ARN) of the producer. + // The Amazon Resource Name (ARN) of the producer namespace. ProducerArn *string `type:"string"` } @@ -15535,9 +15528,14 @@ type AuthorizeSnapshotAccessInput struct { // The Amazon Resource Name (ARN) of the snapshot to authorize access to. SnapshotArn *string `type:"string"` - // The identifier of the cluster the snapshot was created from. This parameter - // is required if your IAM user has a policy containing a snapshot resource - // element that specifies anything other than * for the cluster name. + // The identifier of the cluster the snapshot was created from. + // + // * If the snapshot to access doesn't exist and the associated IAM policy + // doesn't allow access to all (*) snapshots - This parameter is required. + // Otherwise, permissions aren't available to check if the snapshot exists. + // + // * If the snapshot to access exists - This parameter isn't required. Redshift + // can retrieve the cluster identifier and use it to validate snapshot authorization. SnapshotClusterIdentifier *string `type:"string"` // The identifier of the snapshot the account is authorized to restore. @@ -18164,7 +18162,14 @@ type CreateClusterInput struct { // // Default: 5439 // - // Valid Values: 1150-65535 + // Valid Values: + // + // * For clusters with ra3 nodes - Select a port within the ranges 5431-5455 + // or 8191-8215. (If you have an existing cluster with ra3 nodes, it isn't + // required that you change the port to these ranges.) + // + // * For clusters with ds2 or dc2 nodes - Select a port within the range + // 1150-65535. Port *int64 `type:"integer"` // The weekly time range (in UTC) during which automated cluster maintenance @@ -20812,10 +20817,7 @@ type DataShare struct { // accessible cluster. AllowPubliclyAccessibleConsumers *bool `type:"boolean"` - // An Amazon Resource Name (ARN) that references the datashare that is owned - // by a specific namespace of the producer cluster. A datashare ARN is in the - // arn:aws:redshift:{region}:{account-id}:{datashare}:{namespace-guid}/{datashare-name} - // format. + // The Amazon Resource Name (ARN) of the datashare that the consumer is to use. DataShareArn *string `type:"string"` // A value that specifies when the datashare has an association between producer @@ -20825,7 +20827,7 @@ type DataShare struct { // The identifier of a datashare to show its managing entity. ManagedBy *string `type:"string"` - // The Amazon Resource Name (ARN) of the producer. + // The Amazon Resource Name (ARN) of the producer namespace. ProducerArn *string `type:"string"` } @@ -21054,7 +21056,8 @@ type DeauthorizeDataShareInput struct { // ConsumerIdentifier is a required field ConsumerIdentifier *string `type:"string" required:"true"` - // The Amazon Resource Name (ARN) of the datashare to remove authorization from. + // The namespace Amazon Resource Name (ARN) of the datashare to remove authorization + // from. // // DataShareArn is a required field DataShareArn *string `type:"string" required:"true"` @@ -21113,10 +21116,7 @@ type DeauthorizeDataShareOutput struct { // accessible cluster. AllowPubliclyAccessibleConsumers *bool `type:"boolean"` - // An Amazon Resource Name (ARN) that references the datashare that is owned - // by a specific namespace of the producer cluster. A datashare ARN is in the - // arn:aws:redshift:{region}:{account-id}:{datashare}:{namespace-guid}/{datashare-name} - // format. + // The Amazon Resource Name (ARN) of the datashare that the consumer is to use. DataShareArn *string `type:"string"` // A value that specifies when the datashare has an association between producer @@ -21126,7 +21126,7 @@ type DeauthorizeDataShareOutput struct { // The identifier of a datashare to show its managing entity. ManagedBy *string `type:"string"` - // The Amazon Resource Name (ARN) of the producer. + // The Amazon Resource Name (ARN) of the producer namespace. ProducerArn *string `type:"string"` } @@ -24450,8 +24450,8 @@ func (s *DescribeCustomDomainAssociationsOutput) SetMarker(v string) *DescribeCu type DescribeDataSharesForConsumerInput struct { _ struct{} `type:"structure"` - // The Amazon Resource Name (ARN) of the consumer that returns in the list of - // datashares. + // The Amazon Resource Name (ARN) of the consumer namespace that returns in + // the list of datashares. ConsumerArn *string `type:"string"` // An optional parameter that specifies the starting point to return a set of @@ -24578,8 +24578,8 @@ type DescribeDataSharesForProducerInput struct { // set of records by retrying the command with the returned marker value. MaxRecords *int64 `type:"integer"` - // The Amazon Resource Name (ARN) of the producer that returns in the list of - // datashares. + // The Amazon Resource Name (ARN) of the producer namespace that returns in + // the list of datashares. ProducerArn *string `type:"string"` // An identifier giving the status of a datashare in the producer. If this field @@ -24678,7 +24678,7 @@ func (s *DescribeDataSharesForProducerOutput) SetMarker(v string) *DescribeDataS type DescribeDataSharesInput struct { _ struct{} `type:"structure"` - // The identifier of the datashare to describe details of. + // The Amazon resource name (ARN) of the datashare to describe details of. DataShareArn *string `type:"string"` // An optional parameter that specifies the starting point to return a set of @@ -28064,8 +28064,8 @@ func (s *DisableSnapshotCopyOutput) SetCluster(v *Cluster) *DisableSnapshotCopyO type DisassociateDataShareConsumerInput struct { _ struct{} `type:"structure"` - // The Amazon Resource Name (ARN) of the consumer that association for the datashare - // is removed from. + // The Amazon Resource Name (ARN) of the consumer namespace that association + // for the datashare is removed from. ConsumerArn *string `type:"string"` // From a datashare consumer account, removes association of a datashare from @@ -28145,10 +28145,7 @@ type DisassociateDataShareConsumerOutput struct { // accessible cluster. AllowPubliclyAccessibleConsumers *bool `type:"boolean"` - // An Amazon Resource Name (ARN) that references the datashare that is owned - // by a specific namespace of the producer cluster. A datashare ARN is in the - // arn:aws:redshift:{region}:{account-id}:{datashare}:{namespace-guid}/{datashare-name} - // format. + // The Amazon Resource Name (ARN) of the datashare that the consumer is to use. DataShareArn *string `type:"string"` // A value that specifies when the datashare has an association between producer @@ -28158,7 +28155,7 @@ type DisassociateDataShareConsumerOutput struct { // The identifier of a datashare to show its managing entity. ManagedBy *string `type:"string"` - // The Amazon Resource Name (ARN) of the producer. + // The Amazon Resource Name (ARN) of the producer namespace. ProducerArn *string `type:"string"` } @@ -31236,6 +31233,15 @@ type ModifyClusterInput struct { NumberOfNodes *int64 `type:"integer"` // The option to change the port of an Amazon Redshift cluster. + // + // Valid Values: + // + // * For clusters with ra3 nodes - Select a port within the ranges 5431-5455 + // or 8191-8215. (If you have an existing cluster with ra3 nodes, it isn't + // required that you change the port to these ranges.) + // + // * For clusters with ds2 or dc2 nodes - Select a port within the range + // 1150-65535. Port *int64 `type:"integer"` // The weekly time range (in UTC) during which system maintenance can occur, @@ -34683,10 +34689,7 @@ type RejectDataShareOutput struct { // accessible cluster. AllowPubliclyAccessibleConsumers *bool `type:"boolean"` - // An Amazon Resource Name (ARN) that references the datashare that is owned - // by a specific namespace of the producer cluster. A datashare ARN is in the - // arn:aws:redshift:{region}:{account-id}:{datashare}:{namespace-guid}/{datashare-name} - // format. + // The Amazon Resource Name (ARN) of the datashare that the consumer is to use. DataShareArn *string `type:"string"` // A value that specifies when the datashare has an association between producer @@ -34696,7 +34699,7 @@ type RejectDataShareOutput struct { // The identifier of a datashare to show its managing entity. ManagedBy *string `type:"string"` - // The Amazon Resource Name (ARN) of the producer. + // The Amazon Resource Name (ARN) of the producer namespace. ProducerArn *string `type:"string"` } @@ -35762,7 +35765,9 @@ type RestoreFromClusterSnapshotInput struct { // // Default: The same port as the original cluster. // - // Constraints: Must be between 1115 and 65535. + // Valid values: For clusters with ds2 or dc2 nodes, must be within the range + // 1150-65535. For clusters with ra3 nodes, must be within the ranges 5431-5455 + // or 8191-8215. Port *int64 `type:"integer"` // The weekly time range (in UTC) during which automated cluster maintenance diff --git a/service/verifiedpermissions/api.go b/service/verifiedpermissions/api.go index 25ad9f897ab..ca9b9692718 100644 --- a/service/verifiedpermissions/api.go +++ b/service/verifiedpermissions/api.go @@ -240,9 +240,8 @@ func (c *VerifiedPermissions) CreateIdentitySourceRequest(input *CreateIdentityS // defined by the Amazon Cognito user pool. // // Verified Permissions is eventually consistent (https://wikipedia.org/wiki/Eventual_consistency) -// . It can take a few seconds for a new or changed element to be propagate -// through the service and be visible in the results of other Verified Permissions -// operations. +// . It can take a few seconds for a new or changed element to propagate through +// the service and be visible in the results of other Verified Permissions operations. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -401,9 +400,8 @@ func (c *VerifiedPermissions) CreatePolicyRequest(input *CreatePolicyInput) (req // policy isn't stored. // // Verified Permissions is eventually consistent (https://wikipedia.org/wiki/Eventual_consistency) -// . It can take a few seconds for a new or changed element to be propagate -// through the service and be visible in the results of other Verified Permissions -// operations. +// . It can take a few seconds for a new or changed element to propagate through +// the service and be visible in the results of other Verified Permissions operations. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -551,9 +549,8 @@ func (c *VerifiedPermissions) CreatePolicyStoreRequest(input *CreatePolicyStoreI // Verified Permissions currently supports only one namespace per policy store. // // Verified Permissions is eventually consistent (https://wikipedia.org/wiki/Eventual_consistency) -// . It can take a few seconds for a new or changed element to be propagate -// through the service and be visible in the results of other Verified Permissions -// operations. +// . It can take a few seconds for a new or changed element to propagate through +// the service and be visible in the results of other Verified Permissions operations. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -701,9 +698,8 @@ func (c *VerifiedPermissions) CreatePolicyTemplateRequest(input *CreatePolicyTem // policies that are linked to that template are immediately updated as well. // // Verified Permissions is eventually consistent (https://wikipedia.org/wiki/Eventual_consistency) -// . It can take a few seconds for a new or changed element to be propagate -// through the service and be visible in the results of other Verified Permissions -// operations. +// . It can take a few seconds for a new or changed element to propagate through +// the service and be visible in the results of other Verified Permissions operations. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -3163,9 +3159,8 @@ func (c *VerifiedPermissions) PutSchemaRequest(input *PutSchemaInput) (req *requ // it is evaluated against the new schema at that time. // // Verified Permissions is eventually consistent (https://wikipedia.org/wiki/Eventual_consistency) -// . It can take a few seconds for a new or changed element to be propagate -// through the service and be visible in the results of other Verified Permissions -// operations. +// . It can take a few seconds for a new or changed element to propagate through +// the service and be visible in the results of other Verified Permissions operations. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -3312,9 +3307,8 @@ func (c *VerifiedPermissions) UpdateIdentitySourceRequest(input *UpdateIdentityS // principal entity type. // // Verified Permissions is eventually consistent (https://wikipedia.org/wiki/Eventual_consistency) -// . It can take a few seconds for a new or changed element to be propagate -// through the service and be visible in the results of other Verified Permissions -// operations. +// . It can take a few seconds for a new or changed element to propagate through +// the service and be visible in the results of other Verified Permissions operations. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -3464,7 +3458,7 @@ func (c *VerifiedPermissions) UpdatePolicyRequest(input *UpdatePolicyInput) (req // the schema in the policy store. If the updated static policy doesn't pass // validation, the operation fails and the update isn't stored. // -// - When you edit a static policy, You can change only certain elements +// - When you edit a static policy, you can change only certain elements // of a static policy: The action referenced by the policy. A condition clause, // such as when and unless. You can't change these elements of a static policy: // Changing a policy from a static policy to a template-linked policy. Changing @@ -3474,9 +3468,8 @@ func (c *VerifiedPermissions) UpdatePolicyRequest(input *UpdatePolicyInput) (req // - To update a template-linked policy, you must update the template instead. // // Verified Permissions is eventually consistent (https://wikipedia.org/wiki/Eventual_consistency) -// . It can take a few seconds for a new or changed element to be propagate -// through the service and be visible in the results of other Verified Permissions -// operations. +// . It can take a few seconds for a new or changed element to propagate through +// the service and be visible in the results of other Verified Permissions operations. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -3621,9 +3614,8 @@ func (c *VerifiedPermissions) UpdatePolicyStoreRequest(input *UpdatePolicyStoreI // Modifies the validation setting for a policy store. // // Verified Permissions is eventually consistent (https://wikipedia.org/wiki/Eventual_consistency) -// . It can take a few seconds for a new or changed element to be propagate -// through the service and be visible in the results of other Verified Permissions -// operations. +// . It can take a few seconds for a new or changed element to propagate through +// the service and be visible in the results of other Verified Permissions operations. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -3770,9 +3762,8 @@ func (c *VerifiedPermissions) UpdatePolicyTemplateRequest(input *UpdatePolicyTem // that involve all template-linked policies instantiated from this template. // // Verified Permissions is eventually consistent (https://wikipedia.org/wiki/Eventual_consistency) -// . It can take a few seconds for a new or changed element to be propagate -// through the service and be visible in the results of other Verified Permissions -// operations. +// . It can take a few seconds for a new or changed element to propagate through +// the service and be visible in the results of other Verified Permissions operations. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -4466,7 +4457,7 @@ func (s *BatchIsAuthorizedOutputItem) SetRequest(v *BatchIsAuthorizedInputItem) // an Amazon Cognito user pool used as an identity provider for Verified Permissions. // // This data type is used as a field that is part of an Configuration (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_Configuration.html) -// structure that is used as a parameter to the Configuration (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_Configuration.html). +// structure that is used as a parameter to CreateIdentitySource (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html). // // Example:"CognitoUserPoolConfiguration":{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": // ["a1b2c3d4e5f6g7h8i9j0kalbmc"]} @@ -4534,6 +4525,151 @@ func (s *CognitoUserPoolConfiguration) SetUserPoolArn(v string) *CognitoUserPool return s } +// The configuration for an identity source that represents a connection to +// an Amazon Cognito user pool used as an identity provider for Verified Permissions. +// +// This data type is used as a field that is part of an ConfigurationDetail +// (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ConfigurationDetail.html) +// structure that is part of the response to GetIdentitySource (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html). +// +// Example:"CognitoUserPoolConfiguration":{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": +// ["a1b2c3d4e5f6g7h8i9j0kalbmc"]} +type CognitoUserPoolConfigurationDetail struct { + _ struct{} `type:"structure"` + + // The unique application client IDs that are associated with the specified + // Amazon Cognito user pool. + // + // Example: "clientIds": ["&ExampleCogClientId;"] + // + // ClientIds is a required field + ClientIds []*string `locationName:"clientIds" type:"list" required:"true"` + + // The OpenID Connect (OIDC) issuer ID of the Amazon Cognito user pool that + // contains the identities to be authorized. + // + // Example: "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_1a2b3c4d5" + // + // Issuer is a required field + Issuer *string `locationName:"issuer" min:"1" type:"string" required:"true"` + + // The Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // of the Amazon Cognito user pool that contains the identities to be authorized. + // + // Example: "userPoolArn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5" + // + // UserPoolArn is a required field + UserPoolArn *string `locationName:"userPoolArn" min:"1" type:"string" required:"true"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CognitoUserPoolConfigurationDetail) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CognitoUserPoolConfigurationDetail) GoString() string { + return s.String() +} + +// SetClientIds sets the ClientIds field's value. +func (s *CognitoUserPoolConfigurationDetail) SetClientIds(v []*string) *CognitoUserPoolConfigurationDetail { + s.ClientIds = v + return s +} + +// SetIssuer sets the Issuer field's value. +func (s *CognitoUserPoolConfigurationDetail) SetIssuer(v string) *CognitoUserPoolConfigurationDetail { + s.Issuer = &v + return s +} + +// SetUserPoolArn sets the UserPoolArn field's value. +func (s *CognitoUserPoolConfigurationDetail) SetUserPoolArn(v string) *CognitoUserPoolConfigurationDetail { + s.UserPoolArn = &v + return s +} + +// The configuration for an identity source that represents a connection to +// an Amazon Cognito user pool used as an identity provider for Verified Permissions. +// +// This data type is used as a field that is part of the ConfigurationItem (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ConfigurationItem.html) +// structure that is part of the response to ListIdentitySources (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html). +// +// Example:"CognitoUserPoolConfiguration":{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds": +// ["a1b2c3d4e5f6g7h8i9j0kalbmc"]} +type CognitoUserPoolConfigurationItem struct { + _ struct{} `type:"structure"` + + // The unique application client IDs that are associated with the specified + // Amazon Cognito user pool. + // + // Example: "clientIds": ["&ExampleCogClientId;"] + // + // ClientIds is a required field + ClientIds []*string `locationName:"clientIds" type:"list" required:"true"` + + // The OpenID Connect (OIDC) issuer ID of the Amazon Cognito user pool that + // contains the identities to be authorized. + // + // Example: "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_1a2b3c4d5" + // + // Issuer is a required field + Issuer *string `locationName:"issuer" min:"1" type:"string" required:"true"` + + // The Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // of the Amazon Cognito user pool that contains the identities to be authorized. + // + // Example: "userPoolArn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5" + // + // UserPoolArn is a required field + UserPoolArn *string `locationName:"userPoolArn" min:"1" type:"string" required:"true"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CognitoUserPoolConfigurationItem) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CognitoUserPoolConfigurationItem) GoString() string { + return s.String() +} + +// SetClientIds sets the ClientIds field's value. +func (s *CognitoUserPoolConfigurationItem) SetClientIds(v []*string) *CognitoUserPoolConfigurationItem { + s.ClientIds = v + return s +} + +// SetIssuer sets the Issuer field's value. +func (s *CognitoUserPoolConfigurationItem) SetIssuer(v string) *CognitoUserPoolConfigurationItem { + s.Issuer = &v + return s +} + +// SetUserPoolArn sets the UserPoolArn field's value. +func (s *CognitoUserPoolConfigurationItem) SetUserPoolArn(v string) *CognitoUserPoolConfigurationItem { + s.UserPoolArn = &v + return s +} + // Contains configuration information used when creating a new identity source. // // At this time, the only valid member of this structure is a Amazon Cognito @@ -4596,6 +4732,88 @@ func (s *Configuration) SetCognitoUserPoolConfiguration(v *CognitoUserPoolConfig return s } +// Contains configuration information about an identity source. +// +// This data type is a response parameter to the GetIdentitySource (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html) +// operation. +type ConfigurationDetail struct { + _ struct{} `type:"structure"` + + // Contains configuration details of a Amazon Cognito user pool that Verified + // Permissions can use as a source of authenticated identities as entities. + // It specifies the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // of a Amazon Cognito user pool and one or more application client IDs. + // + // Example: "configuration":{"cognitoUserPoolConfiguration":{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds": + // ["a1b2c3d4e5f6g7h8i9j0kalbmc"]}} + CognitoUserPoolConfiguration *CognitoUserPoolConfigurationDetail `locationName:"cognitoUserPoolConfiguration" type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ConfigurationDetail) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ConfigurationDetail) GoString() string { + return s.String() +} + +// SetCognitoUserPoolConfiguration sets the CognitoUserPoolConfiguration field's value. +func (s *ConfigurationDetail) SetCognitoUserPoolConfiguration(v *CognitoUserPoolConfigurationDetail) *ConfigurationDetail { + s.CognitoUserPoolConfiguration = v + return s +} + +// Contains configuration information about an identity source. +// +// This data type is a response parameter to the ListIdentitySources (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html) +// operation. +type ConfigurationItem struct { + _ struct{} `type:"structure"` + + // Contains configuration details of a Amazon Cognito user pool that Verified + // Permissions can use as a source of authenticated identities as entities. + // It specifies the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // of a Amazon Cognito user pool and one or more application client IDs. + // + // Example: "configuration":{"cognitoUserPoolConfiguration":{"userPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","clientIds": + // ["a1b2c3d4e5f6g7h8i9j0kalbmc"]}} + CognitoUserPoolConfiguration *CognitoUserPoolConfigurationItem `locationName:"cognitoUserPoolConfiguration" type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ConfigurationItem) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ConfigurationItem) GoString() string { + return s.String() +} + +// SetCognitoUserPoolConfiguration sets the CognitoUserPoolConfiguration field's value. +func (s *ConfigurationItem) SetCognitoUserPoolConfiguration(v *CognitoUserPoolConfigurationItem) *ConfigurationItem { + s.CognitoUserPoolConfiguration = v + return s +} + // The request failed because another request to modify a resource occurred // at the same. type ConflictException struct { @@ -4744,7 +4962,11 @@ type CreateIdentitySourceInput struct { // one for you. // // If you retry the operation with the same ClientToken, but with different - // parameters, the retry fails with an IdempotentParameterMismatch error. + // parameters, the retry fails with an ConflictException error. + // + // Verified Permissions recognizes a ClientToken for eight hours. After eight + // hours, the next request with the same parameters performs the operation again + // regardless of the value of ClientToken. ClientToken *string `locationName:"clientToken" min:"1" type:"string" idempotencyToken:"true"` // Specifies the details required to communicate with the identity provider @@ -4925,7 +5147,11 @@ type CreatePolicyInput struct { // one for you. // // If you retry the operation with the same ClientToken, but with different - // parameters, the retry fails with an IdempotentParameterMismatch error. + // parameters, the retry fails with an ConflictException error. + // + // Verified Permissions recognizes a ClientToken for eight hours. After eight + // hours, the next request with the same parameters performs the operation again + // regardless of the value of ClientToken. ClientToken *string `locationName:"clientToken" min:"1" type:"string" idempotencyToken:"true"` // A structure that specifies the policy type and content to use for the new @@ -5115,7 +5341,11 @@ type CreatePolicyStoreInput struct { // one for you. // // If you retry the operation with the same ClientToken, but with different - // parameters, the retry fails with an IdempotentParameterMismatch error. + // parameters, the retry fails with an ConflictException error. + // + // Verified Permissions recognizes a ClientToken for eight hours. After eight + // hours, the next request with the same parameters performs the operation again + // regardless of the value of ClientToken. ClientToken *string `locationName:"clientToken" min:"1" type:"string" idempotencyToken:"true"` // Descriptive text that you can provide to help with identification of the @@ -5277,7 +5507,11 @@ type CreatePolicyTemplateInput struct { // one for you. // // If you retry the operation with the same ClientToken, but with different - // parameters, the retry fails with an IdempotentParameterMismatch error. + // parameters, the retry fails with an ConflictException error. + // + // Verified Permissions recognizes a ClientToken for eight hours. After eight + // hours, the next request with the same parameters performs the operation again + // regardless of the value of ClientToken. ClientToken *string `locationName:"clientToken" min:"1" type:"string" idempotencyToken:"true"` // Specifies a description for the policy template. @@ -6237,6 +6471,9 @@ func (s *GetIdentitySourceInput) SetPolicyStoreId(v string) *GetIdentitySourceIn type GetIdentitySourceOutput struct { _ struct{} `type:"structure"` + // Contains configuration information about an identity source. + Configuration *ConfigurationDetail `locationName:"configuration" type:"structure"` + // The date and time that the identity source was originally created. // // CreatedDate is a required field @@ -6244,8 +6481,8 @@ type GetIdentitySourceOutput struct { // A structure that describes the configuration of the identity source. // - // Details is a required field - Details *IdentitySourceDetails `locationName:"details" type:"structure" required:"true"` + // Deprecated: This attribute has been replaced by configuration.cognitoUserPoolConfiguration + Details *IdentitySourceDetails `locationName:"details" deprecated:"true" type:"structure"` // The ID of the identity source. // @@ -6291,6 +6528,12 @@ func (s GetIdentitySourceOutput) GoString() string { return s.String() } +// SetConfiguration sets the Configuration field's value. +func (s *GetIdentitySourceOutput) SetConfiguration(v *ConfigurationDetail) *GetIdentitySourceOutput { + s.Configuration = v + return s +} + // SetCreatedDate sets the CreatedDate field's value. func (s *GetIdentitySourceOutput) SetCreatedDate(v time.Time) *GetIdentitySourceOutput { s.CreatedDate = &v @@ -6935,15 +7178,18 @@ func (s *GetSchemaOutput) SetSchema(v string) *GetSchemaOutput { // A structure that contains configuration of the identity source. // -// This data type is used as a response parameter for the CreateIdentitySource -// (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html) -// operation. +// This data type was a response parameter for the GetIdentitySource (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html) +// operation. Replaced by ConfigurationDetail (https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ConfigurationDetail.html). +// +// Deprecated: This shape has been replaced by ConfigurationDetail type IdentitySourceDetails struct { - _ struct{} `type:"structure"` + _ struct{} `deprecated:"true" type:"structure"` // The application client IDs associated with the specified Amazon Cognito user // pool that are enabled for this identity source. - ClientIds []*string `locationName:"clientIds" type:"list"` + // + // Deprecated: This attribute has been replaced by configuration.cognitoUserPoolConfiguration.clientIds + ClientIds []*string `locationName:"clientIds" deprecated:"true" type:"list"` // The well-known URL that points to this user pool's OIDC discovery endpoint. // This is a URL string in the following format. This URL replaces the placeholders @@ -6951,18 +7197,24 @@ type IdentitySourceDetails struct { // those appropriate for this user pool. // // https://cognito-idp.