From c9dfef1303fe1b1322114786c2179fe64417325a Mon Sep 17 00:00:00 2001 From: awstools Date: Thu, 14 Nov 2024 19:14:44 +0000 Subject: [PATCH] feat(client-iam): This release includes support for five new APIs and changes to existing APIs that give AWS Organizations customers the ability to use temporary root credentials, targeted to member accounts in the organization. --- clients/client-iam/README.md | 40 + clients/client-iam/src/IAM.ts | 123 +++ clients/client-iam/src/IAMClient.ts | 30 + .../src/commands/CreateLoginProfileCommand.ts | 4 +- .../commands/DeactivateMFADeviceCommand.ts | 2 +- .../src/commands/DeleteLoginProfileCommand.ts | 2 +- ...zationsRootCredentialsManagementCommand.ts | 121 +++ ...DisableOrganizationsRootSessionsCommand.ts | 117 +++ ...zationsRootCredentialsManagementCommand.ts | 137 +++ .../EnableOrganizationsRootSessionsCommand.ts | 132 +++ .../src/commands/GetLoginProfileCommand.ts | 2 +- .../src/commands/ListAccountAliasesCommand.ts | 6 +- .../ListOrganizationsFeaturesCommand.ts | 110 +++ .../commands/SimulateCustomPolicyCommand.ts | 3 +- .../SimulatePrincipalPolicyCommand.ts | 2 +- .../src/commands/TagInstanceProfileCommand.ts | 2 +- .../src/commands/TagMFADeviceCommand.ts | 2 +- .../TagOpenIDConnectProviderCommand.ts | 2 +- .../src/commands/TagPolicyCommand.ts | 2 +- .../client-iam/src/commands/TagRoleCommand.ts | 2 +- .../src/commands/TagSAMLProviderCommand.ts | 2 +- .../commands/TagServerCertificateCommand.ts | 2 +- .../client-iam/src/commands/TagUserCommand.ts | 2 +- clients/client-iam/src/commands/index.ts | 5 + clients/client-iam/src/models/models_0.ts | 930 +++++------------- clients/client-iam/src/models/models_1.ts | 676 ++++++++++++- clients/client-iam/src/protocols/Aws_query.ts | 584 ++++++++++- codegen/sdk-codegen/aws-models/iam.json | 460 ++++++++- 28 files changed, 2788 insertions(+), 714 deletions(-) create mode 100644 clients/client-iam/src/commands/DisableOrganizationsRootCredentialsManagementCommand.ts create mode 100644 clients/client-iam/src/commands/DisableOrganizationsRootSessionsCommand.ts create mode 100644 clients/client-iam/src/commands/EnableOrganizationsRootCredentialsManagementCommand.ts create mode 100644 clients/client-iam/src/commands/EnableOrganizationsRootSessionsCommand.ts create mode 100644 clients/client-iam/src/commands/ListOrganizationsFeaturesCommand.ts diff --git a/clients/client-iam/README.md b/clients/client-iam/README.md index a8ec6c9c0e460..ce4724f4bfff4 100644 --- a/clients/client-iam/README.md +++ b/clients/client-iam/README.md @@ -591,6 +591,22 @@ DetachUserPolicy [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DetachUserPolicyCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/DetachUserPolicyCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/DetachUserPolicyCommandOutput/) + +
+ +DisableOrganizationsRootCredentialsManagement + + +[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DisableOrganizationsRootCredentialsManagementCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/DisableOrganizationsRootCredentialsManagementCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/DisableOrganizationsRootCredentialsManagementCommandOutput/) + +
+
+ +DisableOrganizationsRootSessions + + +[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DisableOrganizationsRootSessionsCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/DisableOrganizationsRootSessionsCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/DisableOrganizationsRootSessionsCommandOutput/) +
@@ -599,6 +615,22 @@ EnableMFADevice [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/EnableMFADeviceCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/EnableMFADeviceCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/EnableMFADeviceCommandOutput/) +
+
+ +EnableOrganizationsRootCredentialsManagement + + +[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/EnableOrganizationsRootCredentialsManagementCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/EnableOrganizationsRootCredentialsManagementCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/EnableOrganizationsRootCredentialsManagementCommandOutput/) + +
+
+ +EnableOrganizationsRootSessions + + +[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/EnableOrganizationsRootSessionsCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/EnableOrganizationsRootSessionsCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/EnableOrganizationsRootSessionsCommandOutput/) +
@@ -959,6 +991,14 @@ ListOpenIDConnectProviderTags [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListOpenIDConnectProviderTagsCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/ListOpenIDConnectProviderTagsCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/ListOpenIDConnectProviderTagsCommandOutput/) +
+
+ +ListOrganizationsFeatures + + +[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/ListOrganizationsFeaturesCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/ListOrganizationsFeaturesCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-iam/Interface/ListOrganizationsFeaturesCommandOutput/) +
diff --git a/clients/client-iam/src/IAM.ts b/clients/client-iam/src/IAM.ts index fd7b143d94b85..764e9bfd911af 100644 --- a/clients/client-iam/src/IAM.ts +++ b/clients/client-iam/src/IAM.ts @@ -218,11 +218,31 @@ import { DetachUserPolicyCommandInput, DetachUserPolicyCommandOutput, } from "./commands/DetachUserPolicyCommand"; +import { + DisableOrganizationsRootCredentialsManagementCommand, + DisableOrganizationsRootCredentialsManagementCommandInput, + DisableOrganizationsRootCredentialsManagementCommandOutput, +} from "./commands/DisableOrganizationsRootCredentialsManagementCommand"; +import { + DisableOrganizationsRootSessionsCommand, + DisableOrganizationsRootSessionsCommandInput, + DisableOrganizationsRootSessionsCommandOutput, +} from "./commands/DisableOrganizationsRootSessionsCommand"; import { EnableMFADeviceCommand, EnableMFADeviceCommandInput, EnableMFADeviceCommandOutput, } from "./commands/EnableMFADeviceCommand"; +import { + EnableOrganizationsRootCredentialsManagementCommand, + EnableOrganizationsRootCredentialsManagementCommandInput, + EnableOrganizationsRootCredentialsManagementCommandOutput, +} from "./commands/EnableOrganizationsRootCredentialsManagementCommand"; +import { + EnableOrganizationsRootSessionsCommand, + EnableOrganizationsRootSessionsCommandInput, + EnableOrganizationsRootSessionsCommandOutput, +} from "./commands/EnableOrganizationsRootSessionsCommand"; import { GenerateCredentialReportCommand, GenerateCredentialReportCommandInput, @@ -428,6 +448,11 @@ import { ListOpenIDConnectProviderTagsCommandInput, ListOpenIDConnectProviderTagsCommandOutput, } from "./commands/ListOpenIDConnectProviderTagsCommand"; +import { + ListOrganizationsFeaturesCommand, + ListOrganizationsFeaturesCommandInput, + ListOrganizationsFeaturesCommandOutput, +} from "./commands/ListOrganizationsFeaturesCommand"; import { ListPoliciesCommand, ListPoliciesCommandInput, @@ -760,7 +785,11 @@ const commands = { DetachGroupPolicyCommand, DetachRolePolicyCommand, DetachUserPolicyCommand, + DisableOrganizationsRootCredentialsManagementCommand, + DisableOrganizationsRootSessionsCommand, EnableMFADeviceCommand, + EnableOrganizationsRootCredentialsManagementCommand, + EnableOrganizationsRootSessionsCommand, GenerateCredentialReportCommand, GenerateOrganizationsAccessReportCommand, GenerateServiceLastAccessedDetailsCommand, @@ -806,6 +835,7 @@ const commands = { ListMFADeviceTagsCommand, ListOpenIDConnectProvidersCommand, ListOpenIDConnectProviderTagsCommand, + ListOrganizationsFeaturesCommand, ListPoliciesCommand, ListPoliciesGrantingServiceAccessCommand, ListPolicyTagsCommand, @@ -1050,6 +1080,7 @@ export interface IAM { /** * @see {@link CreateLoginProfileCommand} */ + createLoginProfile(): Promise; createLoginProfile( args: CreateLoginProfileCommandInput, options?: __HttpHandlerOptions @@ -1313,6 +1344,7 @@ export interface IAM { /** * @see {@link DeleteLoginProfileCommand} */ + deleteLoginProfile(): Promise; deleteLoginProfile( args: DeleteLoginProfileCommandInput, options?: __HttpHandlerOptions @@ -1632,6 +1664,42 @@ export interface IAM { cb: (err: any, data?: DetachUserPolicyCommandOutput) => void ): void; + /** + * @see {@link DisableOrganizationsRootCredentialsManagementCommand} + */ + disableOrganizationsRootCredentialsManagement(): Promise; + disableOrganizationsRootCredentialsManagement( + args: DisableOrganizationsRootCredentialsManagementCommandInput, + options?: __HttpHandlerOptions + ): Promise; + disableOrganizationsRootCredentialsManagement( + args: DisableOrganizationsRootCredentialsManagementCommandInput, + cb: (err: any, data?: DisableOrganizationsRootCredentialsManagementCommandOutput) => void + ): void; + disableOrganizationsRootCredentialsManagement( + args: DisableOrganizationsRootCredentialsManagementCommandInput, + options: __HttpHandlerOptions, + cb: (err: any, data?: DisableOrganizationsRootCredentialsManagementCommandOutput) => void + ): void; + + /** + * @see {@link DisableOrganizationsRootSessionsCommand} + */ + disableOrganizationsRootSessions(): Promise; + disableOrganizationsRootSessions( + args: DisableOrganizationsRootSessionsCommandInput, + options?: __HttpHandlerOptions + ): Promise; + disableOrganizationsRootSessions( + args: DisableOrganizationsRootSessionsCommandInput, + cb: (err: any, data?: DisableOrganizationsRootSessionsCommandOutput) => void + ): void; + disableOrganizationsRootSessions( + args: DisableOrganizationsRootSessionsCommandInput, + options: __HttpHandlerOptions, + cb: (err: any, data?: DisableOrganizationsRootSessionsCommandOutput) => void + ): void; + /** * @see {@link EnableMFADeviceCommand} */ @@ -1646,6 +1714,42 @@ export interface IAM { cb: (err: any, data?: EnableMFADeviceCommandOutput) => void ): void; + /** + * @see {@link EnableOrganizationsRootCredentialsManagementCommand} + */ + enableOrganizationsRootCredentialsManagement(): Promise; + enableOrganizationsRootCredentialsManagement( + args: EnableOrganizationsRootCredentialsManagementCommandInput, + options?: __HttpHandlerOptions + ): Promise; + enableOrganizationsRootCredentialsManagement( + args: EnableOrganizationsRootCredentialsManagementCommandInput, + cb: (err: any, data?: EnableOrganizationsRootCredentialsManagementCommandOutput) => void + ): void; + enableOrganizationsRootCredentialsManagement( + args: EnableOrganizationsRootCredentialsManagementCommandInput, + options: __HttpHandlerOptions, + cb: (err: any, data?: EnableOrganizationsRootCredentialsManagementCommandOutput) => void + ): void; + + /** + * @see {@link EnableOrganizationsRootSessionsCommand} + */ + enableOrganizationsRootSessions(): Promise; + enableOrganizationsRootSessions( + args: EnableOrganizationsRootSessionsCommandInput, + options?: __HttpHandlerOptions + ): Promise; + enableOrganizationsRootSessions( + args: EnableOrganizationsRootSessionsCommandInput, + cb: (err: any, data?: EnableOrganizationsRootSessionsCommandOutput) => void + ): void; + enableOrganizationsRootSessions( + args: EnableOrganizationsRootSessionsCommandInput, + options: __HttpHandlerOptions, + cb: (err: any, data?: EnableOrganizationsRootSessionsCommandOutput) => void + ): void; + /** * @see {@link GenerateCredentialReportCommand} */ @@ -1866,6 +1970,7 @@ export interface IAM { /** * @see {@link GetLoginProfileCommand} */ + getLoginProfile(): Promise; getLoginProfile( args: GetLoginProfileCommandInput, options?: __HttpHandlerOptions @@ -2357,6 +2462,24 @@ export interface IAM { cb: (err: any, data?: ListOpenIDConnectProviderTagsCommandOutput) => void ): void; + /** + * @see {@link ListOrganizationsFeaturesCommand} + */ + listOrganizationsFeatures(): Promise; + listOrganizationsFeatures( + args: ListOrganizationsFeaturesCommandInput, + options?: __HttpHandlerOptions + ): Promise; + listOrganizationsFeatures( + args: ListOrganizationsFeaturesCommandInput, + cb: (err: any, data?: ListOrganizationsFeaturesCommandOutput) => void + ): void; + listOrganizationsFeatures( + args: ListOrganizationsFeaturesCommandInput, + options: __HttpHandlerOptions, + cb: (err: any, data?: ListOrganizationsFeaturesCommandOutput) => void + ): void; + /** * @see {@link ListPoliciesCommand} */ diff --git a/clients/client-iam/src/IAMClient.ts b/clients/client-iam/src/IAMClient.ts index 79a84daf64e42..eaa3a63430185 100644 --- a/clients/client-iam/src/IAMClient.ts +++ b/clients/client-iam/src/IAMClient.ts @@ -161,7 +161,23 @@ import { import { DetachGroupPolicyCommandInput, DetachGroupPolicyCommandOutput } from "./commands/DetachGroupPolicyCommand"; import { DetachRolePolicyCommandInput, DetachRolePolicyCommandOutput } from "./commands/DetachRolePolicyCommand"; import { DetachUserPolicyCommandInput, DetachUserPolicyCommandOutput } from "./commands/DetachUserPolicyCommand"; +import { + DisableOrganizationsRootCredentialsManagementCommandInput, + DisableOrganizationsRootCredentialsManagementCommandOutput, +} from "./commands/DisableOrganizationsRootCredentialsManagementCommand"; +import { + DisableOrganizationsRootSessionsCommandInput, + DisableOrganizationsRootSessionsCommandOutput, +} from "./commands/DisableOrganizationsRootSessionsCommand"; import { EnableMFADeviceCommandInput, EnableMFADeviceCommandOutput } from "./commands/EnableMFADeviceCommand"; +import { + EnableOrganizationsRootCredentialsManagementCommandInput, + EnableOrganizationsRootCredentialsManagementCommandOutput, +} from "./commands/EnableOrganizationsRootCredentialsManagementCommand"; +import { + EnableOrganizationsRootSessionsCommandInput, + EnableOrganizationsRootSessionsCommandOutput, +} from "./commands/EnableOrganizationsRootSessionsCommand"; import { GenerateCredentialReportCommandInput, GenerateCredentialReportCommandOutput, @@ -279,6 +295,10 @@ import { ListOpenIDConnectProviderTagsCommandInput, ListOpenIDConnectProviderTagsCommandOutput, } from "./commands/ListOpenIDConnectProviderTagsCommand"; +import { + ListOrganizationsFeaturesCommandInput, + ListOrganizationsFeaturesCommandOutput, +} from "./commands/ListOrganizationsFeaturesCommand"; import { ListPoliciesCommandInput, ListPoliciesCommandOutput } from "./commands/ListPoliciesCommand"; import { ListPoliciesGrantingServiceAccessCommandInput, @@ -500,7 +520,11 @@ export type ServiceInputTypes = | DetachGroupPolicyCommandInput | DetachRolePolicyCommandInput | DetachUserPolicyCommandInput + | DisableOrganizationsRootCredentialsManagementCommandInput + | DisableOrganizationsRootSessionsCommandInput | EnableMFADeviceCommandInput + | EnableOrganizationsRootCredentialsManagementCommandInput + | EnableOrganizationsRootSessionsCommandInput | GenerateCredentialReportCommandInput | GenerateOrganizationsAccessReportCommandInput | GenerateServiceLastAccessedDetailsCommandInput @@ -546,6 +570,7 @@ export type ServiceInputTypes = | ListMFADevicesCommandInput | ListOpenIDConnectProviderTagsCommandInput | ListOpenIDConnectProvidersCommandInput + | ListOrganizationsFeaturesCommandInput | ListPoliciesCommandInput | ListPoliciesGrantingServiceAccessCommandInput | ListPolicyTagsCommandInput @@ -664,7 +689,11 @@ export type ServiceOutputTypes = | DetachGroupPolicyCommandOutput | DetachRolePolicyCommandOutput | DetachUserPolicyCommandOutput + | DisableOrganizationsRootCredentialsManagementCommandOutput + | DisableOrganizationsRootSessionsCommandOutput | EnableMFADeviceCommandOutput + | EnableOrganizationsRootCredentialsManagementCommandOutput + | EnableOrganizationsRootSessionsCommandOutput | GenerateCredentialReportCommandOutput | GenerateOrganizationsAccessReportCommandOutput | GenerateServiceLastAccessedDetailsCommandOutput @@ -710,6 +739,7 @@ export type ServiceOutputTypes = | ListMFADevicesCommandOutput | ListOpenIDConnectProviderTagsCommandOutput | ListOpenIDConnectProvidersCommandOutput + | ListOrganizationsFeaturesCommandOutput | ListPoliciesCommandOutput | ListPoliciesGrantingServiceAccessCommandOutput | ListPolicyTagsCommandOutput diff --git a/clients/client-iam/src/commands/CreateLoginProfileCommand.ts b/clients/client-iam/src/commands/CreateLoginProfileCommand.ts index e12954197c94d..98e072d5edf41 100644 --- a/clients/client-iam/src/commands/CreateLoginProfileCommand.ts +++ b/clients/client-iam/src/commands/CreateLoginProfileCommand.ts @@ -45,8 +45,8 @@ export interface CreateLoginProfileCommandOutput extends CreateLoginProfileRespo * // const { IAMClient, CreateLoginProfileCommand } = require("@aws-sdk/client-iam"); // CommonJS import * const client = new IAMClient(config); * const input = { // CreateLoginProfileRequest - * UserName: "STRING_VALUE", // required - * Password: "STRING_VALUE", // required + * UserName: "STRING_VALUE", + * Password: "STRING_VALUE", * PasswordResetRequired: true || false, * }; * const command = new CreateLoginProfileCommand(input); diff --git a/clients/client-iam/src/commands/DeactivateMFADeviceCommand.ts b/clients/client-iam/src/commands/DeactivateMFADeviceCommand.ts index 00c3a552ea233..312e8c0b2f107 100644 --- a/clients/client-iam/src/commands/DeactivateMFADeviceCommand.ts +++ b/clients/client-iam/src/commands/DeactivateMFADeviceCommand.ts @@ -40,7 +40,7 @@ export interface DeactivateMFADeviceCommandOutput extends __MetadataBearer {} * // const { IAMClient, DeactivateMFADeviceCommand } = require("@aws-sdk/client-iam"); // CommonJS import * const client = new IAMClient(config); * const input = { // DeactivateMFADeviceRequest - * UserName: "STRING_VALUE", // required + * UserName: "STRING_VALUE", * SerialNumber: "STRING_VALUE", // required * }; * const command = new DeactivateMFADeviceCommand(input); diff --git a/clients/client-iam/src/commands/DeleteLoginProfileCommand.ts b/clients/client-iam/src/commands/DeleteLoginProfileCommand.ts index cb130b3cd71bf..22ee75554f366 100644 --- a/clients/client-iam/src/commands/DeleteLoginProfileCommand.ts +++ b/clients/client-iam/src/commands/DeleteLoginProfileCommand.ts @@ -48,7 +48,7 @@ export interface DeleteLoginProfileCommandOutput extends __MetadataBearer {} * // const { IAMClient, DeleteLoginProfileCommand } = require("@aws-sdk/client-iam"); // CommonJS import * const client = new IAMClient(config); * const input = { // DeleteLoginProfileRequest - * UserName: "STRING_VALUE", // required + * UserName: "STRING_VALUE", * }; * const command = new DeleteLoginProfileCommand(input); * const response = await client.send(command); diff --git a/clients/client-iam/src/commands/DisableOrganizationsRootCredentialsManagementCommand.ts b/clients/client-iam/src/commands/DisableOrganizationsRootCredentialsManagementCommand.ts new file mode 100644 index 0000000000000..8626c56f5cca3 --- /dev/null +++ b/clients/client-iam/src/commands/DisableOrganizationsRootCredentialsManagementCommand.ts @@ -0,0 +1,121 @@ +// smithy-typescript generated code +import { getEndpointPlugin } from "@smithy/middleware-endpoint"; +import { getSerdePlugin } from "@smithy/middleware-serde"; +import { Command as $Command } from "@smithy/smithy-client"; +import { MetadataBearer as __MetadataBearer } from "@smithy/types"; + +import { commonParams } from "../endpoint/EndpointParameters"; +import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; +import { + DisableOrganizationsRootCredentialsManagementRequest, + DisableOrganizationsRootCredentialsManagementResponse, +} from "../models/models_0"; +import { + de_DisableOrganizationsRootCredentialsManagementCommand, + se_DisableOrganizationsRootCredentialsManagementCommand, +} from "../protocols/Aws_query"; + +/** + * @public + */ +export type { __MetadataBearer }; +export { $Command }; +/** + * @public + * + * The input for {@link DisableOrganizationsRootCredentialsManagementCommand}. + */ +export interface DisableOrganizationsRootCredentialsManagementCommandInput + extends DisableOrganizationsRootCredentialsManagementRequest {} +/** + * @public + * + * The output of {@link DisableOrganizationsRootCredentialsManagementCommand}. + */ +export interface DisableOrganizationsRootCredentialsManagementCommandOutput + extends DisableOrganizationsRootCredentialsManagementResponse, + __MetadataBearer {} + +/** + *

Disables the management of privileged root user credentials across member accounts in + * your organization. When you disable this feature, the management account and the + * delegated admininstrator for IAM can no longer manage root user credentials for member + * accounts in your organization.

+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { IAMClient, DisableOrganizationsRootCredentialsManagementCommand } from "@aws-sdk/client-iam"; // ES Modules import + * // const { IAMClient, DisableOrganizationsRootCredentialsManagementCommand } = require("@aws-sdk/client-iam"); // CommonJS import + * const client = new IAMClient(config); + * const input = {}; + * const command = new DisableOrganizationsRootCredentialsManagementCommand(input); + * const response = await client.send(command); + * // { // DisableOrganizationsRootCredentialsManagementResponse + * // OrganizationId: "STRING_VALUE", + * // EnabledFeatures: [ // FeaturesListType + * // "RootCredentialsManagement" || "RootSessions", + * // ], + * // }; + * + * ``` + * + * @param DisableOrganizationsRootCredentialsManagementCommandInput - {@link DisableOrganizationsRootCredentialsManagementCommandInput} + * @returns {@link DisableOrganizationsRootCredentialsManagementCommandOutput} + * @see {@link DisableOrganizationsRootCredentialsManagementCommandInput} for command's `input` shape. + * @see {@link DisableOrganizationsRootCredentialsManagementCommandOutput} for command's `response` shape. + * @see {@link IAMClientResolvedConfig | config} for IAMClient's `config` shape. + * + * @throws {@link AccountNotManagementOrDelegatedAdministratorException} (client fault) + *

The request was rejected because the account making the request is not the management + * account or delegated administrator account for centralized root + * access.

+ * + * @throws {@link OrganizationNotFoundException} (client fault) + *

The request was rejected because no organization is associated with your account.

+ * + * @throws {@link OrganizationNotInAllFeaturesModeException} (client fault) + *

The request was rejected because your organization does not have All features enabled. For + * more information, see Available feature sets in the Organizations User + * Guide.

+ * + * @throws {@link ServiceAccessNotEnabledException} (client fault) + *

The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the Organizations User Guide.

+ * + * @throws {@link IAMServiceException} + *

Base exception class for all service exceptions from IAM service.

+ * + * @public + */ +export class DisableOrganizationsRootCredentialsManagementCommand extends $Command + .classBuilder< + DisableOrganizationsRootCredentialsManagementCommandInput, + DisableOrganizationsRootCredentialsManagementCommandOutput, + IAMClientResolvedConfig, + ServiceInputTypes, + ServiceOutputTypes + >() + .ep(commonParams) + .m(function (this: any, Command: any, cs: any, config: IAMClientResolvedConfig, o: any) { + return [ + getSerdePlugin(config, this.serialize, this.deserialize), + getEndpointPlugin(config, Command.getEndpointParameterInstructions()), + ]; + }) + .s("AWSIdentityManagementV20100508", "DisableOrganizationsRootCredentialsManagement", {}) + .n("IAMClient", "DisableOrganizationsRootCredentialsManagementCommand") + .f(void 0, void 0) + .ser(se_DisableOrganizationsRootCredentialsManagementCommand) + .de(de_DisableOrganizationsRootCredentialsManagementCommand) + .build() { + /** @internal type navigation helper, not in runtime. */ + protected declare static __types: { + api: { + input: {}; + output: DisableOrganizationsRootCredentialsManagementResponse; + }; + sdk: { + input: DisableOrganizationsRootCredentialsManagementCommandInput; + output: DisableOrganizationsRootCredentialsManagementCommandOutput; + }; + }; +} diff --git a/clients/client-iam/src/commands/DisableOrganizationsRootSessionsCommand.ts b/clients/client-iam/src/commands/DisableOrganizationsRootSessionsCommand.ts new file mode 100644 index 0000000000000..d8059dae4d463 --- /dev/null +++ b/clients/client-iam/src/commands/DisableOrganizationsRootSessionsCommand.ts @@ -0,0 +1,117 @@ +// smithy-typescript generated code +import { getEndpointPlugin } from "@smithy/middleware-endpoint"; +import { getSerdePlugin } from "@smithy/middleware-serde"; +import { Command as $Command } from "@smithy/smithy-client"; +import { MetadataBearer as __MetadataBearer } from "@smithy/types"; + +import { commonParams } from "../endpoint/EndpointParameters"; +import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; +import { DisableOrganizationsRootSessionsRequest, DisableOrganizationsRootSessionsResponse } from "../models/models_0"; +import { + de_DisableOrganizationsRootSessionsCommand, + se_DisableOrganizationsRootSessionsCommand, +} from "../protocols/Aws_query"; + +/** + * @public + */ +export type { __MetadataBearer }; +export { $Command }; +/** + * @public + * + * The input for {@link DisableOrganizationsRootSessionsCommand}. + */ +export interface DisableOrganizationsRootSessionsCommandInput extends DisableOrganizationsRootSessionsRequest {} +/** + * @public + * + * The output of {@link DisableOrganizationsRootSessionsCommand}. + */ +export interface DisableOrganizationsRootSessionsCommandOutput + extends DisableOrganizationsRootSessionsResponse, + __MetadataBearer {} + +/** + *

Disables root user sessions for privileged tasks across member accounts in your + * organization. When you disable this feature, the management account and the delegated + * admininstrator for IAM can no longer perform privileged tasks on member accounts in + * your organization.

+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { IAMClient, DisableOrganizationsRootSessionsCommand } from "@aws-sdk/client-iam"; // ES Modules import + * // const { IAMClient, DisableOrganizationsRootSessionsCommand } = require("@aws-sdk/client-iam"); // CommonJS import + * const client = new IAMClient(config); + * const input = {}; + * const command = new DisableOrganizationsRootSessionsCommand(input); + * const response = await client.send(command); + * // { // DisableOrganizationsRootSessionsResponse + * // OrganizationId: "STRING_VALUE", + * // EnabledFeatures: [ // FeaturesListType + * // "RootCredentialsManagement" || "RootSessions", + * // ], + * // }; + * + * ``` + * + * @param DisableOrganizationsRootSessionsCommandInput - {@link DisableOrganizationsRootSessionsCommandInput} + * @returns {@link DisableOrganizationsRootSessionsCommandOutput} + * @see {@link DisableOrganizationsRootSessionsCommandInput} for command's `input` shape. + * @see {@link DisableOrganizationsRootSessionsCommandOutput} for command's `response` shape. + * @see {@link IAMClientResolvedConfig | config} for IAMClient's `config` shape. + * + * @throws {@link AccountNotManagementOrDelegatedAdministratorException} (client fault) + *

The request was rejected because the account making the request is not the management + * account or delegated administrator account for centralized root + * access.

+ * + * @throws {@link OrganizationNotFoundException} (client fault) + *

The request was rejected because no organization is associated with your account.

+ * + * @throws {@link OrganizationNotInAllFeaturesModeException} (client fault) + *

The request was rejected because your organization does not have All features enabled. For + * more information, see Available feature sets in the Organizations User + * Guide.

+ * + * @throws {@link ServiceAccessNotEnabledException} (client fault) + *

The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the Organizations User Guide.

+ * + * @throws {@link IAMServiceException} + *

Base exception class for all service exceptions from IAM service.

+ * + * @public + */ +export class DisableOrganizationsRootSessionsCommand extends $Command + .classBuilder< + DisableOrganizationsRootSessionsCommandInput, + DisableOrganizationsRootSessionsCommandOutput, + IAMClientResolvedConfig, + ServiceInputTypes, + ServiceOutputTypes + >() + .ep(commonParams) + .m(function (this: any, Command: any, cs: any, config: IAMClientResolvedConfig, o: any) { + return [ + getSerdePlugin(config, this.serialize, this.deserialize), + getEndpointPlugin(config, Command.getEndpointParameterInstructions()), + ]; + }) + .s("AWSIdentityManagementV20100508", "DisableOrganizationsRootSessions", {}) + .n("IAMClient", "DisableOrganizationsRootSessionsCommand") + .f(void 0, void 0) + .ser(se_DisableOrganizationsRootSessionsCommand) + .de(de_DisableOrganizationsRootSessionsCommand) + .build() { + /** @internal type navigation helper, not in runtime. */ + protected declare static __types: { + api: { + input: {}; + output: DisableOrganizationsRootSessionsResponse; + }; + sdk: { + input: DisableOrganizationsRootSessionsCommandInput; + output: DisableOrganizationsRootSessionsCommandOutput; + }; + }; +} diff --git a/clients/client-iam/src/commands/EnableOrganizationsRootCredentialsManagementCommand.ts b/clients/client-iam/src/commands/EnableOrganizationsRootCredentialsManagementCommand.ts new file mode 100644 index 0000000000000..ea8cb7077b4a6 --- /dev/null +++ b/clients/client-iam/src/commands/EnableOrganizationsRootCredentialsManagementCommand.ts @@ -0,0 +1,137 @@ +// smithy-typescript generated code +import { getEndpointPlugin } from "@smithy/middleware-endpoint"; +import { getSerdePlugin } from "@smithy/middleware-serde"; +import { Command as $Command } from "@smithy/smithy-client"; +import { MetadataBearer as __MetadataBearer } from "@smithy/types"; + +import { commonParams } from "../endpoint/EndpointParameters"; +import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; +import { + EnableOrganizationsRootCredentialsManagementRequest, + EnableOrganizationsRootCredentialsManagementResponse, +} from "../models/models_0"; +import { + de_EnableOrganizationsRootCredentialsManagementCommand, + se_EnableOrganizationsRootCredentialsManagementCommand, +} from "../protocols/Aws_query"; + +/** + * @public + */ +export type { __MetadataBearer }; +export { $Command }; +/** + * @public + * + * The input for {@link EnableOrganizationsRootCredentialsManagementCommand}. + */ +export interface EnableOrganizationsRootCredentialsManagementCommandInput + extends EnableOrganizationsRootCredentialsManagementRequest {} +/** + * @public + * + * The output of {@link EnableOrganizationsRootCredentialsManagementCommand}. + */ +export interface EnableOrganizationsRootCredentialsManagementCommandOutput + extends EnableOrganizationsRootCredentialsManagementResponse, + __MetadataBearer {} + +/** + *

Enables the management of privileged root user credentials across member accounts in your + * organization. When you enable root credentials management for centralized root access, the management account and the delegated + * admininstrator for IAM can manage root user credentials for member accounts in your + * organization.

+ *

Before you enable centralized root access, you must have an account configured with + * the following settings:

+ *
    + *
  • + *

    You must manage your Amazon Web Services accounts in Organizations.

    + *
    • + *
  • + *

    Enable trusted access for Identity and Access Management in Organizations. For details, see + * IAM and Organizations in the Organizations User + * Guide.

    + *
    • + *
+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { IAMClient, EnableOrganizationsRootCredentialsManagementCommand } from "@aws-sdk/client-iam"; // ES Modules import + * // const { IAMClient, EnableOrganizationsRootCredentialsManagementCommand } = require("@aws-sdk/client-iam"); // CommonJS import + * const client = new IAMClient(config); + * const input = {}; + * const command = new EnableOrganizationsRootCredentialsManagementCommand(input); + * const response = await client.send(command); + * // { // EnableOrganizationsRootCredentialsManagementResponse + * // OrganizationId: "STRING_VALUE", + * // EnabledFeatures: [ // FeaturesListType + * // "RootCredentialsManagement" || "RootSessions", + * // ], + * // }; + * + * ``` + * + * @param EnableOrganizationsRootCredentialsManagementCommandInput - {@link EnableOrganizationsRootCredentialsManagementCommandInput} + * @returns {@link EnableOrganizationsRootCredentialsManagementCommandOutput} + * @see {@link EnableOrganizationsRootCredentialsManagementCommandInput} for command's `input` shape. + * @see {@link EnableOrganizationsRootCredentialsManagementCommandOutput} for command's `response` shape. + * @see {@link IAMClientResolvedConfig | config} for IAMClient's `config` shape. + * + * @throws {@link AccountNotManagementOrDelegatedAdministratorException} (client fault) + *

The request was rejected because the account making the request is not the management + * account or delegated administrator account for centralized root + * access.

+ * + * @throws {@link CallerIsNotManagementAccountException} (client fault) + *

The request was rejected because the account making the request is not the management + * account for the organization.

+ * + * @throws {@link OrganizationNotFoundException} (client fault) + *

The request was rejected because no organization is associated with your account.

+ * + * @throws {@link OrganizationNotInAllFeaturesModeException} (client fault) + *

The request was rejected because your organization does not have All features enabled. For + * more information, see Available feature sets in the Organizations User + * Guide.

+ * + * @throws {@link ServiceAccessNotEnabledException} (client fault) + *

The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the Organizations User Guide.

+ * + * @throws {@link IAMServiceException} + *

Base exception class for all service exceptions from IAM service.

+ * + * @public + */ +export class EnableOrganizationsRootCredentialsManagementCommand extends $Command + .classBuilder< + EnableOrganizationsRootCredentialsManagementCommandInput, + EnableOrganizationsRootCredentialsManagementCommandOutput, + IAMClientResolvedConfig, + ServiceInputTypes, + ServiceOutputTypes + >() + .ep(commonParams) + .m(function (this: any, Command: any, cs: any, config: IAMClientResolvedConfig, o: any) { + return [ + getSerdePlugin(config, this.serialize, this.deserialize), + getEndpointPlugin(config, Command.getEndpointParameterInstructions()), + ]; + }) + .s("AWSIdentityManagementV20100508", "EnableOrganizationsRootCredentialsManagement", {}) + .n("IAMClient", "EnableOrganizationsRootCredentialsManagementCommand") + .f(void 0, void 0) + .ser(se_EnableOrganizationsRootCredentialsManagementCommand) + .de(de_EnableOrganizationsRootCredentialsManagementCommand) + .build() { + /** @internal type navigation helper, not in runtime. */ + protected declare static __types: { + api: { + input: {}; + output: EnableOrganizationsRootCredentialsManagementResponse; + }; + sdk: { + input: EnableOrganizationsRootCredentialsManagementCommandInput; + output: EnableOrganizationsRootCredentialsManagementCommandOutput; + }; + }; +} diff --git a/clients/client-iam/src/commands/EnableOrganizationsRootSessionsCommand.ts b/clients/client-iam/src/commands/EnableOrganizationsRootSessionsCommand.ts new file mode 100644 index 0000000000000..39f7eb7e82ee5 --- /dev/null +++ b/clients/client-iam/src/commands/EnableOrganizationsRootSessionsCommand.ts @@ -0,0 +1,132 @@ +// smithy-typescript generated code +import { getEndpointPlugin } from "@smithy/middleware-endpoint"; +import { getSerdePlugin } from "@smithy/middleware-serde"; +import { Command as $Command } from "@smithy/smithy-client"; +import { MetadataBearer as __MetadataBearer } from "@smithy/types"; + +import { commonParams } from "../endpoint/EndpointParameters"; +import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; +import { EnableOrganizationsRootSessionsRequest, EnableOrganizationsRootSessionsResponse } from "../models/models_0"; +import { + de_EnableOrganizationsRootSessionsCommand, + se_EnableOrganizationsRootSessionsCommand, +} from "../protocols/Aws_query"; + +/** + * @public + */ +export type { __MetadataBearer }; +export { $Command }; +/** + * @public + * + * The input for {@link EnableOrganizationsRootSessionsCommand}. + */ +export interface EnableOrganizationsRootSessionsCommandInput extends EnableOrganizationsRootSessionsRequest {} +/** + * @public + * + * The output of {@link EnableOrganizationsRootSessionsCommand}. + */ +export interface EnableOrganizationsRootSessionsCommandOutput + extends EnableOrganizationsRootSessionsResponse, + __MetadataBearer {} + +/** + *

Allows the management account or delegated administrator to perform privileged tasks + * on member accounts in your organization. For more information, see Centrally manage root access for member accounts in the Identity and Access Management + * User Guide.

+ *

Before you enable this feature, you must have an account configured with the following + * settings:

+ *
    + *
  • + *

    You must manage your Amazon Web Services accounts in Organizations.

    + *
    • + *
  • + *

    Enable trusted access for Identity and Access Management in Organizations. For details, see + * IAM and Organizations in the Organizations User + * Guide.

    + *
    • + *
+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { IAMClient, EnableOrganizationsRootSessionsCommand } from "@aws-sdk/client-iam"; // ES Modules import + * // const { IAMClient, EnableOrganizationsRootSessionsCommand } = require("@aws-sdk/client-iam"); // CommonJS import + * const client = new IAMClient(config); + * const input = {}; + * const command = new EnableOrganizationsRootSessionsCommand(input); + * const response = await client.send(command); + * // { // EnableOrganizationsRootSessionsResponse + * // OrganizationId: "STRING_VALUE", + * // EnabledFeatures: [ // FeaturesListType + * // "RootCredentialsManagement" || "RootSessions", + * // ], + * // }; + * + * ``` + * + * @param EnableOrganizationsRootSessionsCommandInput - {@link EnableOrganizationsRootSessionsCommandInput} + * @returns {@link EnableOrganizationsRootSessionsCommandOutput} + * @see {@link EnableOrganizationsRootSessionsCommandInput} for command's `input` shape. + * @see {@link EnableOrganizationsRootSessionsCommandOutput} for command's `response` shape. + * @see {@link IAMClientResolvedConfig | config} for IAMClient's `config` shape. + * + * @throws {@link AccountNotManagementOrDelegatedAdministratorException} (client fault) + *

The request was rejected because the account making the request is not the management + * account or delegated administrator account for centralized root + * access.

+ * + * @throws {@link CallerIsNotManagementAccountException} (client fault) + *

The request was rejected because the account making the request is not the management + * account for the organization.

+ * + * @throws {@link OrganizationNotFoundException} (client fault) + *

The request was rejected because no organization is associated with your account.

+ * + * @throws {@link OrganizationNotInAllFeaturesModeException} (client fault) + *

The request was rejected because your organization does not have All features enabled. For + * more information, see Available feature sets in the Organizations User + * Guide.

+ * + * @throws {@link ServiceAccessNotEnabledException} (client fault) + *

The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the Organizations User Guide.

+ * + * @throws {@link IAMServiceException} + *

Base exception class for all service exceptions from IAM service.

+ * + * @public + */ +export class EnableOrganizationsRootSessionsCommand extends $Command + .classBuilder< + EnableOrganizationsRootSessionsCommandInput, + EnableOrganizationsRootSessionsCommandOutput, + IAMClientResolvedConfig, + ServiceInputTypes, + ServiceOutputTypes + >() + .ep(commonParams) + .m(function (this: any, Command: any, cs: any, config: IAMClientResolvedConfig, o: any) { + return [ + getSerdePlugin(config, this.serialize, this.deserialize), + getEndpointPlugin(config, Command.getEndpointParameterInstructions()), + ]; + }) + .s("AWSIdentityManagementV20100508", "EnableOrganizationsRootSessions", {}) + .n("IAMClient", "EnableOrganizationsRootSessionsCommand") + .f(void 0, void 0) + .ser(se_EnableOrganizationsRootSessionsCommand) + .de(de_EnableOrganizationsRootSessionsCommand) + .build() { + /** @internal type navigation helper, not in runtime. */ + protected declare static __types: { + api: { + input: {}; + output: EnableOrganizationsRootSessionsResponse; + }; + sdk: { + input: EnableOrganizationsRootSessionsCommandInput; + output: EnableOrganizationsRootSessionsCommandOutput; + }; + }; +} diff --git a/clients/client-iam/src/commands/GetLoginProfileCommand.ts b/clients/client-iam/src/commands/GetLoginProfileCommand.ts index f723c3a3c5616..3eedab564f02c 100644 --- a/clients/client-iam/src/commands/GetLoginProfileCommand.ts +++ b/clients/client-iam/src/commands/GetLoginProfileCommand.ts @@ -45,7 +45,7 @@ export interface GetLoginProfileCommandOutput extends GetLoginProfileResponse, _ * // const { IAMClient, GetLoginProfileCommand } = require("@aws-sdk/client-iam"); // CommonJS import * const client = new IAMClient(config); * const input = { // GetLoginProfileRequest - * UserName: "STRING_VALUE", // required + * UserName: "STRING_VALUE", * }; * const command = new GetLoginProfileCommand(input); * const response = await client.send(command); diff --git a/clients/client-iam/src/commands/ListAccountAliasesCommand.ts b/clients/client-iam/src/commands/ListAccountAliasesCommand.ts index b2acaf4249aad..001b58477b602 100644 --- a/clients/client-iam/src/commands/ListAccountAliasesCommand.ts +++ b/clients/client-iam/src/commands/ListAccountAliasesCommand.ts @@ -29,9 +29,9 @@ export interface ListAccountAliasesCommandOutput extends ListAccountAliasesRespo /** *

Lists the account alias associated with the Amazon Web Services account (Note: you can have only - * one). For information about using an Amazon Web Services account alias, see Creating, - * deleting, and listing an Amazon Web Services account alias in the - * IAM User Guide.

+ * one). For information about using an Amazon Web Services account alias, see Creating, + * deleting, and listing an Amazon Web Services account alias in the Amazon Web Services Sign-In + * User Guide.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-iam/src/commands/ListOrganizationsFeaturesCommand.ts b/clients/client-iam/src/commands/ListOrganizationsFeaturesCommand.ts new file mode 100644 index 0000000000000..2f27957490b4d --- /dev/null +++ b/clients/client-iam/src/commands/ListOrganizationsFeaturesCommand.ts @@ -0,0 +1,110 @@ +// smithy-typescript generated code +import { getEndpointPlugin } from "@smithy/middleware-endpoint"; +import { getSerdePlugin } from "@smithy/middleware-serde"; +import { Command as $Command } from "@smithy/smithy-client"; +import { MetadataBearer as __MetadataBearer } from "@smithy/types"; + +import { commonParams } from "../endpoint/EndpointParameters"; +import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; +import { ListOrganizationsFeaturesRequest, ListOrganizationsFeaturesResponse } from "../models/models_0"; +import { de_ListOrganizationsFeaturesCommand, se_ListOrganizationsFeaturesCommand } from "../protocols/Aws_query"; + +/** + * @public + */ +export type { __MetadataBearer }; +export { $Command }; +/** + * @public + * + * The input for {@link ListOrganizationsFeaturesCommand}. + */ +export interface ListOrganizationsFeaturesCommandInput extends ListOrganizationsFeaturesRequest {} +/** + * @public + * + * The output of {@link ListOrganizationsFeaturesCommand}. + */ +export interface ListOrganizationsFeaturesCommandOutput extends ListOrganizationsFeaturesResponse, __MetadataBearer {} + +/** + *

Lists the centralized root access features enabled for your organization. For more + * information, see Centrally manage root access for member accounts.

+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { IAMClient, ListOrganizationsFeaturesCommand } from "@aws-sdk/client-iam"; // ES Modules import + * // const { IAMClient, ListOrganizationsFeaturesCommand } = require("@aws-sdk/client-iam"); // CommonJS import + * const client = new IAMClient(config); + * const input = {}; + * const command = new ListOrganizationsFeaturesCommand(input); + * const response = await client.send(command); + * // { // ListOrganizationsFeaturesResponse + * // OrganizationId: "STRING_VALUE", + * // EnabledFeatures: [ // FeaturesListType + * // "RootCredentialsManagement" || "RootSessions", + * // ], + * // }; + * + * ``` + * + * @param ListOrganizationsFeaturesCommandInput - {@link ListOrganizationsFeaturesCommandInput} + * @returns {@link ListOrganizationsFeaturesCommandOutput} + * @see {@link ListOrganizationsFeaturesCommandInput} for command's `input` shape. + * @see {@link ListOrganizationsFeaturesCommandOutput} for command's `response` shape. + * @see {@link IAMClientResolvedConfig | config} for IAMClient's `config` shape. + * + * @throws {@link AccountNotManagementOrDelegatedAdministratorException} (client fault) + *

The request was rejected because the account making the request is not the management + * account or delegated administrator account for centralized root + * access.

+ * + * @throws {@link OrganizationNotFoundException} (client fault) + *

The request was rejected because no organization is associated with your account.

+ * + * @throws {@link OrganizationNotInAllFeaturesModeException} (client fault) + *

The request was rejected because your organization does not have All features enabled. For + * more information, see Available feature sets in the Organizations User + * Guide.

+ * + * @throws {@link ServiceAccessNotEnabledException} (client fault) + *

The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the Organizations User Guide.

+ * + * @throws {@link IAMServiceException} + *

Base exception class for all service exceptions from IAM service.

+ * + * @public + */ +export class ListOrganizationsFeaturesCommand extends $Command + .classBuilder< + ListOrganizationsFeaturesCommandInput, + ListOrganizationsFeaturesCommandOutput, + IAMClientResolvedConfig, + ServiceInputTypes, + ServiceOutputTypes + >() + .ep(commonParams) + .m(function (this: any, Command: any, cs: any, config: IAMClientResolvedConfig, o: any) { + return [ + getSerdePlugin(config, this.serialize, this.deserialize), + getEndpointPlugin(config, Command.getEndpointParameterInstructions()), + ]; + }) + .s("AWSIdentityManagementV20100508", "ListOrganizationsFeatures", {}) + .n("IAMClient", "ListOrganizationsFeaturesCommand") + .f(void 0, void 0) + .ser(se_ListOrganizationsFeaturesCommand) + .de(de_ListOrganizationsFeaturesCommand) + .build() { + /** @internal type navigation helper, not in runtime. */ + protected declare static __types: { + api: { + input: {}; + output: ListOrganizationsFeaturesResponse; + }; + sdk: { + input: ListOrganizationsFeaturesCommandInput; + output: ListOrganizationsFeaturesCommandOutput; + }; + }; +} diff --git a/clients/client-iam/src/commands/SimulateCustomPolicyCommand.ts b/clients/client-iam/src/commands/SimulateCustomPolicyCommand.ts index 873f00044b3e3..cddfa708cb9f7 100644 --- a/clients/client-iam/src/commands/SimulateCustomPolicyCommand.ts +++ b/clients/client-iam/src/commands/SimulateCustomPolicyCommand.ts @@ -6,7 +6,8 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types"; import { commonParams } from "../endpoint/EndpointParameters"; import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; -import { SimulateCustomPolicyRequest, SimulatePolicyResponse } from "../models/models_0"; +import { SimulateCustomPolicyRequest } from "../models/models_0"; +import { SimulatePolicyResponse } from "../models/models_1"; import { de_SimulateCustomPolicyCommand, se_SimulateCustomPolicyCommand } from "../protocols/Aws_query"; /** diff --git a/clients/client-iam/src/commands/SimulatePrincipalPolicyCommand.ts b/clients/client-iam/src/commands/SimulatePrincipalPolicyCommand.ts index 3c0240432d859..1a7bc0455083e 100644 --- a/clients/client-iam/src/commands/SimulatePrincipalPolicyCommand.ts +++ b/clients/client-iam/src/commands/SimulatePrincipalPolicyCommand.ts @@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types"; import { commonParams } from "../endpoint/EndpointParameters"; import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; -import { SimulatePolicyResponse, SimulatePrincipalPolicyRequest } from "../models/models_0"; +import { SimulatePolicyResponse, SimulatePrincipalPolicyRequest } from "../models/models_1"; import { de_SimulatePrincipalPolicyCommand, se_SimulatePrincipalPolicyCommand } from "../protocols/Aws_query"; /** diff --git a/clients/client-iam/src/commands/TagInstanceProfileCommand.ts b/clients/client-iam/src/commands/TagInstanceProfileCommand.ts index 53b1533a496d8..bc1ab9f2d295f 100644 --- a/clients/client-iam/src/commands/TagInstanceProfileCommand.ts +++ b/clients/client-iam/src/commands/TagInstanceProfileCommand.ts @@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types"; import { commonParams } from "../endpoint/EndpointParameters"; import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; -import { TagInstanceProfileRequest } from "../models/models_0"; +import { TagInstanceProfileRequest } from "../models/models_1"; import { de_TagInstanceProfileCommand, se_TagInstanceProfileCommand } from "../protocols/Aws_query"; /** diff --git a/clients/client-iam/src/commands/TagMFADeviceCommand.ts b/clients/client-iam/src/commands/TagMFADeviceCommand.ts index 733ba925d0e2f..4cc2fa16c7677 100644 --- a/clients/client-iam/src/commands/TagMFADeviceCommand.ts +++ b/clients/client-iam/src/commands/TagMFADeviceCommand.ts @@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types"; import { commonParams } from "../endpoint/EndpointParameters"; import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; -import { TagMFADeviceRequest } from "../models/models_0"; +import { TagMFADeviceRequest } from "../models/models_1"; import { de_TagMFADeviceCommand, se_TagMFADeviceCommand } from "../protocols/Aws_query"; /** diff --git a/clients/client-iam/src/commands/TagOpenIDConnectProviderCommand.ts b/clients/client-iam/src/commands/TagOpenIDConnectProviderCommand.ts index 666fb0a935c1a..c2fcea3de11dc 100644 --- a/clients/client-iam/src/commands/TagOpenIDConnectProviderCommand.ts +++ b/clients/client-iam/src/commands/TagOpenIDConnectProviderCommand.ts @@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types"; import { commonParams } from "../endpoint/EndpointParameters"; import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; -import { TagOpenIDConnectProviderRequest } from "../models/models_0"; +import { TagOpenIDConnectProviderRequest } from "../models/models_1"; import { de_TagOpenIDConnectProviderCommand, se_TagOpenIDConnectProviderCommand } from "../protocols/Aws_query"; /** diff --git a/clients/client-iam/src/commands/TagPolicyCommand.ts b/clients/client-iam/src/commands/TagPolicyCommand.ts index 6e10b94f8158c..1fcacb0613d15 100644 --- a/clients/client-iam/src/commands/TagPolicyCommand.ts +++ b/clients/client-iam/src/commands/TagPolicyCommand.ts @@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types"; import { commonParams } from "../endpoint/EndpointParameters"; import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; -import { TagPolicyRequest } from "../models/models_0"; +import { TagPolicyRequest } from "../models/models_1"; import { de_TagPolicyCommand, se_TagPolicyCommand } from "../protocols/Aws_query"; /** diff --git a/clients/client-iam/src/commands/TagRoleCommand.ts b/clients/client-iam/src/commands/TagRoleCommand.ts index ff5517452fab0..df53d906a7fde 100644 --- a/clients/client-iam/src/commands/TagRoleCommand.ts +++ b/clients/client-iam/src/commands/TagRoleCommand.ts @@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types"; import { commonParams } from "../endpoint/EndpointParameters"; import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; -import { TagRoleRequest } from "../models/models_0"; +import { TagRoleRequest } from "../models/models_1"; import { de_TagRoleCommand, se_TagRoleCommand } from "../protocols/Aws_query"; /** diff --git a/clients/client-iam/src/commands/TagSAMLProviderCommand.ts b/clients/client-iam/src/commands/TagSAMLProviderCommand.ts index 8e8217a8b5366..631ae1142c7e7 100644 --- a/clients/client-iam/src/commands/TagSAMLProviderCommand.ts +++ b/clients/client-iam/src/commands/TagSAMLProviderCommand.ts @@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types"; import { commonParams } from "../endpoint/EndpointParameters"; import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; -import { TagSAMLProviderRequest } from "../models/models_0"; +import { TagSAMLProviderRequest } from "../models/models_1"; import { de_TagSAMLProviderCommand, se_TagSAMLProviderCommand } from "../protocols/Aws_query"; /** diff --git a/clients/client-iam/src/commands/TagServerCertificateCommand.ts b/clients/client-iam/src/commands/TagServerCertificateCommand.ts index 58487070462bc..4daa16573f6c2 100644 --- a/clients/client-iam/src/commands/TagServerCertificateCommand.ts +++ b/clients/client-iam/src/commands/TagServerCertificateCommand.ts @@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types"; import { commonParams } from "../endpoint/EndpointParameters"; import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; -import { TagServerCertificateRequest } from "../models/models_0"; +import { TagServerCertificateRequest } from "../models/models_1"; import { de_TagServerCertificateCommand, se_TagServerCertificateCommand } from "../protocols/Aws_query"; /** diff --git a/clients/client-iam/src/commands/TagUserCommand.ts b/clients/client-iam/src/commands/TagUserCommand.ts index 8f7453254ab8a..bae9904611ac5 100644 --- a/clients/client-iam/src/commands/TagUserCommand.ts +++ b/clients/client-iam/src/commands/TagUserCommand.ts @@ -6,7 +6,7 @@ import { MetadataBearer as __MetadataBearer } from "@smithy/types"; import { commonParams } from "../endpoint/EndpointParameters"; import { IAMClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../IAMClient"; -import { TagUserRequest } from "../models/models_0"; +import { TagUserRequest } from "../models/models_1"; import { de_TagUserCommand, se_TagUserCommand } from "../protocols/Aws_query"; /** diff --git a/clients/client-iam/src/commands/index.ts b/clients/client-iam/src/commands/index.ts index 23d57bc87432d..66196bfceae54 100644 --- a/clients/client-iam/src/commands/index.ts +++ b/clients/client-iam/src/commands/index.ts @@ -47,7 +47,11 @@ export * from "./DeleteVirtualMFADeviceCommand"; export * from "./DetachGroupPolicyCommand"; export * from "./DetachRolePolicyCommand"; export * from "./DetachUserPolicyCommand"; +export * from "./DisableOrganizationsRootCredentialsManagementCommand"; +export * from "./DisableOrganizationsRootSessionsCommand"; export * from "./EnableMFADeviceCommand"; +export * from "./EnableOrganizationsRootCredentialsManagementCommand"; +export * from "./EnableOrganizationsRootSessionsCommand"; export * from "./GenerateCredentialReportCommand"; export * from "./GenerateOrganizationsAccessReportCommand"; export * from "./GenerateServiceLastAccessedDetailsCommand"; @@ -93,6 +97,7 @@ export * from "./ListMFADeviceTagsCommand"; export * from "./ListMFADevicesCommand"; export * from "./ListOpenIDConnectProviderTagsCommand"; export * from "./ListOpenIDConnectProvidersCommand"; +export * from "./ListOrganizationsFeaturesCommand"; export * from "./ListPoliciesCommand"; export * from "./ListPoliciesGrantingServiceAccessCommand"; export * from "./ListPolicyTagsCommand"; diff --git a/clients/client-iam/src/models/models_0.ts b/clients/client-iam/src/models/models_0.ts index f375f2414a019..a54038418f2a3 100644 --- a/clients/client-iam/src/models/models_0.ts +++ b/clients/client-iam/src/models/models_0.ts @@ -239,6 +239,31 @@ export interface AccessKeyMetadata { CreateDate?: Date | undefined; } +/** + *

The request was rejected because the account making the request is not the management + * account or delegated administrator account for centralized root + * access.

+ * @public + */ +export class AccountNotManagementOrDelegatedAdministratorException extends __BaseException { + readonly name: "AccountNotManagementOrDelegatedAdministratorException" = + "AccountNotManagementOrDelegatedAdministratorException"; + readonly $fault: "client" = "client"; + Message?: string | undefined; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "AccountNotManagementOrDelegatedAdministratorException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, AccountNotManagementOrDelegatedAdministratorException.prototype); + this.Message = opts.Message; + } +} + /** * @public */ @@ -1118,14 +1143,18 @@ export interface CreateLoginProfileRequest { /** *

The name of the IAM user to create a password for. The user must already * exist.

+ *

This parameter is optional. If no user name is included, it defaults to the principal + * making the request. When you make this request with root user credentials, you must use + * an AssumeRoot session to omit the user name.

*

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric * characters with no spaces. You can also include any of the following characters: _+=,.@-

* @public */ - UserName: string | undefined; + UserName?: string | undefined; /** *

The new password for the user.

+ *

This parameter must be omitted when you make the request with an AssumeRoot session. It is required in all other cases.

*

The regex pattern * that is used to validate this parameter is a string of characters. That string can include almost any printable * ASCII character from the space (\u0020) through the end of the ASCII character range (\u00FF). @@ -1135,7 +1164,7 @@ export interface CreateLoginProfileRequest { * special meaning within that tool.

* @public */ - Password: string | undefined; + Password?: string | undefined; /** *

Specifies whether the user is required to set a new password on next sign-in.

@@ -2225,11 +2254,14 @@ export interface CreateVirtualMFADeviceResponse { export interface DeactivateMFADeviceRequest { /** *

The name of the user whose MFA device you want to deactivate.

+ *

This parameter is optional. If no user name is included, it defaults to the principal + * making the request. When you make this request with root user credentials, you must use + * an AssumeRoot session to omit the user name.

*

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric * characters with no spaces. You can also include any of the following characters: _+=,.@-

* @public */ - UserName: string | undefined; + UserName?: string | undefined; /** *

The serial number that uniquely identifies the MFA device. For virtual MFA devices, @@ -2353,11 +2385,14 @@ export interface DeleteInstanceProfileRequest { export interface DeleteLoginProfileRequest { /** *

The name of the user whose password you want to delete.

+ *

This parameter is optional. If no user name is included, it defaults to the principal + * making the request. When you make this request with root user credentials, you must use + * an AssumeRoot session to omit the user name.

*

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric * characters with no spaces. You can also include any of the following characters: _+=,.@-

* @public */ - UserName: string | undefined; + UserName?: string | undefined; } /** @@ -2691,6 +2726,134 @@ export interface DetachUserPolicyRequest { PolicyArn: string | undefined; } +/** + * @public + */ +export interface DisableOrganizationsRootCredentialsManagementRequest {} + +/** + * @public + * @enum + */ +export const FeatureType = { + ROOT_CREDENTIALS_MANAGEMENT: "RootCredentialsManagement", + ROOT_SESSIONS: "RootSessions", +} as const; + +/** + * @public + */ +export type FeatureType = (typeof FeatureType)[keyof typeof FeatureType]; + +/** + * @public + */ +export interface DisableOrganizationsRootCredentialsManagementResponse { + /** + *

The unique identifier (ID) of an organization.

+ * @public + */ + OrganizationId?: string | undefined; + + /** + *

The features enabled for centralized root access for member accounts in your + * organization.

+ * @public + */ + EnabledFeatures?: FeatureType[] | undefined; +} + +/** + *

The request was rejected because no organization is associated with your account.

+ * @public + */ +export class OrganizationNotFoundException extends __BaseException { + readonly name: "OrganizationNotFoundException" = "OrganizationNotFoundException"; + readonly $fault: "client" = "client"; + Message?: string | undefined; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "OrganizationNotFoundException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, OrganizationNotFoundException.prototype); + this.Message = opts.Message; + } +} + +/** + *

The request was rejected because your organization does not have All features enabled. For + * more information, see Available feature sets in the Organizations User + * Guide.

+ * @public + */ +export class OrganizationNotInAllFeaturesModeException extends __BaseException { + readonly name: "OrganizationNotInAllFeaturesModeException" = "OrganizationNotInAllFeaturesModeException"; + readonly $fault: "client" = "client"; + Message?: string | undefined; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "OrganizationNotInAllFeaturesModeException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, OrganizationNotInAllFeaturesModeException.prototype); + this.Message = opts.Message; + } +} + +/** + *

The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the Organizations User Guide.

+ * @public + */ +export class ServiceAccessNotEnabledException extends __BaseException { + readonly name: "ServiceAccessNotEnabledException" = "ServiceAccessNotEnabledException"; + readonly $fault: "client" = "client"; + Message?: string | undefined; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "ServiceAccessNotEnabledException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, ServiceAccessNotEnabledException.prototype); + this.Message = opts.Message; + } +} + +/** + * @public + */ +export interface DisableOrganizationsRootSessionsRequest {} + +/** + * @public + */ +export interface DisableOrganizationsRootSessionsResponse { + /** + *

The unique identifier (ID) of an organization.

+ * @public + */ + OrganizationId?: string | undefined; + + /** + *

The features you have enabled for centralized root access of member accounts in your + * organization.

+ * @public + */ + EnabledFeatures?: FeatureType[] | undefined; +} + /** * @public */ @@ -2765,6 +2928,73 @@ export class InvalidAuthenticationCodeException extends __BaseException { } } +/** + *

The request was rejected because the account making the request is not the management + * account for the organization.

+ * @public + */ +export class CallerIsNotManagementAccountException extends __BaseException { + readonly name: "CallerIsNotManagementAccountException" = "CallerIsNotManagementAccountException"; + readonly $fault: "client" = "client"; + Message?: string | undefined; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "CallerIsNotManagementAccountException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, CallerIsNotManagementAccountException.prototype); + this.Message = opts.Message; + } +} + +/** + * @public + */ +export interface EnableOrganizationsRootCredentialsManagementRequest {} + +/** + * @public + */ +export interface EnableOrganizationsRootCredentialsManagementResponse { + /** + *

The unique identifier (ID) of an organization.

+ * @public + */ + OrganizationId?: string | undefined; + + /** + *

The features you have enabled for centralized root access.

+ * @public + */ + EnabledFeatures?: FeatureType[] | undefined; +} + +/** + * @public + */ +export interface EnableOrganizationsRootSessionsRequest {} + +/** + * @public + */ +export interface EnableOrganizationsRootSessionsResponse { + /** + *

The unique identifier (ID) of an organization.

+ * @public + */ + OrganizationId?: string | undefined; + + /** + *

The features you have enabled for centralized root access.

+ * @public + */ + EnabledFeatures?: FeatureType[] | undefined; +} + /** * @public * @enum @@ -3481,6 +3711,7 @@ export const SummaryKeyType = { AccessKeysPerUserQuota: "AccessKeysPerUserQuota", AccountAccessKeysPresent: "AccountAccessKeysPresent", AccountMFAEnabled: "AccountMFAEnabled", + AccountPasswordPresent: "AccountPasswordPresent", AccountSigningCertificatesPresent: "AccountSigningCertificatesPresent", AttachedPoliciesPerGroupQuota: "AttachedPoliciesPerGroupQuota", AttachedPoliciesPerRoleQuota: "AttachedPoliciesPerRoleQuota", @@ -3862,11 +4093,14 @@ export interface GetInstanceProfileResponse { export interface GetLoginProfileRequest { /** *

The name of the user whose login profile you want to retrieve.

+ *

This parameter is optional. If no user name is included, it defaults to the principal + * making the request. When you make this request with root user credentials, you must use + * an AssumeRoot session to omit the user name.

*

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric * characters with no spaces. You can also include any of the following characters: _+=,.@-

* @public */ - UserName: string | undefined; + UserName?: string | undefined; } /** @@ -6374,6 +6608,28 @@ export interface ListOpenIDConnectProviderTagsResponse { Marker?: string | undefined; } +/** + * @public + */ +export interface ListOrganizationsFeaturesRequest {} + +/** + * @public + */ +export interface ListOrganizationsFeaturesResponse { + /** + *

The unique identifier (ID) of an organization.

+ * @public + */ + OrganizationId?: string | undefined; + + /** + *

Specifies the features that are currently available in your organization.

+ * @public + */ + EnabledFeatures?: FeatureType[] | undefined; +} + /** * @public * @enum @@ -8510,670 +8766,6 @@ export interface Position { Column?: number | undefined; } -/** - * @public - * @enum - */ -export const PolicySourceType = { - AWS_MANAGED: "aws-managed", - GROUP: "group", - NONE: "none", - RESOURCE: "resource", - ROLE: "role", - USER: "user", - USER_MANAGED: "user-managed", -} as const; - -/** - * @public - */ -export type PolicySourceType = (typeof PolicySourceType)[keyof typeof PolicySourceType]; - -/** - *

Contains a reference to a Statement element in a policy document that - * determines the result of the simulation.

- *

This data type is used by the MatchedStatements member of the - * EvaluationResult - * type.

- * @public - */ -export interface Statement { - /** - *

The identifier of the policy that was provided as an input.

- * @public - */ - SourcePolicyId?: string | undefined; - - /** - *

The type of the policy.

- * @public - */ - SourcePolicyType?: PolicySourceType | undefined; - - /** - *

The row and column of the beginning of the Statement in an IAM - * policy.

- * @public - */ - StartPosition?: Position | undefined; - - /** - *

The row and column of the end of a Statement in an IAM policy.

- * @public - */ - EndPosition?: Position | undefined; -} - -/** - *

Contains information about the effect that Organizations has on a policy simulation.

- * @public - */ -export interface OrganizationsDecisionDetail { - /** - *

Specifies whether the simulated operation is allowed by the Organizations service control - * policies that impact the simulated user's account.

- * @public - */ - AllowedByOrganizations?: boolean | undefined; -} - -/** - *

Contains information about the effect that a permissions boundary has on a policy - * simulation when the boundary is applied to an IAM entity.

- * @public - */ -export interface PermissionsBoundaryDecisionDetail { - /** - *

Specifies whether an action is allowed by a permissions boundary that is applied to an - * IAM entity (user or role). A value of true means that the permissions - * boundary does not deny the action. This means that the policy includes an - * Allow statement that matches the request. In this case, if an - * identity-based policy also allows the action, the request is allowed. A value of - * false means that either the requested action is not allowed (implicitly - * denied) or that the action is explicitly denied by the permissions boundary. In both of - * these cases, the action is not allowed, regardless of the identity-based policy.

- * @public - */ - AllowedByPermissionsBoundary?: boolean | undefined; -} - -/** - *

Contains the result of the simulation of a single API operation call on a single - * resource.

- *

This data type is used by a member of the EvaluationResult data - * type.

- * @public - */ -export interface ResourceSpecificResult { - /** - *

The name of the simulated resource, in Amazon Resource Name (ARN) format.

- * @public - */ - EvalResourceName: string | undefined; - - /** - *

The result of the simulation of the simulated API operation on the resource specified in - * EvalResourceName.

- * @public - */ - EvalResourceDecision: PolicyEvaluationDecisionType | undefined; - - /** - *

A list of the statements in the input policies that determine the result for this part - * of the simulation. Remember that even if multiple statements allow the operation on the - * resource, if any statement denies that operation, then the explicit - * deny overrides any allow. In addition, the deny statement is the only entry included in the - * result.

- * @public - */ - MatchedStatements?: Statement[] | undefined; - - /** - *

A list of context keys that are required by the included input policies but that were - * not provided by one of the input parameters. This list is used when a list of ARNs is - * included in the ResourceArns parameter instead of "*". If you do not specify - * individual resources, by setting ResourceArns to "*" or by not including the - * ResourceArns parameter, then any missing context values are instead - * included under the EvaluationResults section. To discover the context keys - * used by a set of policies, you can call GetContextKeysForCustomPolicy or - * GetContextKeysForPrincipalPolicy.

- * @public - */ - MissingContextValues?: string[] | undefined; - - /** - *

Additional details about the results of the evaluation decision on a single resource. - * This parameter is returned only for cross-account simulations. This parameter explains how - * each policy type contributes to the resource-specific evaluation decision.

- * @public - */ - EvalDecisionDetails?: Record | undefined; - - /** - *

Contains information about the effect that a permissions boundary has on a policy - * simulation when that boundary is applied to an IAM entity.

- * @public - */ - PermissionsBoundaryDecisionDetail?: PermissionsBoundaryDecisionDetail | undefined; -} - -/** - *

Contains the results of a simulation.

- *

This data type is used by the return parameter of - * SimulateCustomPolicy - * and - * SimulatePrincipalPolicy - * .

- * @public - */ -export interface EvaluationResult { - /** - *

The name of the API operation tested on the indicated resource.

- * @public - */ - EvalActionName: string | undefined; - - /** - *

The ARN of the resource that the indicated API operation was tested on.

- * @public - */ - EvalResourceName?: string | undefined; - - /** - *

The result of the simulation.

- * @public - */ - EvalDecision: PolicyEvaluationDecisionType | undefined; - - /** - *

A list of the statements in the input policies that determine the result for this - * scenario. Remember that even if multiple statements allow the operation on the resource, if - * only one statement denies that operation, then the explicit deny overrides any allow. In - * addition, the deny statement is the only entry included in the result.

- * @public - */ - MatchedStatements?: Statement[] | undefined; - - /** - *

A list of context keys that are required by the included input policies but that were - * not provided by one of the input parameters. This list is used when the resource in a - * simulation is "*", either explicitly, or when the ResourceArns parameter - * blank. If you include a list of resources, then any missing context values are instead - * included under the ResourceSpecificResults section. To discover the context - * keys used by a set of policies, you can call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.

- * @public - */ - MissingContextValues?: string[] | undefined; - - /** - *

A structure that details how Organizations and its service control policies affect the results of - * the simulation. Only applies if the simulated user's account is part of an - * organization.

- * @public - */ - OrganizationsDecisionDetail?: OrganizationsDecisionDetail | undefined; - - /** - *

Contains information about the effect that a permissions boundary has on a policy - * simulation when the boundary is applied to an IAM entity.

- * @public - */ - PermissionsBoundaryDecisionDetail?: PermissionsBoundaryDecisionDetail | undefined; - - /** - *

Additional details about the results of the cross-account evaluation decision. This - * parameter is populated for only cross-account simulations. It contains a brief summary of - * how each policy type contributes to the final evaluation decision.

- *

If the simulation evaluates policies within the same account and includes a resource - * ARN, then the parameter is present but the response is empty. If the simulation evaluates - * policies within the same account and specifies all resources (*), then the - * parameter is not returned.

- *

When you make a cross-account request, Amazon Web Services evaluates the request in the trusting - * account and the trusted account. The request is allowed only if both evaluations return - * true. For more information about how policies are evaluated, see Evaluating policies within a single account.

- *

If an Organizations SCP included in the evaluation denies access, the simulation ends. In - * this case, policy evaluation does not proceed any further and this parameter is not - * returned.

- * @public - */ - EvalDecisionDetails?: Record | undefined; - - /** - *

The individual results of the simulation of the API operation specified in - * EvalActionName on each resource.

- * @public - */ - ResourceSpecificResults?: ResourceSpecificResult[] | undefined; -} - -/** - *

Contains the response to a successful SimulatePrincipalPolicy or - * SimulateCustomPolicy request.

- * @public - */ -export interface SimulatePolicyResponse { - /** - *

The results of the simulation.

- * @public - */ - EvaluationResults?: EvaluationResult[] | undefined; - - /** - *

A flag that indicates whether there are more items to return. If your - * results were truncated, you can make a subsequent pagination request using the Marker - * request parameter to retrieve more items. Note that IAM might return fewer than the - * MaxItems number of results even when there are more results available. We recommend - * that you check IsTruncated after every call to ensure that you receive all your - * results.

- * @public - */ - IsTruncated?: boolean | undefined; - - /** - *

When IsTruncated is true, this element - * is present and contains the value to use for the Marker parameter in a subsequent - * pagination request.

- * @public - */ - Marker?: string | undefined; -} - -/** - * @public - */ -export interface SimulatePrincipalPolicyRequest { - /** - *

The Amazon Resource Name (ARN) of a user, group, or role whose policies you want to - * include in the simulation. If you specify a user, group, or role, the simulation - * includes all policies that are associated with that entity. If you specify a user, the - * simulation also includes all policies that are attached to any groups the user belongs - * to.

- *

The maximum length of the policy document that you can pass in this operation, - * including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.

- *

For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

- * @public - */ - PolicySourceArn: string | undefined; - - /** - *

An optional list of additional policy documents to include in the simulation. Each - * document is specified as a string containing the complete, valid JSON text of an IAM - * policy.

- *

The regex pattern - * used to validate this parameter is a string of characters consisting of the following:

- *
    - *
  • - *

    Any printable ASCII - * character ranging from the space character (\u0020) through the end of the ASCII character range

    - *
    • - *
  • - *

    The printable characters in the Basic Latin and Latin-1 Supplement character set - * (through \u00FF)

    - *
    • - *
  • - *

    The special characters tab (\u0009), line feed (\u000A), and - * carriage return (\u000D)

    - *
    • - *
- * @public - */ - PolicyInputList?: string[] | undefined; - - /** - *

The IAM permissions boundary policy to simulate. The permissions boundary sets the - * maximum permissions that the entity can have. You can input only one permissions - * boundary when you pass a policy to this operation. An IAM entity can only have one - * permissions boundary in effect at a time. For example, if a permissions boundary is - * attached to an entity and you pass in a different permissions boundary policy using this - * parameter, then the new permissions boundary policy is used for the simulation. For more - * information about permissions boundaries, see Permissions boundaries for IAM - * entities in the IAM User Guide. The policy input is - * specified as a string containing the complete, valid JSON text of a permissions boundary - * policy.

- *

The maximum length of the policy document that you can pass in this operation, - * including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.

- *

The regex pattern - * used to validate this parameter is a string of characters consisting of the following:

- *
    - *
  • - *

    Any printable ASCII - * character ranging from the space character (\u0020) through the end of the ASCII character range

    - *
    • - *
  • - *

    The printable characters in the Basic Latin and Latin-1 Supplement character set - * (through \u00FF)

    - *
    • - *
  • - *

    The special characters tab (\u0009), line feed (\u000A), and - * carriage return (\u000D)

    - *
    • - *
- * @public - */ - PermissionsBoundaryPolicyInputList?: string[] | undefined; - - /** - *

A list of names of API operations to evaluate in the simulation. Each operation is - * evaluated for each resource. Each operation must include the service identifier, such as - * iam:CreateUser.

- * @public - */ - ActionNames: string[] | undefined; - - /** - *

A list of ARNs of Amazon Web Services resources to include in the simulation. If this parameter is - * not provided, then the value defaults to * (all resources). Each API in the - * ActionNames parameter is evaluated for each resource in this list. The - * simulation determines the access result (allowed or denied) of each combination and - * reports it in the response. You can simulate resources that don't exist in your - * account.

- *

The simulation does not automatically retrieve policies for the specified resources. - * If you want to include a resource policy in the simulation, then you must include the - * policy as a string in the ResourcePolicy parameter.

- *

For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

- * - *

Simulation of resource-based policies isn't supported for IAM roles.

- * - * @public - */ - ResourceArns?: string[] | undefined; - - /** - *

A resource-based policy to include in the simulation provided as a string. Each - * resource in the simulation is treated as if it had this policy attached. You can include - * only one resource-based policy in a simulation.

- *

The maximum length of the policy document that you can pass in this operation, - * including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.

- *

The regex pattern - * used to validate this parameter is a string of characters consisting of the following:

- *
    - *
  • - *

    Any printable ASCII - * character ranging from the space character (\u0020) through the end of the ASCII character range

    - *
    • - *
  • - *

    The printable characters in the Basic Latin and Latin-1 Supplement character set - * (through \u00FF)

    - *
    • - *
  • - *

    The special characters tab (\u0009), line feed (\u000A), and - * carriage return (\u000D)

    - *
    • - *
- * - *

Simulation of resource-based policies isn't supported for IAM roles.

- * - * @public - */ - ResourcePolicy?: string | undefined; - - /** - *

An Amazon Web Services account ID that specifies the owner of any simulated resource that does not - * identify its owner in the resource ARN. Examples of resource ARNs include an S3 bucket - * or object. If ResourceOwner is specified, it is also used as the account - * owner of any ResourcePolicy included in the simulation. If the - * ResourceOwner parameter is not specified, then the owner of the - * resources and the resource policy defaults to the account of the identity provided in - * CallerArn. This parameter is required only if you specify a - * resource-based policy and account that owns the resource is different from the account - * that owns the simulated calling user CallerArn.

- * @public - */ - ResourceOwner?: string | undefined; - - /** - *

The ARN of the IAM user that you want to specify as the simulated caller of the API - * operations. If you do not specify a CallerArn, it defaults to the ARN of - * the user that you specify in PolicySourceArn, if you specified a user. If - * you include both a PolicySourceArn (for example, - * arn:aws:iam::123456789012:user/David) and a CallerArn (for - * example, arn:aws:iam::123456789012:user/Bob), the result is that you - * simulate calling the API operations as Bob, as if Bob had David's policies.

- *

You can specify only the ARN of an IAM user. You cannot specify the ARN of an - * assumed role, federated user, or a service principal.

- *

- * CallerArn is required if you include a ResourcePolicy and - * the PolicySourceArn is not the ARN for an IAM user. This is required so - * that the resource-based policy's Principal element has a value to use in - * evaluating the policy.

- *

For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

- * @public - */ - CallerArn?: string | undefined; - - /** - *

A list of context keys and corresponding values for the simulation to use. Whenever a - * context key is evaluated in one of the simulated IAM permissions policies, the - * corresponding value is supplied.

- * @public - */ - ContextEntries?: ContextEntry[] | undefined; - - /** - *

Specifies the type of simulation to run. Different API operations that support - * resource-based policies require different combinations of resources. By specifying the - * type of simulation to run, you enable the policy simulator to enforce the presence of - * the required resources to ensure reliable simulation results. If your simulation does - * not match one of the following scenarios, then you can omit this parameter. The - * following list shows each of the supported scenario values and the resources that you - * must define to run the simulation.

- *

Each of the Amazon EC2 scenarios requires that you specify instance, image, and security - * group resources. If your scenario includes an EBS volume, then you must specify that - * volume as a resource. If the Amazon EC2 scenario includes VPC, then you must supply the - * network interface resource. If it includes an IP subnet, then you must specify the - * subnet resource. For more information on the Amazon EC2 scenario options, see Supported platforms in the Amazon EC2 User Guide.

- *
    - *
  • - *

    - * EC2-VPC-InstanceStore - *

    - *

    instance, image, security group, network interface

    - *
    • - *
  • - *

    - * EC2-VPC-InstanceStore-Subnet - *

    - *

    instance, image, security group, network interface, subnet

    - *
    • - *
  • - *

    - * EC2-VPC-EBS - *

    - *

    instance, image, security group, network interface, volume

    - *
    • - *
  • - *

    - * EC2-VPC-EBS-Subnet - *

    - *

    instance, image, security group, network interface, subnet, volume

    - *
    • - *
- * @public - */ - ResourceHandlingOption?: string | undefined; - - /** - *

Use this only when paginating results to indicate the - * maximum number of items you want in the response. If additional items exist beyond the maximum - * you specify, the IsTruncated response element is true.

- *

If you do not include this parameter, the number of items defaults to 100. Note that - * IAM might return fewer results, even when there are more results available. In that case, the - * IsTruncated response element returns true, and Marker - * contains a value to include in the subsequent call that tells the service where to continue - * from.

- * @public - */ - MaxItems?: number | undefined; - - /** - *

Use this parameter only when paginating results and only after - * you receive a response indicating that the results are truncated. Set it to the value of the - * Marker element in the response that you received to indicate where the next call - * should start.

- * @public - */ - Marker?: string | undefined; -} - -/** - * @public - */ -export interface TagInstanceProfileRequest { - /** - *

The name of the IAM instance profile to which you want to add tags.

- *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric - * characters with no spaces. You can also include any of the following characters: _+=,.@-

- * @public - */ - InstanceProfileName: string | undefined; - - /** - *

The list of tags that you want to attach to the IAM instance profile. - * Each tag consists of a key name and an associated value.

- * @public - */ - Tags: Tag[] | undefined; -} - -/** - * @public - */ -export interface TagMFADeviceRequest { - /** - *

The unique identifier for the IAM virtual MFA device to which you want to add tags. - * For virtual MFA devices, the serial number is the same as the ARN.

- *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric - * characters with no spaces. You can also include any of the following characters: _+=,.@-

- * @public - */ - SerialNumber: string | undefined; - - /** - *

The list of tags that you want to attach to the IAM virtual MFA device. - * Each tag consists of a key name and an associated value.

- * @public - */ - Tags: Tag[] | undefined; -} - -/** - * @public - */ -export interface TagOpenIDConnectProviderRequest { - /** - *

The ARN of the OIDC identity provider in IAM to which you want to add tags.

- *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric - * characters with no spaces. You can also include any of the following characters: _+=,.@-

- * @public - */ - OpenIDConnectProviderArn: string | undefined; - - /** - *

The list of tags that you want to attach to the OIDC identity provider in IAM. - * Each tag consists of a key name and an associated value.

- * @public - */ - Tags: Tag[] | undefined; -} - -/** - * @public - */ -export interface TagPolicyRequest { - /** - *

The ARN of the IAM customer managed policy to which you want to add tags.

- *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric - * characters with no spaces. You can also include any of the following characters: _+=,.@-

- * @public - */ - PolicyArn: string | undefined; - - /** - *

The list of tags that you want to attach to the IAM customer managed policy. - * Each tag consists of a key name and an associated value.

- * @public - */ - Tags: Tag[] | undefined; -} - -/** - * @public - */ -export interface TagRoleRequest { - /** - *

The name of the IAM role to which you want to add tags.

- *

This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric - * characters with no spaces. You can also include any of the following characters: _+=,.@-

- * @public - */ - RoleName: string | undefined; - - /** - *

The list of tags that you want to attach to the IAM role. Each tag consists of a key name and an associated value.

- * @public - */ - Tags: Tag[] | undefined; -} - -/** - * @public - */ -export interface TagSAMLProviderRequest { - /** - *

The ARN of the SAML identity provider in IAM to which you want to add tags.

- *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric - * characters with no spaces. You can also include any of the following characters: _+=,.@-

- * @public - */ - SAMLProviderArn: string | undefined; - - /** - *

The list of tags that you want to attach to the SAML identity provider in IAM. - * Each tag consists of a key name and an associated value.

- * @public - */ - Tags: Tag[] | undefined; -} - -/** - * @public - */ -export interface TagServerCertificateRequest { - /** - *

The name of the IAM server certificate to which you want to add tags.

- *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric - * characters with no spaces. You can also include any of the following characters: _+=,.@-

- * @public - */ - ServerCertificateName: string | undefined; - - /** - *

The list of tags that you want to attach to the IAM server certificate. - * Each tag consists of a key name and an associated value.

- * @public - */ - Tags: Tag[] | undefined; -} - -/** - * @public - */ -export interface TagUserRequest { - /** - *

The name of the IAM user to which you want to add tags.

- *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric - * characters with no spaces. You can also include any of the following characters: _+=,.@-

- * @public - */ - UserName: string | undefined; - - /** - *

The list of tags that you want to attach to the IAM user. Each tag consists of a key name and an associated value.

- * @public - */ - Tags: Tag[] | undefined; -} - /** * @internal */ diff --git a/clients/client-iam/src/models/models_1.ts b/clients/client-iam/src/models/models_1.ts index e9f65135bcf70..b718e79bb1c4f 100644 --- a/clients/client-iam/src/models/models_1.ts +++ b/clients/client-iam/src/models/models_1.ts @@ -3,7 +3,681 @@ import { ExceptionOptionType as __ExceptionOptionType, SENSITIVE_STRING } from " import { IAMServiceException as __BaseException } from "./IAMServiceException"; -import { Role, ServerCertificateMetadata, SigningCertificate, SSHPublicKey, StatusType, Tag } from "./models_0"; +import { + ContextEntry, + PolicyEvaluationDecisionType, + Position, + Role, + ServerCertificateMetadata, + SigningCertificate, + SSHPublicKey, + StatusType, + Tag, +} from "./models_0"; + +/** + * @public + * @enum + */ +export const PolicySourceType = { + AWS_MANAGED: "aws-managed", + GROUP: "group", + NONE: "none", + RESOURCE: "resource", + ROLE: "role", + USER: "user", + USER_MANAGED: "user-managed", +} as const; + +/** + * @public + */ +export type PolicySourceType = (typeof PolicySourceType)[keyof typeof PolicySourceType]; + +/** + *

Contains a reference to a Statement element in a policy document that + * determines the result of the simulation.

+ *

This data type is used by the MatchedStatements member of the + * EvaluationResult + * type.

+ * @public + */ +export interface Statement { + /** + *

The identifier of the policy that was provided as an input.

+ * @public + */ + SourcePolicyId?: string | undefined; + + /** + *

The type of the policy.

+ * @public + */ + SourcePolicyType?: PolicySourceType | undefined; + + /** + *

The row and column of the beginning of the Statement in an IAM + * policy.

+ * @public + */ + StartPosition?: Position | undefined; + + /** + *

The row and column of the end of a Statement in an IAM policy.

+ * @public + */ + EndPosition?: Position | undefined; +} + +/** + *

Contains information about the effect that Organizations has on a policy simulation.

+ * @public + */ +export interface OrganizationsDecisionDetail { + /** + *

Specifies whether the simulated operation is allowed by the Organizations service control + * policies that impact the simulated user's account.

+ * @public + */ + AllowedByOrganizations?: boolean | undefined; +} + +/** + *

Contains information about the effect that a permissions boundary has on a policy + * simulation when the boundary is applied to an IAM entity.

+ * @public + */ +export interface PermissionsBoundaryDecisionDetail { + /** + *

Specifies whether an action is allowed by a permissions boundary that is applied to an + * IAM entity (user or role). A value of true means that the permissions + * boundary does not deny the action. This means that the policy includes an + * Allow statement that matches the request. In this case, if an + * identity-based policy also allows the action, the request is allowed. A value of + * false means that either the requested action is not allowed (implicitly + * denied) or that the action is explicitly denied by the permissions boundary. In both of + * these cases, the action is not allowed, regardless of the identity-based policy.

+ * @public + */ + AllowedByPermissionsBoundary?: boolean | undefined; +} + +/** + *

Contains the result of the simulation of a single API operation call on a single + * resource.

+ *

This data type is used by a member of the EvaluationResult data + * type.

+ * @public + */ +export interface ResourceSpecificResult { + /** + *

The name of the simulated resource, in Amazon Resource Name (ARN) format.

+ * @public + */ + EvalResourceName: string | undefined; + + /** + *

The result of the simulation of the simulated API operation on the resource specified in + * EvalResourceName.

+ * @public + */ + EvalResourceDecision: PolicyEvaluationDecisionType | undefined; + + /** + *

A list of the statements in the input policies that determine the result for this part + * of the simulation. Remember that even if multiple statements allow the operation on the + * resource, if any statement denies that operation, then the explicit + * deny overrides any allow. In addition, the deny statement is the only entry included in the + * result.

+ * @public + */ + MatchedStatements?: Statement[] | undefined; + + /** + *

A list of context keys that are required by the included input policies but that were + * not provided by one of the input parameters. This list is used when a list of ARNs is + * included in the ResourceArns parameter instead of "*". If you do not specify + * individual resources, by setting ResourceArns to "*" or by not including the + * ResourceArns parameter, then any missing context values are instead + * included under the EvaluationResults section. To discover the context keys + * used by a set of policies, you can call GetContextKeysForCustomPolicy or + * GetContextKeysForPrincipalPolicy.

+ * @public + */ + MissingContextValues?: string[] | undefined; + + /** + *

Additional details about the results of the evaluation decision on a single resource. + * This parameter is returned only for cross-account simulations. This parameter explains how + * each policy type contributes to the resource-specific evaluation decision.

+ * @public + */ + EvalDecisionDetails?: Record | undefined; + + /** + *

Contains information about the effect that a permissions boundary has on a policy + * simulation when that boundary is applied to an IAM entity.

+ * @public + */ + PermissionsBoundaryDecisionDetail?: PermissionsBoundaryDecisionDetail | undefined; +} + +/** + *

Contains the results of a simulation.

+ *

This data type is used by the return parameter of + * SimulateCustomPolicy + * and + * SimulatePrincipalPolicy + * .

+ * @public + */ +export interface EvaluationResult { + /** + *

The name of the API operation tested on the indicated resource.

+ * @public + */ + EvalActionName: string | undefined; + + /** + *

The ARN of the resource that the indicated API operation was tested on.

+ * @public + */ + EvalResourceName?: string | undefined; + + /** + *

The result of the simulation.

+ * @public + */ + EvalDecision: PolicyEvaluationDecisionType | undefined; + + /** + *

A list of the statements in the input policies that determine the result for this + * scenario. Remember that even if multiple statements allow the operation on the resource, if + * only one statement denies that operation, then the explicit deny overrides any allow. In + * addition, the deny statement is the only entry included in the result.

+ * @public + */ + MatchedStatements?: Statement[] | undefined; + + /** + *

A list of context keys that are required by the included input policies but that were + * not provided by one of the input parameters. This list is used when the resource in a + * simulation is "*", either explicitly, or when the ResourceArns parameter + * blank. If you include a list of resources, then any missing context values are instead + * included under the ResourceSpecificResults section. To discover the context + * keys used by a set of policies, you can call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.

+ * @public + */ + MissingContextValues?: string[] | undefined; + + /** + *

A structure that details how Organizations and its service control policies affect the results of + * the simulation. Only applies if the simulated user's account is part of an + * organization.

+ * @public + */ + OrganizationsDecisionDetail?: OrganizationsDecisionDetail | undefined; + + /** + *

Contains information about the effect that a permissions boundary has on a policy + * simulation when the boundary is applied to an IAM entity.

+ * @public + */ + PermissionsBoundaryDecisionDetail?: PermissionsBoundaryDecisionDetail | undefined; + + /** + *

Additional details about the results of the cross-account evaluation decision. This + * parameter is populated for only cross-account simulations. It contains a brief summary of + * how each policy type contributes to the final evaluation decision.

+ *

If the simulation evaluates policies within the same account and includes a resource + * ARN, then the parameter is present but the response is empty. If the simulation evaluates + * policies within the same account and specifies all resources (*), then the + * parameter is not returned.

+ *

When you make a cross-account request, Amazon Web Services evaluates the request in the trusting + * account and the trusted account. The request is allowed only if both evaluations return + * true. For more information about how policies are evaluated, see Evaluating policies within a single account.

+ *

If an Organizations SCP included in the evaluation denies access, the simulation ends. In + * this case, policy evaluation does not proceed any further and this parameter is not + * returned.

+ * @public + */ + EvalDecisionDetails?: Record | undefined; + + /** + *

The individual results of the simulation of the API operation specified in + * EvalActionName on each resource.

+ * @public + */ + ResourceSpecificResults?: ResourceSpecificResult[] | undefined; +} + +/** + *

Contains the response to a successful SimulatePrincipalPolicy or + * SimulateCustomPolicy request.

+ * @public + */ +export interface SimulatePolicyResponse { + /** + *

The results of the simulation.

+ * @public + */ + EvaluationResults?: EvaluationResult[] | undefined; + + /** + *

A flag that indicates whether there are more items to return. If your + * results were truncated, you can make a subsequent pagination request using the Marker + * request parameter to retrieve more items. Note that IAM might return fewer than the + * MaxItems number of results even when there are more results available. We recommend + * that you check IsTruncated after every call to ensure that you receive all your + * results.

+ * @public + */ + IsTruncated?: boolean | undefined; + + /** + *

When IsTruncated is true, this element + * is present and contains the value to use for the Marker parameter in a subsequent + * pagination request.

+ * @public + */ + Marker?: string | undefined; +} + +/** + * @public + */ +export interface SimulatePrincipalPolicyRequest { + /** + *

The Amazon Resource Name (ARN) of a user, group, or role whose policies you want to + * include in the simulation. If you specify a user, group, or role, the simulation + * includes all policies that are associated with that entity. If you specify a user, the + * simulation also includes all policies that are attached to any groups the user belongs + * to.

+ *

The maximum length of the policy document that you can pass in this operation, + * including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.

+ *

For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

+ * @public + */ + PolicySourceArn: string | undefined; + + /** + *

An optional list of additional policy documents to include in the simulation. Each + * document is specified as a string containing the complete, valid JSON text of an IAM + * policy.

+ *

The regex pattern + * used to validate this parameter is a string of characters consisting of the following:

+ *
    + *
  • + *

    Any printable ASCII + * character ranging from the space character (\u0020) through the end of the ASCII character range

    + *
    • + *
  • + *

    The printable characters in the Basic Latin and Latin-1 Supplement character set + * (through \u00FF)

    + *
    • + *
  • + *

    The special characters tab (\u0009), line feed (\u000A), and + * carriage return (\u000D)

    + *
    • + *
+ * @public + */ + PolicyInputList?: string[] | undefined; + + /** + *

The IAM permissions boundary policy to simulate. The permissions boundary sets the + * maximum permissions that the entity can have. You can input only one permissions + * boundary when you pass a policy to this operation. An IAM entity can only have one + * permissions boundary in effect at a time. For example, if a permissions boundary is + * attached to an entity and you pass in a different permissions boundary policy using this + * parameter, then the new permissions boundary policy is used for the simulation. For more + * information about permissions boundaries, see Permissions boundaries for IAM + * entities in the IAM User Guide. The policy input is + * specified as a string containing the complete, valid JSON text of a permissions boundary + * policy.

+ *

The maximum length of the policy document that you can pass in this operation, + * including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.

+ *

The regex pattern + * used to validate this parameter is a string of characters consisting of the following:

+ *
    + *
  • + *

    Any printable ASCII + * character ranging from the space character (\u0020) through the end of the ASCII character range

    + *
    • + *
  • + *

    The printable characters in the Basic Latin and Latin-1 Supplement character set + * (through \u00FF)

    + *
    • + *
  • + *

    The special characters tab (\u0009), line feed (\u000A), and + * carriage return (\u000D)

    + *
    • + *
+ * @public + */ + PermissionsBoundaryPolicyInputList?: string[] | undefined; + + /** + *

A list of names of API operations to evaluate in the simulation. Each operation is + * evaluated for each resource. Each operation must include the service identifier, such as + * iam:CreateUser.

+ * @public + */ + ActionNames: string[] | undefined; + + /** + *

A list of ARNs of Amazon Web Services resources to include in the simulation. If this parameter is + * not provided, then the value defaults to * (all resources). Each API in the + * ActionNames parameter is evaluated for each resource in this list. The + * simulation determines the access result (allowed or denied) of each combination and + * reports it in the response. You can simulate resources that don't exist in your + * account.

+ *

The simulation does not automatically retrieve policies for the specified resources. + * If you want to include a resource policy in the simulation, then you must include the + * policy as a string in the ResourcePolicy parameter.

+ *

For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

+ * + *

Simulation of resource-based policies isn't supported for IAM roles.

+ * + * @public + */ + ResourceArns?: string[] | undefined; + + /** + *

A resource-based policy to include in the simulation provided as a string. Each + * resource in the simulation is treated as if it had this policy attached. You can include + * only one resource-based policy in a simulation.

+ *

The maximum length of the policy document that you can pass in this operation, + * including whitespace, is listed below. To view the maximum character counts of a managed policy with no whitespaces, see IAM and STS character quotas.

+ *

The regex pattern + * used to validate this parameter is a string of characters consisting of the following:

+ *
    + *
  • + *

    Any printable ASCII + * character ranging from the space character (\u0020) through the end of the ASCII character range

    + *
    • + *
  • + *

    The printable characters in the Basic Latin and Latin-1 Supplement character set + * (through \u00FF)

    + *
    • + *
  • + *

    The special characters tab (\u0009), line feed (\u000A), and + * carriage return (\u000D)

    + *
    • + *
+ * + *

Simulation of resource-based policies isn't supported for IAM roles.

+ * + * @public + */ + ResourcePolicy?: string | undefined; + + /** + *

An Amazon Web Services account ID that specifies the owner of any simulated resource that does not + * identify its owner in the resource ARN. Examples of resource ARNs include an S3 bucket + * or object. If ResourceOwner is specified, it is also used as the account + * owner of any ResourcePolicy included in the simulation. If the + * ResourceOwner parameter is not specified, then the owner of the + * resources and the resource policy defaults to the account of the identity provided in + * CallerArn. This parameter is required only if you specify a + * resource-based policy and account that owns the resource is different from the account + * that owns the simulated calling user CallerArn.

+ * @public + */ + ResourceOwner?: string | undefined; + + /** + *

The ARN of the IAM user that you want to specify as the simulated caller of the API + * operations. If you do not specify a CallerArn, it defaults to the ARN of + * the user that you specify in PolicySourceArn, if you specified a user. If + * you include both a PolicySourceArn (for example, + * arn:aws:iam::123456789012:user/David) and a CallerArn (for + * example, arn:aws:iam::123456789012:user/Bob), the result is that you + * simulate calling the API operations as Bob, as if Bob had David's policies.

+ *

You can specify only the ARN of an IAM user. You cannot specify the ARN of an + * assumed role, federated user, or a service principal.

+ *

+ * CallerArn is required if you include a ResourcePolicy and + * the PolicySourceArn is not the ARN for an IAM user. This is required so + * that the resource-based policy's Principal element has a value to use in + * evaluating the policy.

+ *

For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference.

+ * @public + */ + CallerArn?: string | undefined; + + /** + *

A list of context keys and corresponding values for the simulation to use. Whenever a + * context key is evaluated in one of the simulated IAM permissions policies, the + * corresponding value is supplied.

+ * @public + */ + ContextEntries?: ContextEntry[] | undefined; + + /** + *

Specifies the type of simulation to run. Different API operations that support + * resource-based policies require different combinations of resources. By specifying the + * type of simulation to run, you enable the policy simulator to enforce the presence of + * the required resources to ensure reliable simulation results. If your simulation does + * not match one of the following scenarios, then you can omit this parameter. The + * following list shows each of the supported scenario values and the resources that you + * must define to run the simulation.

+ *

Each of the Amazon EC2 scenarios requires that you specify instance, image, and security + * group resources. If your scenario includes an EBS volume, then you must specify that + * volume as a resource. If the Amazon EC2 scenario includes VPC, then you must supply the + * network interface resource. If it includes an IP subnet, then you must specify the + * subnet resource. For more information on the Amazon EC2 scenario options, see Supported platforms in the Amazon EC2 User Guide.

+ *
    + *
  • + *

    + * EC2-VPC-InstanceStore + *

    + *

    instance, image, security group, network interface

    + *
    • + *
  • + *

    + * EC2-VPC-InstanceStore-Subnet + *

    + *

    instance, image, security group, network interface, subnet

    + *
    • + *
  • + *

    + * EC2-VPC-EBS + *

    + *

    instance, image, security group, network interface, volume

    + *
    • + *
  • + *

    + * EC2-VPC-EBS-Subnet + *

    + *

    instance, image, security group, network interface, subnet, volume

    + *
    • + *
+ * @public + */ + ResourceHandlingOption?: string | undefined; + + /** + *

Use this only when paginating results to indicate the + * maximum number of items you want in the response. If additional items exist beyond the maximum + * you specify, the IsTruncated response element is true.

+ *

If you do not include this parameter, the number of items defaults to 100. Note that + * IAM might return fewer results, even when there are more results available. In that case, the + * IsTruncated response element returns true, and Marker + * contains a value to include in the subsequent call that tells the service where to continue + * from.

+ * @public + */ + MaxItems?: number | undefined; + + /** + *

Use this parameter only when paginating results and only after + * you receive a response indicating that the results are truncated. Set it to the value of the + * Marker element in the response that you received to indicate where the next call + * should start.

+ * @public + */ + Marker?: string | undefined; +} + +/** + * @public + */ +export interface TagInstanceProfileRequest { + /** + *

The name of the IAM instance profile to which you want to add tags.

+ *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric + * characters with no spaces. You can also include any of the following characters: _+=,.@-

+ * @public + */ + InstanceProfileName: string | undefined; + + /** + *

The list of tags that you want to attach to the IAM instance profile. + * Each tag consists of a key name and an associated value.

+ * @public + */ + Tags: Tag[] | undefined; +} + +/** + * @public + */ +export interface TagMFADeviceRequest { + /** + *

The unique identifier for the IAM virtual MFA device to which you want to add tags. + * For virtual MFA devices, the serial number is the same as the ARN.

+ *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric + * characters with no spaces. You can also include any of the following characters: _+=,.@-

+ * @public + */ + SerialNumber: string | undefined; + + /** + *

The list of tags that you want to attach to the IAM virtual MFA device. + * Each tag consists of a key name and an associated value.

+ * @public + */ + Tags: Tag[] | undefined; +} + +/** + * @public + */ +export interface TagOpenIDConnectProviderRequest { + /** + *

The ARN of the OIDC identity provider in IAM to which you want to add tags.

+ *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric + * characters with no spaces. You can also include any of the following characters: _+=,.@-

+ * @public + */ + OpenIDConnectProviderArn: string | undefined; + + /** + *

The list of tags that you want to attach to the OIDC identity provider in IAM. + * Each tag consists of a key name and an associated value.

+ * @public + */ + Tags: Tag[] | undefined; +} + +/** + * @public + */ +export interface TagPolicyRequest { + /** + *

The ARN of the IAM customer managed policy to which you want to add tags.

+ *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric + * characters with no spaces. You can also include any of the following characters: _+=,.@-

+ * @public + */ + PolicyArn: string | undefined; + + /** + *

The list of tags that you want to attach to the IAM customer managed policy. + * Each tag consists of a key name and an associated value.

+ * @public + */ + Tags: Tag[] | undefined; +} + +/** + * @public + */ +export interface TagRoleRequest { + /** + *

The name of the IAM role to which you want to add tags.

+ *

This parameter accepts (through its regex pattern) a string of characters that consist of upper and lowercase alphanumeric + * characters with no spaces. You can also include any of the following characters: _+=,.@-

+ * @public + */ + RoleName: string | undefined; + + /** + *

The list of tags that you want to attach to the IAM role. Each tag consists of a key name and an associated value.

+ * @public + */ + Tags: Tag[] | undefined; +} + +/** + * @public + */ +export interface TagSAMLProviderRequest { + /** + *

The ARN of the SAML identity provider in IAM to which you want to add tags.

+ *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric + * characters with no spaces. You can also include any of the following characters: _+=,.@-

+ * @public + */ + SAMLProviderArn: string | undefined; + + /** + *

The list of tags that you want to attach to the SAML identity provider in IAM. + * Each tag consists of a key name and an associated value.

+ * @public + */ + Tags: Tag[] | undefined; +} + +/** + * @public + */ +export interface TagServerCertificateRequest { + /** + *

The name of the IAM server certificate to which you want to add tags.

+ *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric + * characters with no spaces. You can also include any of the following characters: _+=,.@-

+ * @public + */ + ServerCertificateName: string | undefined; + + /** + *

The list of tags that you want to attach to the IAM server certificate. + * Each tag consists of a key name and an associated value.

+ * @public + */ + Tags: Tag[] | undefined; +} + +/** + * @public + */ +export interface TagUserRequest { + /** + *

The name of the IAM user to which you want to add tags.

+ *

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric + * characters with no spaces. You can also include any of the following characters: _+=,.@-

+ * @public + */ + UserName: string | undefined; + + /** + *

The list of tags that you want to attach to the IAM user. Each tag consists of a key name and an associated value.

+ * @public + */ + Tags: Tag[] | undefined; +} /** * @public diff --git a/clients/client-iam/src/protocols/Aws_query.ts b/clients/client-iam/src/protocols/Aws_query.ts index 78ee560581ce0..0828956878175 100644 --- a/clients/client-iam/src/protocols/Aws_query.ts +++ b/clients/client-iam/src/protocols/Aws_query.ts @@ -128,7 +128,23 @@ import { import { DetachGroupPolicyCommandInput, DetachGroupPolicyCommandOutput } from "../commands/DetachGroupPolicyCommand"; import { DetachRolePolicyCommandInput, DetachRolePolicyCommandOutput } from "../commands/DetachRolePolicyCommand"; import { DetachUserPolicyCommandInput, DetachUserPolicyCommandOutput } from "../commands/DetachUserPolicyCommand"; +import { + DisableOrganizationsRootCredentialsManagementCommandInput, + DisableOrganizationsRootCredentialsManagementCommandOutput, +} from "../commands/DisableOrganizationsRootCredentialsManagementCommand"; +import { + DisableOrganizationsRootSessionsCommandInput, + DisableOrganizationsRootSessionsCommandOutput, +} from "../commands/DisableOrganizationsRootSessionsCommand"; import { EnableMFADeviceCommandInput, EnableMFADeviceCommandOutput } from "../commands/EnableMFADeviceCommand"; +import { + EnableOrganizationsRootCredentialsManagementCommandInput, + EnableOrganizationsRootCredentialsManagementCommandOutput, +} from "../commands/EnableOrganizationsRootCredentialsManagementCommand"; +import { + EnableOrganizationsRootSessionsCommandInput, + EnableOrganizationsRootSessionsCommandOutput, +} from "../commands/EnableOrganizationsRootSessionsCommand"; import { GenerateCredentialReportCommandInput, GenerateCredentialReportCommandOutput, @@ -246,6 +262,10 @@ import { ListOpenIDConnectProviderTagsCommandInput, ListOpenIDConnectProviderTagsCommandOutput, } from "../commands/ListOpenIDConnectProviderTagsCommand"; +import { + ListOrganizationsFeaturesCommandInput, + ListOrganizationsFeaturesCommandOutput, +} from "../commands/ListOrganizationsFeaturesCommand"; import { ListPoliciesCommandInput, ListPoliciesCommandOutput } from "../commands/ListPoliciesCommand"; import { ListPoliciesGrantingServiceAccessCommandInput, @@ -410,6 +430,7 @@ import { AccessKey, AccessKeyLastUsed, AccessKeyMetadata, + AccountNotManagementOrDelegatedAdministratorException, AddClientIDToOpenIDConnectProviderRequest, AddRoleToInstanceProfileRequest, AddUserToGroupRequest, @@ -418,6 +439,7 @@ import { AttachGroupPolicyRequest, AttachRolePolicyRequest, AttachUserPolicyRequest, + CallerIsNotManagementAccountException, ChangePasswordRequest, ConcurrentModificationException, ContextEntry, @@ -480,14 +502,22 @@ import { DetachGroupPolicyRequest, DetachRolePolicyRequest, DetachUserPolicyRequest, + DisableOrganizationsRootCredentialsManagementRequest, + DisableOrganizationsRootCredentialsManagementResponse, + DisableOrganizationsRootSessionsRequest, + DisableOrganizationsRootSessionsResponse, EnableMFADeviceRequest, + EnableOrganizationsRootCredentialsManagementRequest, + EnableOrganizationsRootCredentialsManagementResponse, + EnableOrganizationsRootSessionsRequest, + EnableOrganizationsRootSessionsResponse, EntityAlreadyExistsException, EntityDetails, EntityInfo, EntityTemporarilyUnmodifiableException, EntityType, ErrorDetails, - EvaluationResult, + FeatureType, GenerateCredentialReportResponse, GenerateOrganizationsAccessReportRequest, GenerateOrganizationsAccessReportResponse, @@ -580,6 +610,8 @@ import { ListOpenIDConnectProvidersResponse, ListOpenIDConnectProviderTagsRequest, ListOpenIDConnectProviderTagsResponse, + ListOrganizationsFeaturesRequest, + ListOrganizationsFeaturesResponse, ListPoliciesGrantingServiceAccessEntry, ListPoliciesGrantingServiceAccessRequest, ListPoliciesGrantingServiceAccessResponse, @@ -624,10 +656,10 @@ import { NoSuchEntityException, OpenIDConnectProviderListEntry, OpenIdIdpCommunicationErrorException, - OrganizationsDecisionDetail, + OrganizationNotFoundException, + OrganizationNotInAllFeaturesModeException, PasswordPolicy, PasswordPolicyViolationException, - PermissionsBoundaryDecisionDetail, Policy, PolicyDetail, PolicyEvaluationDecisionType, @@ -650,7 +682,6 @@ import { ReportGenerationLimitExceededException, ResetServiceSpecificCredentialRequest, ResetServiceSpecificCredentialResponse, - ResourceSpecificResult, ResyncMFADeviceRequest, Role, RoleDetail, @@ -659,6 +690,7 @@ import { SAMLProviderListEntry, ServerCertificate, ServerCertificateMetadata, + ServiceAccessNotEnabledException, ServiceFailureException, ServiceLastAccessed, ServiceNotSupportedException, @@ -668,21 +700,10 @@ import { SetSecurityTokenServicePreferencesRequest, SigningCertificate, SimulateCustomPolicyRequest, - SimulatePolicyResponse, - SimulatePrincipalPolicyRequest, SSHPublicKey, SSHPublicKeyMetadata, - Statement, SummaryKeyType, Tag, - TagInstanceProfileRequest, - TagMFADeviceRequest, - TagOpenIDConnectProviderRequest, - TagPolicyRequest, - TagRoleRequest, - TagSAMLProviderRequest, - TagServerCertificateRequest, - TagUserRequest, TrackedActionLastAccessed, UnmodifiableEntityException, UnrecognizedPublicKeyEncodingException, @@ -693,10 +714,25 @@ import { import { DuplicateCertificateException, DuplicateSSHPublicKeyException, + EvaluationResult, InvalidCertificateException, InvalidPublicKeyException, KeyPairMismatchException, MalformedCertificateException, + OrganizationsDecisionDetail, + PermissionsBoundaryDecisionDetail, + ResourceSpecificResult, + SimulatePolicyResponse, + SimulatePrincipalPolicyRequest, + Statement, + TagInstanceProfileRequest, + TagMFADeviceRequest, + TagOpenIDConnectProviderRequest, + TagPolicyRequest, + TagRoleRequest, + TagSAMLProviderRequest, + TagServerCertificateRequest, + TagUserRequest, UntagInstanceProfileRequest, UntagMFADeviceRequest, UntagOpenIDConnectProviderRequest, @@ -1544,6 +1580,40 @@ export const se_DetachUserPolicyCommand = async ( return buildHttpRpcRequest(context, headers, "/", undefined, body); }; +/** + * serializeAws_queryDisableOrganizationsRootCredentialsManagementCommand + */ +export const se_DisableOrganizationsRootCredentialsManagementCommand = async ( + input: DisableOrganizationsRootCredentialsManagementCommandInput, + context: __SerdeContext +): Promise<__HttpRequest> => { + const headers: __HeaderBag = SHARED_HEADERS; + let body: any; + body = buildFormUrlencodedString({ + ...se_DisableOrganizationsRootCredentialsManagementRequest(input, context), + [_A]: _DORCM, + [_V]: _, + }); + return buildHttpRpcRequest(context, headers, "/", undefined, body); +}; + +/** + * serializeAws_queryDisableOrganizationsRootSessionsCommand + */ +export const se_DisableOrganizationsRootSessionsCommand = async ( + input: DisableOrganizationsRootSessionsCommandInput, + context: __SerdeContext +): Promise<__HttpRequest> => { + const headers: __HeaderBag = SHARED_HEADERS; + let body: any; + body = buildFormUrlencodedString({ + ...se_DisableOrganizationsRootSessionsRequest(input, context), + [_A]: _DORS, + [_V]: _, + }); + return buildHttpRpcRequest(context, headers, "/", undefined, body); +}; + /** * serializeAws_queryEnableMFADeviceCommand */ @@ -1561,6 +1631,40 @@ export const se_EnableMFADeviceCommand = async ( return buildHttpRpcRequest(context, headers, "/", undefined, body); }; +/** + * serializeAws_queryEnableOrganizationsRootCredentialsManagementCommand + */ +export const se_EnableOrganizationsRootCredentialsManagementCommand = async ( + input: EnableOrganizationsRootCredentialsManagementCommandInput, + context: __SerdeContext +): Promise<__HttpRequest> => { + const headers: __HeaderBag = SHARED_HEADERS; + let body: any; + body = buildFormUrlencodedString({ + ...se_EnableOrganizationsRootCredentialsManagementRequest(input, context), + [_A]: _EORCM, + [_V]: _, + }); + return buildHttpRpcRequest(context, headers, "/", undefined, body); +}; + +/** + * serializeAws_queryEnableOrganizationsRootSessionsCommand + */ +export const se_EnableOrganizationsRootSessionsCommand = async ( + input: EnableOrganizationsRootSessionsCommandInput, + context: __SerdeContext +): Promise<__HttpRequest> => { + const headers: __HeaderBag = SHARED_HEADERS; + let body: any; + body = buildFormUrlencodedString({ + ...se_EnableOrganizationsRootSessionsRequest(input, context), + [_A]: _EORS, + [_V]: _, + }); + return buildHttpRpcRequest(context, headers, "/", undefined, body); +}; + /** * serializeAws_queryGenerateCredentialReportCommand */ @@ -2318,6 +2422,23 @@ export const se_ListOpenIDConnectProviderTagsCommand = async ( return buildHttpRpcRequest(context, headers, "/", undefined, body); }; +/** + * serializeAws_queryListOrganizationsFeaturesCommand + */ +export const se_ListOrganizationsFeaturesCommand = async ( + input: ListOrganizationsFeaturesCommandInput, + context: __SerdeContext +): Promise<__HttpRequest> => { + const headers: __HeaderBag = SHARED_HEADERS; + let body: any; + body = buildFormUrlencodedString({ + ...se_ListOrganizationsFeaturesRequest(input, context), + [_A]: _LOF, + [_V]: _, + }); + return buildHttpRpcRequest(context, headers, "/", undefined, body); +}; + /** * serializeAws_queryListPoliciesCommand */ @@ -4281,6 +4402,49 @@ export const de_DetachUserPolicyCommand = async ( return response; }; +/** + * deserializeAws_queryDisableOrganizationsRootCredentialsManagementCommand + */ +export const de_DisableOrganizationsRootCredentialsManagementCommand = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + if (output.statusCode >= 300) { + return de_CommandError(output, context); + } + const data: any = await parseBody(output.body, context); + let contents: any = {}; + contents = de_DisableOrganizationsRootCredentialsManagementResponse( + data.DisableOrganizationsRootCredentialsManagementResult, + context + ); + const response: DisableOrganizationsRootCredentialsManagementCommandOutput = { + $metadata: deserializeMetadata(output), + ...contents, + }; + return response; +}; + +/** + * deserializeAws_queryDisableOrganizationsRootSessionsCommand + */ +export const de_DisableOrganizationsRootSessionsCommand = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + if (output.statusCode >= 300) { + return de_CommandError(output, context); + } + const data: any = await parseBody(output.body, context); + let contents: any = {}; + contents = de_DisableOrganizationsRootSessionsResponse(data.DisableOrganizationsRootSessionsResult, context); + const response: DisableOrganizationsRootSessionsCommandOutput = { + $metadata: deserializeMetadata(output), + ...contents, + }; + return response; +}; + /** * deserializeAws_queryEnableMFADeviceCommand */ @@ -4298,6 +4462,49 @@ export const de_EnableMFADeviceCommand = async ( return response; }; +/** + * deserializeAws_queryEnableOrganizationsRootCredentialsManagementCommand + */ +export const de_EnableOrganizationsRootCredentialsManagementCommand = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + if (output.statusCode >= 300) { + return de_CommandError(output, context); + } + const data: any = await parseBody(output.body, context); + let contents: any = {}; + contents = de_EnableOrganizationsRootCredentialsManagementResponse( + data.EnableOrganizationsRootCredentialsManagementResult, + context + ); + const response: EnableOrganizationsRootCredentialsManagementCommandOutput = { + $metadata: deserializeMetadata(output), + ...contents, + }; + return response; +}; + +/** + * deserializeAws_queryEnableOrganizationsRootSessionsCommand + */ +export const de_EnableOrganizationsRootSessionsCommand = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + if (output.statusCode >= 300) { + return de_CommandError(output, context); + } + const data: any = await parseBody(output.body, context); + let contents: any = {}; + contents = de_EnableOrganizationsRootSessionsResponse(data.EnableOrganizationsRootSessionsResult, context); + const response: EnableOrganizationsRootSessionsCommandOutput = { + $metadata: deserializeMetadata(output), + ...contents, + }; + return response; +}; + /** * deserializeAws_queryGenerateCredentialReportCommand */ @@ -5201,6 +5408,26 @@ export const de_ListOpenIDConnectProviderTagsCommand = async ( return response; }; +/** + * deserializeAws_queryListOrganizationsFeaturesCommand + */ +export const de_ListOrganizationsFeaturesCommand = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + if (output.statusCode >= 300) { + return de_CommandError(output, context); + } + const data: any = await parseBody(output.body, context); + let contents: any = {}; + contents = de_ListOrganizationsFeaturesResponse(data.ListOrganizationsFeaturesResult, context); + const response: ListOrganizationsFeaturesCommandOutput = { + $metadata: deserializeMetadata(output), + ...contents, + }; + return response; +}; + /** * deserializeAws_queryListPoliciesCommand */ @@ -6442,9 +6669,24 @@ const de_CommandError = async (output: __HttpResponse, context: __SerdeContext): case "DeleteConflict": case "com.amazonaws.iam#DeleteConflictException": throw await de_DeleteConflictExceptionRes(parsedOutput, context); + case "AccountNotManagementOrDelegatedAdministratorException": + case "com.amazonaws.iam#AccountNotManagementOrDelegatedAdministratorException": + throw await de_AccountNotManagementOrDelegatedAdministratorExceptionRes(parsedOutput, context); + case "OrganizationNotFoundException": + case "com.amazonaws.iam#OrganizationNotFoundException": + throw await de_OrganizationNotFoundExceptionRes(parsedOutput, context); + case "OrganizationNotInAllFeaturesModeException": + case "com.amazonaws.iam#OrganizationNotInAllFeaturesModeException": + throw await de_OrganizationNotInAllFeaturesModeExceptionRes(parsedOutput, context); + case "ServiceAccessNotEnabledException": + case "com.amazonaws.iam#ServiceAccessNotEnabledException": + throw await de_ServiceAccessNotEnabledExceptionRes(parsedOutput, context); case "InvalidAuthenticationCode": case "com.amazonaws.iam#InvalidAuthenticationCodeException": throw await de_InvalidAuthenticationCodeExceptionRes(parsedOutput, context); + case "CallerIsNotManagementAccountException": + case "com.amazonaws.iam#CallerIsNotManagementAccountException": + throw await de_CallerIsNotManagementAccountExceptionRes(parsedOutput, context); case "ReportGenerationLimitExceeded": case "com.amazonaws.iam#ReportGenerationLimitExceededException": throw await de_ReportGenerationLimitExceededExceptionRes(parsedOutput, context); @@ -6491,6 +6733,38 @@ const de_CommandError = async (output: __HttpResponse, context: __SerdeContext): } }; +/** + * deserializeAws_queryAccountNotManagementOrDelegatedAdministratorExceptionRes + */ +const de_AccountNotManagementOrDelegatedAdministratorExceptionRes = async ( + parsedOutput: any, + context: __SerdeContext +): Promise => { + const body = parsedOutput.body; + const deserialized: any = de_AccountNotManagementOrDelegatedAdministratorException(body.Error, context); + const exception = new AccountNotManagementOrDelegatedAdministratorException({ + $metadata: deserializeMetadata(parsedOutput), + ...deserialized, + }); + return __decorateServiceException(exception, body); +}; + +/** + * deserializeAws_queryCallerIsNotManagementAccountExceptionRes + */ +const de_CallerIsNotManagementAccountExceptionRes = async ( + parsedOutput: any, + context: __SerdeContext +): Promise => { + const body = parsedOutput.body; + const deserialized: any = de_CallerIsNotManagementAccountException(body.Error, context); + const exception = new CallerIsNotManagementAccountException({ + $metadata: deserializeMetadata(parsedOutput), + ...deserialized, + }); + return __decorateServiceException(exception, body); +}; + /** * deserializeAws_queryConcurrentModificationExceptionRes */ @@ -6811,6 +7085,38 @@ const de_OpenIdIdpCommunicationErrorExceptionRes = async ( return __decorateServiceException(exception, body); }; +/** + * deserializeAws_queryOrganizationNotFoundExceptionRes + */ +const de_OrganizationNotFoundExceptionRes = async ( + parsedOutput: any, + context: __SerdeContext +): Promise => { + const body = parsedOutput.body; + const deserialized: any = de_OrganizationNotFoundException(body.Error, context); + const exception = new OrganizationNotFoundException({ + $metadata: deserializeMetadata(parsedOutput), + ...deserialized, + }); + return __decorateServiceException(exception, body); +}; + +/** + * deserializeAws_queryOrganizationNotInAllFeaturesModeExceptionRes + */ +const de_OrganizationNotInAllFeaturesModeExceptionRes = async ( + parsedOutput: any, + context: __SerdeContext +): Promise => { + const body = parsedOutput.body; + const deserialized: any = de_OrganizationNotInAllFeaturesModeException(body.Error, context); + const exception = new OrganizationNotInAllFeaturesModeException({ + $metadata: deserializeMetadata(parsedOutput), + ...deserialized, + }); + return __decorateServiceException(exception, body); +}; + /** * deserializeAws_queryPasswordPolicyViolationExceptionRes */ @@ -6875,6 +7181,22 @@ const de_ReportGenerationLimitExceededExceptionRes = async ( return __decorateServiceException(exception, body); }; +/** + * deserializeAws_queryServiceAccessNotEnabledExceptionRes + */ +const de_ServiceAccessNotEnabledExceptionRes = async ( + parsedOutput: any, + context: __SerdeContext +): Promise => { + const body = parsedOutput.body; + const deserialized: any = de_ServiceAccessNotEnabledException(body.Error, context); + const exception = new ServiceAccessNotEnabledException({ + $metadata: deserializeMetadata(parsedOutput), + ...deserialized, + }); + return __decorateServiceException(exception, body); +}; + /** * deserializeAws_queryServiceFailureExceptionRes */ @@ -7778,6 +8100,28 @@ const se_DetachUserPolicyRequest = (input: DetachUserPolicyRequest, context: __S return entries; }; +/** + * serializeAws_queryDisableOrganizationsRootCredentialsManagementRequest + */ +const se_DisableOrganizationsRootCredentialsManagementRequest = ( + input: DisableOrganizationsRootCredentialsManagementRequest, + context: __SerdeContext +): any => { + const entries: any = {}; + return entries; +}; + +/** + * serializeAws_queryDisableOrganizationsRootSessionsRequest + */ +const se_DisableOrganizationsRootSessionsRequest = ( + input: DisableOrganizationsRootSessionsRequest, + context: __SerdeContext +): any => { + const entries: any = {}; + return entries; +}; + /** * serializeAws_queryEnableMFADeviceRequest */ @@ -7798,6 +8142,28 @@ const se_EnableMFADeviceRequest = (input: EnableMFADeviceRequest, context: __Ser return entries; }; +/** + * serializeAws_queryEnableOrganizationsRootCredentialsManagementRequest + */ +const se_EnableOrganizationsRootCredentialsManagementRequest = ( + input: EnableOrganizationsRootCredentialsManagementRequest, + context: __SerdeContext +): any => { + const entries: any = {}; + return entries; +}; + +/** + * serializeAws_queryEnableOrganizationsRootSessionsRequest + */ +const se_EnableOrganizationsRootSessionsRequest = ( + input: EnableOrganizationsRootSessionsRequest, + context: __SerdeContext +): any => { + const entries: any = {}; + return entries; +}; + /** * serializeAws_queryentityListType */ @@ -8490,6 +8856,14 @@ const se_ListOpenIDConnectProviderTagsRequest = ( return entries; }; +/** + * serializeAws_queryListOrganizationsFeaturesRequest + */ +const se_ListOrganizationsFeaturesRequest = (input: ListOrganizationsFeaturesRequest, context: __SerdeContext): any => { + const entries: any = {}; + return entries; +}; + /** * serializeAws_queryListPoliciesGrantingServiceAccessRequest */ @@ -10051,6 +10425,20 @@ const de_accountAliasListType = (output: any, context: __SerdeContext): string[] }); }; +/** + * deserializeAws_queryAccountNotManagementOrDelegatedAdministratorException + */ +const de_AccountNotManagementOrDelegatedAdministratorException = ( + output: any, + context: __SerdeContext +): AccountNotManagementOrDelegatedAdministratorException => { + const contents: any = {}; + if (output[_Me] != null) { + contents[_Me] = __expectString(output[_Me]); + } + return contents; +}; + /** * deserializeAws_queryArnListType */ @@ -10101,6 +10489,20 @@ const de_AttachedPolicy = (output: any, context: __SerdeContext): AttachedPolicy return contents; }; +/** + * deserializeAws_queryCallerIsNotManagementAccountException + */ +const de_CallerIsNotManagementAccountException = ( + output: any, + context: __SerdeContext +): CallerIsNotManagementAccountException => { + const contents: any = {}; + if (output[_Me] != null) { + contents[_Me] = __expectString(output[_Me]); + } + return contents; +}; + /** * deserializeAws_querycertificateListType */ @@ -10397,6 +10799,44 @@ const de_DeletionTaskFailureReasonType = (output: any, context: __SerdeContext): return contents; }; +/** + * deserializeAws_queryDisableOrganizationsRootCredentialsManagementResponse + */ +const de_DisableOrganizationsRootCredentialsManagementResponse = ( + output: any, + context: __SerdeContext +): DisableOrganizationsRootCredentialsManagementResponse => { + const contents: any = {}; + if (output[_OI] != null) { + contents[_OI] = __expectString(output[_OI]); + } + if (output.EnabledFeatures === "") { + contents[_EFn] = []; + } else if (output[_EFn] != null && output[_EFn][_me] != null) { + contents[_EFn] = de_FeaturesListType(__getArrayIfSingleItem(output[_EFn][_me]), context); + } + return contents; +}; + +/** + * deserializeAws_queryDisableOrganizationsRootSessionsResponse + */ +const de_DisableOrganizationsRootSessionsResponse = ( + output: any, + context: __SerdeContext +): DisableOrganizationsRootSessionsResponse => { + const contents: any = {}; + if (output[_OI] != null) { + contents[_OI] = __expectString(output[_OI]); + } + if (output.EnabledFeatures === "") { + contents[_EFn] = []; + } else if (output[_EFn] != null && output[_EFn][_me] != null) { + contents[_EFn] = de_FeaturesListType(__getArrayIfSingleItem(output[_EFn][_me]), context); + } + return contents; +}; + /** * deserializeAws_queryDuplicateCertificateException */ @@ -10419,6 +10859,44 @@ const de_DuplicateSSHPublicKeyException = (output: any, context: __SerdeContext) return contents; }; +/** + * deserializeAws_queryEnableOrganizationsRootCredentialsManagementResponse + */ +const de_EnableOrganizationsRootCredentialsManagementResponse = ( + output: any, + context: __SerdeContext +): EnableOrganizationsRootCredentialsManagementResponse => { + const contents: any = {}; + if (output[_OI] != null) { + contents[_OI] = __expectString(output[_OI]); + } + if (output.EnabledFeatures === "") { + contents[_EFn] = []; + } else if (output[_EFn] != null && output[_EFn][_me] != null) { + contents[_EFn] = de_FeaturesListType(__getArrayIfSingleItem(output[_EFn][_me]), context); + } + return contents; +}; + +/** + * deserializeAws_queryEnableOrganizationsRootSessionsResponse + */ +const de_EnableOrganizationsRootSessionsResponse = ( + output: any, + context: __SerdeContext +): EnableOrganizationsRootSessionsResponse => { + const contents: any = {}; + if (output[_OI] != null) { + contents[_OI] = __expectString(output[_OI]); + } + if (output.EnabledFeatures === "") { + contents[_EFn] = []; + } else if (output[_EFn] != null && output[_EFn][_me] != null) { + contents[_EFn] = de_FeaturesListType(__getArrayIfSingleItem(output[_EFn][_me]), context); + } + return contents; +}; + /** * deserializeAws_queryEntityAlreadyExistsException */ @@ -10576,6 +11054,17 @@ const de_EvaluationResultsListType = (output: any, context: __SerdeContext): Eva }); }; +/** + * deserializeAws_queryFeaturesListType + */ +const de_FeaturesListType = (output: any, context: __SerdeContext): FeatureType[] => { + return (output || []) + .filter((e: any) => e != null) + .map((entry: any) => { + return __expectString(entry) as any; + }); +}; + /** * deserializeAws_queryGenerateCredentialReportResponse */ @@ -11633,6 +12122,25 @@ const de_ListOpenIDConnectProviderTagsResponse = ( return contents; }; +/** + * deserializeAws_queryListOrganizationsFeaturesResponse + */ +const de_ListOrganizationsFeaturesResponse = ( + output: any, + context: __SerdeContext +): ListOrganizationsFeaturesResponse => { + const contents: any = {}; + if (output[_OI] != null) { + contents[_OI] = __expectString(output[_OI]); + } + if (output.EnabledFeatures === "") { + contents[_EFn] = []; + } else if (output[_EFn] != null && output[_EFn][_me] != null) { + contents[_EFn] = de_FeaturesListType(__getArrayIfSingleItem(output[_EFn][_me]), context); + } + return contents; +}; + /** * deserializeAws_queryListPoliciesGrantingServiceAccessEntry */ @@ -12182,6 +12690,31 @@ const de_OpenIdIdpCommunicationErrorException = ( return contents; }; +/** + * deserializeAws_queryOrganizationNotFoundException + */ +const de_OrganizationNotFoundException = (output: any, context: __SerdeContext): OrganizationNotFoundException => { + const contents: any = {}; + if (output[_Me] != null) { + contents[_Me] = __expectString(output[_Me]); + } + return contents; +}; + +/** + * deserializeAws_queryOrganizationNotInAllFeaturesModeException + */ +const de_OrganizationNotInAllFeaturesModeException = ( + output: any, + context: __SerdeContext +): OrganizationNotInAllFeaturesModeException => { + const contents: any = {}; + if (output[_Me] != null) { + contents[_Me] = __expectString(output[_Me]); + } + return contents; +}; + /** * deserializeAws_queryOrganizationsDecisionDetail */ @@ -12847,6 +13380,20 @@ const de_serverCertificateMetadataListType = (output: any, context: __SerdeConte }); }; +/** + * deserializeAws_queryServiceAccessNotEnabledException + */ +const de_ServiceAccessNotEnabledException = ( + output: any, + context: __SerdeContext +): ServiceAccessNotEnabledException => { + const contents: any = {}; + if (output[_Me] != null) { + contents[_Me] = __expectString(output[_Me]); + } + return contents; +}; + /** * deserializeAws_queryServiceFailureException */ @@ -13546,6 +14093,8 @@ const _DIP = "DeleteInstanceProfile"; const _DLP = "DeleteLoginProfile"; const _DMFAD = "DeactivateMFADevice"; const _DOIDCP = "DeleteOpenIDConnectProvider"; +const _DORCM = "DisableOrganizationsRootCredentialsManagement"; +const _DORS = "DisableOrganizationsRootSessions"; const _DP = "DeletePolicy"; const _DPV = "DeletePolicyVersion"; const _DR = "DeleteRole"; @@ -13574,9 +14123,12 @@ const _EDL = "EntityDetailsList"; const _EDn = "EnableDate"; const _EDr = "ErrorDetails"; const _EF = "EntityFilter"; +const _EFn = "EnabledFeatures"; const _EI = "EntityInfo"; const _EMFAD = "EnableMFADevice"; const _EN = "EntityName"; +const _EORCM = "EnableOrganizationsRootCredentialsManagement"; +const _EORS = "EnableOrganizationsRootSessions"; const _EP = "EntityPath"; const _EPn = "EndPosition"; const _EPx = "ExpirePasswords"; @@ -13665,6 +14217,7 @@ const _LIPFR = "ListInstanceProfilesForRole"; const _LIPT = "ListInstanceProfileTags"; const _LMFAD = "ListMFADevices"; const _LMFADT = "ListMFADeviceTags"; +const _LOF = "ListOrganizationsFeatures"; const _LOIDCP = "ListOpenIDConnectProviders"; const _LOIDCPT = "ListOpenIDConnectProviderTags"; const _LP = "ListPolicies"; @@ -13706,6 +14259,7 @@ const _NSCN = "NewServerCertificateName"; const _NUN = "NewUserName"; const _OA = "OnlyAttached"; const _ODD = "OrganizationsDecisionDetail"; +const _OI = "OrganizationId"; const _OIDCPA = "OpenIDConnectProviderArn"; const _OIDCPL = "OpenIDConnectProviderList"; const _OP = "OldPassword"; diff --git a/codegen/sdk-codegen/aws-models/iam.json b/codegen/sdk-codegen/aws-models/iam.json index a868a045d15fa..8fdd85e3113d1 100644 --- a/codegen/sdk-codegen/aws-models/iam.json +++ b/codegen/sdk-codegen/aws-models/iam.json @@ -177,9 +177,21 @@ { "target": "com.amazonaws.iam#DetachUserPolicy" }, + { + "target": "com.amazonaws.iam#DisableOrganizationsRootCredentialsManagement" + }, + { + "target": "com.amazonaws.iam#DisableOrganizationsRootSessions" + }, { "target": "com.amazonaws.iam#EnableMFADevice" }, + { + "target": "com.amazonaws.iam#EnableOrganizationsRootCredentialsManagement" + }, + { + "target": "com.amazonaws.iam#EnableOrganizationsRootSessions" + }, { "target": "com.amazonaws.iam#GenerateCredentialReport" }, @@ -315,6 +327,9 @@ { "target": "com.amazonaws.iam#ListOpenIDConnectProviderTags" }, + { + "target": "com.amazonaws.iam#ListOrganizationsFeatures" + }, { "target": "com.amazonaws.iam#ListPolicies" }, @@ -2049,6 +2064,19 @@ "smithy.api#documentation": "

Contains information about an Amazon Web Services access key, without its secret key.

\n

This data type is used as a response element in the ListAccessKeys\n operation.

" } }, + "com.amazonaws.iam#AccountNotManagementOrDelegatedAdministratorException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.iam#ExceptionMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the account making the request is not the management\n account or delegated administrator account for centralized root\n access.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, "com.amazonaws.iam#ActionNameListType": { "type": "list", "member": { @@ -2473,6 +2501,19 @@ "smithy.api#sensitive": {} } }, + "com.amazonaws.iam#CallerIsNotManagementAccountException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.iam#ExceptionMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because the account making the request is not the management\n account for the organization.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, "com.amazonaws.iam#CertificationKeyType": { "type": "string", "traits": { @@ -3071,15 +3112,13 @@ "UserName": { "target": "com.amazonaws.iam#userNameType", "traits": { - "smithy.api#documentation": "

The name of the IAM user to create a password for. The user must already\n exist.

\n

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric \n characters with no spaces. You can also include any of the following characters: _+=,.@-

", - "smithy.api#required": {} + "smithy.api#documentation": "

The name of the IAM user to create a password for. The user must already\n exist.

\n

This parameter is optional. If no user name is included, it defaults to the principal\n making the request. When you make this request with root user credentials, you must use\n an AssumeRoot session to omit the user name.

\n

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric \n characters with no spaces. You can also include any of the following characters: _+=,.@-

" } }, "Password": { "target": "com.amazonaws.iam#passwordType", "traits": { - "smithy.api#documentation": "

The new password for the user.

\n

The regex pattern \n that is used to validate this parameter is a string of characters. That string can include almost any printable \n ASCII character from the space (\\u0020) through the end of the ASCII character range (\\u00FF). \n You can also include the tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D) \n characters. Any of these characters are valid in a password. However, many tools, such \n as the Amazon Web Services Management Console, might restrict the ability to type certain characters because they have \n special meaning within that tool.

", - "smithy.api#required": {} + "smithy.api#documentation": "

The new password for the user.

\n

This parameter must be omitted when you make the request with an AssumeRoot session. It is required in all other cases.

\n

The regex pattern \n that is used to validate this parameter is a string of characters. That string can include almost any printable \n ASCII character from the space (\\u0020) through the end of the ASCII character range (\\u00FF). \n You can also include the tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D) \n characters. Any of these characters are valid in a password. However, many tools, such \n as the Amazon Web Services Management Console, might restrict the ability to type certain characters because they have \n special meaning within that tool.

" } }, "PasswordResetRequired": { @@ -3951,8 +3990,7 @@ "UserName": { "target": "com.amazonaws.iam#existingUserNameType", "traits": { - "smithy.api#documentation": "

The name of the user whose MFA device you want to deactivate.

\n

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric \n characters with no spaces. You can also include any of the following characters: _+=,.@-

", - "smithy.api#required": {} + "smithy.api#documentation": "

The name of the user whose MFA device you want to deactivate.

\n

This parameter is optional. If no user name is included, it defaults to the principal\n making the request. When you make this request with root user credentials, you must use\n an AssumeRoot session to omit the user name.

\n

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric \n characters with no spaces. You can also include any of the following characters: _+=,.@-

" } }, "SerialNumber": { @@ -4304,8 +4342,7 @@ "UserName": { "target": "com.amazonaws.iam#userNameType", "traits": { - "smithy.api#documentation": "

The name of the user whose password you want to delete.

\n

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric \n characters with no spaces. You can also include any of the following characters: _+=,.@-

", - "smithy.api#required": {} + "smithy.api#documentation": "

The name of the user whose password you want to delete.

\n

This parameter is optional. If no user name is included, it defaults to the principal\n making the request. When you make this request with root user credentials, you must use\n an AssumeRoot session to omit the user name.

\n

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric \n characters with no spaces. You can also include any of the following characters: _+=,.@-

" } } }, @@ -5268,6 +5305,132 @@ "smithy.api#input": {} } }, + "com.amazonaws.iam#DisableOrganizationsRootCredentialsManagement": { + "type": "operation", + "input": { + "target": "com.amazonaws.iam#DisableOrganizationsRootCredentialsManagementRequest" + }, + "output": { + "target": "com.amazonaws.iam#DisableOrganizationsRootCredentialsManagementResponse" + }, + "errors": [ + { + "target": "com.amazonaws.iam#AccountNotManagementOrDelegatedAdministratorException" + }, + { + "target": "com.amazonaws.iam#OrganizationNotFoundException" + }, + { + "target": "com.amazonaws.iam#OrganizationNotInAllFeaturesModeException" + }, + { + "target": "com.amazonaws.iam#ServiceAccessNotEnabledException" + } + ], + "traits": { + "smithy.api#documentation": "

Disables the management of privileged root user credentials across member accounts in\n your organization. When you disable this feature, the management account and the\n delegated admininstrator for IAM can no longer manage root user credentials for member\n accounts in your organization.

", + "smithy.api#examples": [ + { + "title": "To disable the RootCredentialsManagement feature in your organization", + "documentation": "The following command disables the management of privileged root user credentials across member accounts in your organization.", + "output": { + "OrganizationId": "o-aa111bb222", + "EnabledFeatures": ["RootSessions"] + } + } + ] + } + }, + "com.amazonaws.iam#DisableOrganizationsRootCredentialsManagementRequest": { + "type": "structure", + "members": {}, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.iam#DisableOrganizationsRootCredentialsManagementResponse": { + "type": "structure", + "members": { + "OrganizationId": { + "target": "com.amazonaws.iam#OrganizationIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier (ID) of an organization.

" + } + }, + "EnabledFeatures": { + "target": "com.amazonaws.iam#FeaturesListType", + "traits": { + "smithy.api#documentation": "

The features enabled for centralized root access for member accounts in your\n organization.

" + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, + "com.amazonaws.iam#DisableOrganizationsRootSessions": { + "type": "operation", + "input": { + "target": "com.amazonaws.iam#DisableOrganizationsRootSessionsRequest" + }, + "output": { + "target": "com.amazonaws.iam#DisableOrganizationsRootSessionsResponse" + }, + "errors": [ + { + "target": "com.amazonaws.iam#AccountNotManagementOrDelegatedAdministratorException" + }, + { + "target": "com.amazonaws.iam#OrganizationNotFoundException" + }, + { + "target": "com.amazonaws.iam#OrganizationNotInAllFeaturesModeException" + }, + { + "target": "com.amazonaws.iam#ServiceAccessNotEnabledException" + } + ], + "traits": { + "smithy.api#documentation": "

Disables root user sessions for privileged tasks across member accounts in your\n organization. When you disable this feature, the management account and the delegated\n admininstrator for IAM can no longer perform privileged tasks on member accounts in\n your organization.

", + "smithy.api#examples": [ + { + "title": "To disable the RootSessions feature in your organization", + "documentation": "The following command disables root user sessions for privileged tasks across member accounts in your organization.", + "output": { + "OrganizationId": "o-aa111bb222", + "EnabledFeatures": ["RootCredentialsManagement"] + } + } + ] + } + }, + "com.amazonaws.iam#DisableOrganizationsRootSessionsRequest": { + "type": "structure", + "members": {}, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.iam#DisableOrganizationsRootSessionsResponse": { + "type": "structure", + "members": { + "OrganizationId": { + "target": "com.amazonaws.iam#OrganizationIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier (ID) of an organization.

" + } + }, + "EnabledFeatures": { + "target": "com.amazonaws.iam#FeaturesListType", + "traits": { + "smithy.api#documentation": "

The features you have enabled for centralized root access of member accounts in your\n organization.

" + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, "com.amazonaws.iam#DuplicateCertificateException": { "type": "structure", "members": { @@ -5373,6 +5536,138 @@ "smithy.api#input": {} } }, + "com.amazonaws.iam#EnableOrganizationsRootCredentialsManagement": { + "type": "operation", + "input": { + "target": "com.amazonaws.iam#EnableOrganizationsRootCredentialsManagementRequest" + }, + "output": { + "target": "com.amazonaws.iam#EnableOrganizationsRootCredentialsManagementResponse" + }, + "errors": [ + { + "target": "com.amazonaws.iam#AccountNotManagementOrDelegatedAdministratorException" + }, + { + "target": "com.amazonaws.iam#CallerIsNotManagementAccountException" + }, + { + "target": "com.amazonaws.iam#OrganizationNotFoundException" + }, + { + "target": "com.amazonaws.iam#OrganizationNotInAllFeaturesModeException" + }, + { + "target": "com.amazonaws.iam#ServiceAccessNotEnabledException" + } + ], + "traits": { + "smithy.api#documentation": "

Enables the management of privileged root user credentials across member accounts in your\n organization. When you enable root credentials management for centralized root access, the management account and the delegated\n admininstrator for IAM can manage root user credentials for member accounts in your\n organization.

\n

Before you enable centralized root access, you must have an account configured with\n the following settings:

\n
    \n
  • \n

    You must manage your Amazon Web Services accounts in Organizations.

    \n
    • \n
  • \n

    Enable trusted access for Identity and Access Management in Organizations. For details, see\n IAM and Organizations in the Organizations User\n Guide.

    \n
    • \n
", + "smithy.api#examples": [ + { + "title": "To enable the RootCredentialsManagement feature in your organization", + "documentation": "The following command enables the management of privileged root user credentials across member accounts in your organization.", + "output": { + "OrganizationId": "o-aa111bb222", + "EnabledFeatures": ["RootCredentialsManagement"] + } + } + ] + } + }, + "com.amazonaws.iam#EnableOrganizationsRootCredentialsManagementRequest": { + "type": "structure", + "members": {}, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.iam#EnableOrganizationsRootCredentialsManagementResponse": { + "type": "structure", + "members": { + "OrganizationId": { + "target": "com.amazonaws.iam#OrganizationIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier (ID) of an organization.

" + } + }, + "EnabledFeatures": { + "target": "com.amazonaws.iam#FeaturesListType", + "traits": { + "smithy.api#documentation": "

The features you have enabled for centralized root access.

" + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, + "com.amazonaws.iam#EnableOrganizationsRootSessions": { + "type": "operation", + "input": { + "target": "com.amazonaws.iam#EnableOrganizationsRootSessionsRequest" + }, + "output": { + "target": "com.amazonaws.iam#EnableOrganizationsRootSessionsResponse" + }, + "errors": [ + { + "target": "com.amazonaws.iam#AccountNotManagementOrDelegatedAdministratorException" + }, + { + "target": "com.amazonaws.iam#CallerIsNotManagementAccountException" + }, + { + "target": "com.amazonaws.iam#OrganizationNotFoundException" + }, + { + "target": "com.amazonaws.iam#OrganizationNotInAllFeaturesModeException" + }, + { + "target": "com.amazonaws.iam#ServiceAccessNotEnabledException" + } + ], + "traits": { + "smithy.api#documentation": "

Allows the management account or delegated administrator to perform privileged tasks\n on member accounts in your organization. For more information, see Centrally manage root access for member accounts in the Identity and Access Management\n User Guide.

\n

Before you enable this feature, you must have an account configured with the following\n settings:

\n
    \n
  • \n

    You must manage your Amazon Web Services accounts in Organizations.

    \n
    • \n
  • \n

    Enable trusted access for Identity and Access Management in Organizations. For details, see\n IAM and Organizations in the Organizations User\n Guide.

    \n
    • \n
", + "smithy.api#examples": [ + { + "title": "To enable the RootSessions feature in your organization", + "documentation": "The following command allows the management account or delegated administrator to perform privileged tasks on member accounts in your organization.", + "output": { + "OrganizationId": "o-aa111bb222", + "EnabledFeatures": ["RootCredentialsManagement", "RootSessions"] + } + } + ] + } + }, + "com.amazonaws.iam#EnableOrganizationsRootSessionsRequest": { + "type": "structure", + "members": {}, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.iam#EnableOrganizationsRootSessionsResponse": { + "type": "structure", + "members": { + "OrganizationId": { + "target": "com.amazonaws.iam#OrganizationIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier (ID) of an organization.

" + } + }, + "EnabledFeatures": { + "target": "com.amazonaws.iam#FeaturesListType", + "traits": { + "smithy.api#documentation": "

The features you have enabled for centralized root access.

" + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, "com.amazonaws.iam#EntityAlreadyExistsException": { "type": "structure", "members": { @@ -5614,6 +5909,32 @@ "target": "com.amazonaws.iam#EvaluationResult" } }, + "com.amazonaws.iam#ExceptionMessage": { + "type": "string" + }, + "com.amazonaws.iam#FeatureType": { + "type": "enum", + "members": { + "ROOT_CREDENTIALS_MANAGEMENT": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "RootCredentialsManagement" + } + }, + "ROOT_SESSIONS": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "RootSessions" + } + } + } + }, + "com.amazonaws.iam#FeaturesListType": { + "type": "list", + "member": { + "target": "com.amazonaws.iam#FeatureType" + } + }, "com.amazonaws.iam#GenerateCredentialReport": { "type": "operation", "input": { @@ -6492,8 +6813,7 @@ "UserName": { "target": "com.amazonaws.iam#userNameType", "traits": { - "smithy.api#documentation": "

The name of the user whose login profile you want to retrieve.

\n

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric \n characters with no spaces. You can also include any of the following characters: _+=,.@-

", - "smithy.api#required": {} + "smithy.api#documentation": "

The name of the user whose login profile you want to retrieve.

\n

This parameter is optional. If no user name is included, it defaults to the principal\n making the request. When you make this request with root user credentials, you must use\n an AssumeRoot session to omit the user name.

\n

This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric \n characters with no spaces. You can also include any of the following characters: _+=,.@-

" } } }, @@ -8214,7 +8534,7 @@ } ], "traits": { - "smithy.api#documentation": "

Lists the account alias associated with the Amazon Web Services account (Note: you can have only\n one). For information about using an Amazon Web Services account alias, see Creating,\n deleting, and listing an Amazon Web Services account alias in the\n IAM User Guide.

", + "smithy.api#documentation": "

Lists the account alias associated with the Amazon Web Services account (Note: you can have only\n one). For information about using an Amazon Web Services account alias, see Creating,\n deleting, and listing an Amazon Web Services account alias in the Amazon Web Services Sign-In\n User Guide.

", "smithy.api#examples": [ { "title": "To list account aliases", @@ -9505,6 +9825,69 @@ "smithy.api#output": {} } }, + "com.amazonaws.iam#ListOrganizationsFeatures": { + "type": "operation", + "input": { + "target": "com.amazonaws.iam#ListOrganizationsFeaturesRequest" + }, + "output": { + "target": "com.amazonaws.iam#ListOrganizationsFeaturesResponse" + }, + "errors": [ + { + "target": "com.amazonaws.iam#AccountNotManagementOrDelegatedAdministratorException" + }, + { + "target": "com.amazonaws.iam#OrganizationNotFoundException" + }, + { + "target": "com.amazonaws.iam#OrganizationNotInAllFeaturesModeException" + }, + { + "target": "com.amazonaws.iam#ServiceAccessNotEnabledException" + } + ], + "traits": { + "smithy.api#documentation": "

Lists the centralized root access features enabled for your organization. For more\n information, see Centrally manage root access for member accounts.

", + "smithy.api#examples": [ + { + "title": "To list the centralized root access features enabled for your organization", + "documentation": "he following command lists the centralized root access features enabled for your organization.", + "output": { + "OrganizationId": "o-aa111bb222", + "EnabledFeatures": ["RootCredentialsManagement"] + } + } + ] + } + }, + "com.amazonaws.iam#ListOrganizationsFeaturesRequest": { + "type": "structure", + "members": {}, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.iam#ListOrganizationsFeaturesResponse": { + "type": "structure", + "members": { + "OrganizationId": { + "target": "com.amazonaws.iam#OrganizationIdType", + "traits": { + "smithy.api#documentation": "

The unique identifier (ID) of an organization.

" + } + }, + "EnabledFeatures": { + "target": "com.amazonaws.iam#FeaturesListType", + "traits": { + "smithy.api#documentation": "

Specifies the features that are currently available in your organization.

" + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, "com.amazonaws.iam#ListPolicies": { "type": "operation", "input": { @@ -11314,6 +11697,42 @@ "smithy.api#httpError": 400 } }, + "com.amazonaws.iam#OrganizationIdType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 0, + "max": 34 + }, + "smithy.api#pattern": "^o-[a-z0-9]{10,32}$" + } + }, + "com.amazonaws.iam#OrganizationNotFoundException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.iam#ExceptionMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because no organization is associated with your account.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.iam#OrganizationNotInAllFeaturesModeException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.iam#ExceptionMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because your organization does not have All features enabled. For\n more information, see Available feature sets in the Organizations User\n Guide.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, "com.amazonaws.iam#OrganizationsDecisionDetail": { "type": "structure", "members": { @@ -12993,6 +13412,19 @@ "smithy.api#documentation": "

Contains information about a server certificate without its certificate body,\n certificate chain, and private key.

\n

This data type is used as a response element in the UploadServerCertificate and ListServerCertificates\n operations.

" } }, + "com.amazonaws.iam#ServiceAccessNotEnabledException": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.iam#ExceptionMessage" + } + }, + "traits": { + "smithy.api#documentation": "

The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the Organizations User Guide.

", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, "com.amazonaws.iam#ServiceFailureException": { "type": "structure", "members": { @@ -16822,6 +17254,12 @@ "smithy.api#enumValue": "AccountAccessKeysPresent" } }, + "AccountPasswordPresent": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AccountPasswordPresent" + } + }, "AccountSigningCertificatesPresent": { "target": "smithy.api#Unit", "traits": {