Retrieves a list of resources of the specified type that have been analyzed by the specified external access analyzer. This action is not supported for unused access analyzers.
" + "documentation":"Retrieves a list of resources of the specified type that have been analyzed by the specified analyzer.
" }, "ListAnalyzers":{ "name":"ListAnalyzers", @@ -597,6 +597,26 @@ "documentation":"Removes a tag from the specified resource.
", "idempotent":true }, + "UpdateAnalyzer":{ + "name":"UpdateAnalyzer", + "http":{ + "method":"PUT", + "requestUri":"/analyzer/{analyzerName}", + "responseCode":200 + }, + "input":{"shape":"UpdateAnalyzerRequest"}, + "output":{"shape":"UpdateAnalyzerResponse"}, + "errors":[ + {"shape":"ResourceNotFoundException"}, + {"shape":"ConflictException"}, + {"shape":"ValidationException"}, + {"shape":"InternalServerException"}, + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"} + ], + "documentation":"Modifies the configuration of an existing analyzer.
", + "idempotent":true + }, "UpdateArchiveRule":{ "name":"UpdateArchiveRule", "http":{ @@ -913,6 +933,10 @@ "max":100, "min":0 }, + "AccountIdsList":{ + "type":"list", + "member":{"shape":"String"} + }, "AclCanonicalId":{"type":"string"}, "AclGrantee":{ "type":"structure", @@ -945,6 +969,34 @@ "type":"list", "member":{"shape":"String"} }, + "AnalysisRule":{ + "type":"structure", + "members":{ + "exclusions":{ + "shape":"AnalysisRuleCriteriaList", + "documentation":"A list of rules for the analyzer containing criteria to exclude from analysis. Entities that meet the rule criteria will not generate findings.
" + } + }, + "documentation":"Contains information about analysis rules for the analyzer. Analysis rules determine which entities will generate findings based on the criteria you define when you create the rule.
" + }, + "AnalysisRuleCriteria":{ + "type":"structure", + "members":{ + "accountIds":{ + "shape":"AccountIdsList", + "documentation":"A list of Amazon Web Services account IDs to apply to the analysis rule criteria. The accounts cannot include the organization analyzer owner account. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers. The list cannot include more than 2,000 account IDs.
" + }, + "resourceTags":{ + "shape":"TagsList", + "documentation":"An array of key-value pairs to match for your resources. You can use the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
For the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with aws:.
For the tag value, you can specify a value that is 0 to 256 characters in length. If the specified tag value is 0 characters, the rule is applied to all principals with the specified tag key.
" + } + }, + "documentation":"The criteria for an analysis rule for an analyzer. The criteria determine which entities will generate findings.
" + }, + "AnalysisRuleCriteriaList":{ + "type":"list", + "member":{"shape":"AnalysisRuleCriteria"} + }, "AnalyzedResource":{ "type":"structure", "required":[ @@ -1040,10 +1092,10 @@ "members":{ "unusedAccess":{ "shape":"UnusedAccessConfiguration", - "documentation":"Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or account. External access analyzers do not support any configuration.
" + "documentation":"Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or account.
" } }, - "documentation":"Contains information about the configuration of an unused access analyzer for an Amazon Web Services organization or account.
", + "documentation":"Contains information about the configuration of an analyzer for an Amazon Web Services organization or account.
", "union":true }, "AnalyzerStatus":{ @@ -1161,7 +1213,7 @@ "documentation":"The time at which the archive rule was last updated.
" } }, - "documentation":"Contains information about an archive rule.
" + "documentation":"Contains information about an archive rule. Archive rules automatically archive new findings that meet the criteria you define when you create the rule.
" }, "ArchiveRulesList":{ "type":"list", @@ -1533,7 +1585,7 @@ }, "tags":{ "shape":"TagsMap", - "documentation":"An array of key-value pairs to apply to the analyzer.
" + "documentation":"An array of key-value pairs to apply to the analyzer. You can use the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -.
For the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with aws:.
For the tag value, you can specify a value that is 0 to 256 characters in length.
" }, "clientToken":{ "shape":"String", @@ -1542,7 +1594,7 @@ }, "configuration":{ "shape":"AnalyzerConfiguration", - "documentation":"Specifies the configuration of the analyzer. If the analyzer is an unused access analyzer, the specified scope of unused access is used for the configuration. If the analyzer is an external access analyzer, this field is not used.
" + "documentation":"Specifies the configuration of the analyzer. If the analyzer is an unused access analyzer, the specified scope of unused access is used for the configuration.
" } }, "documentation":"Creates an analyzer.
" @@ -3522,7 +3574,8 @@ "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", - "AWS::DynamoDB::Stream" + "AWS::DynamoDB::Stream", + "AWS::IAM::User" ] }, "RetiringPrincipal":{"type":"string"}, @@ -3849,6 +3902,10 @@ }, "documentation":"The response to the request.
" }, + "TagsList":{ + "type":"list", + "member":{"shape":"TagsMap"} + }, "TagsMap":{ "type":"map", "key":{"shape":"String"}, @@ -3981,8 +4038,9 @@ "members":{ "unusedAccessAge":{ "shape":"Integer", - "documentation":"The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 180 days.
" - } + "documentation":"The specified access age in days for which to generate findings for unused access. For example, if you specify 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any access that hasn't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 365 days.
" + }, + "analysisRule":{"shape":"AnalysisRule"} }, "documentation":"Contains information about an unused access analyzer.
" }, @@ -4082,6 +4140,25 @@ }, "documentation":"Contains information about the action to take for a policy in an unused permissions finding.
" }, + "UpdateAnalyzerRequest":{ + "type":"structure", + "required":["analyzerName"], + "members":{ + "analyzerName":{ + "shape":"Name", + "documentation":"The name of the analyzer to modify.
", + "location":"uri", + "locationName":"analyzerName" + }, + "configuration":{"shape":"AnalyzerConfiguration"} + } + }, + "UpdateAnalyzerResponse":{ + "type":"structure", + "members":{ + "configuration":{"shape":"AnalyzerConfiguration"} + } + }, "UpdateArchiveRuleRequest":{ "type":"structure", "required":[ diff --git a/services/account/pom.xml b/services/account/pom.xml index 1249a9149ab8..5d29370c976d 100644 --- a/services/account/pom.xml +++ b/services/account/pom.xml @@ -21,7 +21,7 @@Represents the current status of the resource operation request.
" + }, + "HooksProgressEvent":{ + "shape":"HooksProgressEvent", + "documentation":"Lists Hook invocations for the specified target in the request. This is a list since the same target can invoke multiple Hooks.
" } } }, @@ -412,6 +418,7 @@ "NotUpdatable", "InvalidRequest", "AccessDenied", + "UnauthorizedTaggingOperation", "InvalidCredentials", "AlreadyExists", "NotFound", @@ -446,10 +453,76 @@ }, "HandlerNextToken":{ "type":"string", - "max":2048, + "max":4096, "min":1, "pattern":".+" }, + "HookFailureMode":{ + "type":"string", + "max":128, + "min":1, + "pattern":"[-A-Za-z_]+" + }, + "HookInvocationPoint":{ + "type":"string", + "max":128, + "min":1, + "pattern":"[-A-Za-z_]+" + }, + "HookProgressEvent":{ + "type":"structure", + "members":{ + "HookTypeName":{ + "shape":"TypeName", + "documentation":"The type name of the Hook being invoked.
" + }, + "HookTypeVersionId":{ + "shape":"TypeVersionId", + "documentation":"The type version of the Hook being invoked.
" + }, + "HookTypeArn":{ + "shape":"HookTypeArn", + "documentation":"The ARN of the Hook being invoked.
" + }, + "InvocationPoint":{ + "shape":"HookInvocationPoint", + "documentation":"States whether the Hook is invoked before or after resource provisioning.
" + }, + "HookStatus":{ + "shape":"HookStatus", + "documentation":"The status of the Hook invocation. The following are potential statuses:
HOOK_PENDING: The Hook was added to the invocation plan, but not yet invoked.
HOOK_IN_PROGRESS: The Hook was invoked, but hasn't completed.
HOOK_COMPLETE_SUCCEEDED: The Hook invocation is complete with a successful result.
HOOK_COMPLETE_FAILED: The Hook invocation is complete with a failed result.
HOOK_FAILED: The Hook invocation didn't complete successfully.
The time that the Hook invocation request initiated.
" + }, + "HookStatusMessage":{ + "shape":"StatusMessage", + "documentation":"The message explaining the current Hook status.
" + }, + "FailureMode":{ + "shape":"HookFailureMode", + "documentation":"The failure mode of the invocation. The following are the potential statuses:
FAIL: This will fail the Hook invocation and the request associated with it.
WARN: This will fail the Hook invocation, but not the request associated with it.
Represents the current status of applicable Hooks for a resource operation request. It contains list of Hook invocation information for the resource specified in the request since the same target can invoke multiple Hooks. For more information, see Managing resource operation requests with Amazon Web Services Cloud Control API .
" + }, + "HookStatus":{ + "type":"string", + "max":128, + "min":1, + "pattern":"[-A-Za-z_]+" + }, + "HookTypeArn":{ + "type":"string", + "max":2048, + "min":1, + "pattern":"arn:aws.*:.+:.*:.*:.+" + }, + "HooksProgressEvent":{ + "type":"list", + "member":{"shape":"HookProgressEvent"} + }, "Identifier":{ "type":"string", "max":1024, @@ -615,7 +688,8 @@ }, "PatchDocument":{ "type":"string", - "max":65536, + "documentation":"Allow up to 256K length of Resource properties
", + "max":262144, "min":1, "pattern":"[\\s\\S]*", "sensitive":true @@ -643,6 +717,10 @@ "shape":"RequestToken", "documentation":"The unique token representing this resource operation request.
Use the RequestToken with GetResourceRequestStatus to return the current status of a resource operation request.
The unique token representing the Hooks operation for the request.
" + }, "Operation":{ "shape":"Operation", "documentation":"The resource operation type.
" @@ -676,7 +754,8 @@ }, "Properties":{ "type":"string", - "max":65536, + "documentation":"Allow up to 256K length of Resource properties
", + "max":262144, "min":1, "pattern":"[\\s\\S]*", "sensitive":true @@ -772,7 +851,7 @@ }, "StatusMessage":{ "type":"string", - "max":1024, + "max":2048, "min":0, "pattern":"[\\s\\S]*" }, diff --git a/services/clouddirectory/pom.xml b/services/clouddirectory/pom.xml index dab32f95ed91..7cbcf2270496 100644 --- a/services/clouddirectory/pom.xml +++ b/services/clouddirectory/pom.xml @@ -21,7 +21,7 @@A list of objects that contain the GPU name of the accelerator and driver for the instance types that support the accelerator.
" + }, + "count":{ + "shape":"AcceleratorCountRange", + "documentation":"The number of GPUs on each worker. The default is 1.
" + } + }, + "documentation":"Provides information about the GPU accelerators and drivers for the instance types in a fleet. If you include the acceleratorCapabilities property in the ServiceManagedEc2InstanceCapabilities object, all of the Amazon EC2 instances will have at least one accelerator.
The minimum GPU for the accelerator.
" + "documentation":"The minimum number of GPUs for the accelerator. If you set the value to 0, a worker will still have 1 GPU.
" }, "max":{ "shape":"MinZeroMaxInteger", - "documentation":"The maximum GPU for the accelerator.
" + "documentation":"The maximum number of GPUs for the accelerator.
" } }, "documentation":"The range for the GPU fleet acceleration.
" }, + "AcceleratorName":{ + "type":"string", + "enum":[ + "t4", + "a10g", + "l4", + "l40s" + ] + }, + "AcceleratorRuntime":{ + "type":"string", + "max":100, + "min":1 + }, + "AcceleratorSelection":{ + "type":"structure", + "required":["name"], + "members":{ + "name":{ + "shape":"AcceleratorName", + "documentation":"The name of the GPU accelerator.
" + }, + "runtime":{ + "shape":"AcceleratorRuntime", + "documentation":"The driver version that the GPU accelerator uses.
" + } + }, + "documentation":"Values that you can use to select a particular Amazon EC2 instance type.
" + }, + "AcceleratorSelections":{ + "type":"list", + "member":{"shape":"AcceleratorSelection"} + }, "AcceleratorTotalMemoryMiBRange":{ "type":"structure", "required":["min"], @@ -9537,6 +9585,10 @@ "shape":"Ec2EbsVolume", "documentation":"The root EBS volume.
" }, + "acceleratorCapabilities":{ + "shape":"AcceleratorCapabilities", + "documentation":"The GPU accelerator capabilities required for the Amazon EC2 instances. If you include the acceleratorCapabilities property in the ServiceManagedEc2InstanceCapabilities object, all of the Amazon EC2 instances will have at least one accelerator.
The allowable Amazon EC2 instance types.
" @@ -10030,7 +10082,9 @@ }, "StepAmountCapabilities":{ "type":"list", - "member":{"shape":"StepAmountCapability"} + "member":{"shape":"StepAmountCapability"}, + "max":25, + "min":1 }, "StepAmountCapability":{ "type":"structure", @@ -10057,7 +10111,9 @@ }, "StepAttributeCapabilities":{ "type":"list", - "member":{"shape":"StepAttributeCapability"} + "member":{"shape":"StepAttributeCapability"}, + "max":25, + "min":1 }, "StepAttributeCapability":{ "type":"structure", diff --git a/services/detective/pom.xml b/services/detective/pom.xml index 14c357e917b2..3b4bae0a4326 100644 --- a/services/detective/pom.xml +++ b/services/detective/pom.xml @@ -21,7 +21,7 @@Removes the specified managed policy from the specified user.
A user can also have inline policies embedded with it. To delete an inline policy, use DeleteUserPolicy. For information about policies, see Managed policies and inline policies in the IAM User Guide.
" }, + "DisableOrganizationsRootCredentialsManagement":{ + "name":"DisableOrganizationsRootCredentialsManagement", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DisableOrganizationsRootCredentialsManagementRequest"}, + "output":{ + "shape":"DisableOrganizationsRootCredentialsManagementResponse", + "resultWrapper":"DisableOrganizationsRootCredentialsManagementResult" + }, + "errors":[ + {"shape":"ServiceAccessNotEnabledException"}, + {"shape":"AccountNotManagementOrDelegatedAdministratorException"}, + {"shape":"OrganizationNotFoundException"}, + {"shape":"OrganizationNotInAllFeaturesModeException"} + ], + "documentation":"Disables the management of privileged root user credentials across member accounts in your organization. When you disable this feature, the management account and the delegated admininstrator for IAM can no longer manage root user credentials for member accounts in your organization.
" + }, + "DisableOrganizationsRootSessions":{ + "name":"DisableOrganizationsRootSessions", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DisableOrganizationsRootSessionsRequest"}, + "output":{ + "shape":"DisableOrganizationsRootSessionsResponse", + "resultWrapper":"DisableOrganizationsRootSessionsResult" + }, + "errors":[ + {"shape":"ServiceAccessNotEnabledException"}, + {"shape":"AccountNotManagementOrDelegatedAdministratorException"}, + {"shape":"OrganizationNotFoundException"}, + {"shape":"OrganizationNotInAllFeaturesModeException"} + ], + "documentation":"Disables root user sessions for privileged tasks across member accounts in your organization. When you disable this feature, the management account and the delegated admininstrator for IAM can no longer perform privileged tasks on member accounts in your organization.
" + }, "EnableMFADevice":{ "name":"EnableMFADevice", "http":{ @@ -818,6 +856,46 @@ ], "documentation":"Enables the specified MFA device and associates it with the specified IAM user. When enabled, the MFA device is required for every subsequent login by the IAM user associated with the device.
" }, + "EnableOrganizationsRootCredentialsManagement":{ + "name":"EnableOrganizationsRootCredentialsManagement", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"EnableOrganizationsRootCredentialsManagementRequest"}, + "output":{ + "shape":"EnableOrganizationsRootCredentialsManagementResponse", + "resultWrapper":"EnableOrganizationsRootCredentialsManagementResult" + }, + "errors":[ + {"shape":"ServiceAccessNotEnabledException"}, + {"shape":"AccountNotManagementOrDelegatedAdministratorException"}, + {"shape":"OrganizationNotFoundException"}, + {"shape":"OrganizationNotInAllFeaturesModeException"}, + {"shape":"CallerIsNotManagementAccountException"} + ], + "documentation":"Enables the management of privileged root user credentials across member accounts in your organization. When you enable root credentials management for centralized root access, the management account and the delegated admininstrator for IAM can manage root user credentials for member accounts in your organization.
Before you enable centralized root access, you must have an account configured with the following settings:
You must manage your Amazon Web Services accounts in Organizations.
Enable trusted access for Identity and Access Management in Organizations. For details, see IAM and Organizations in the Organizations User Guide.
Allows the management account or delegated administrator to perform privileged tasks on member accounts in your organization. For more information, see Centrally manage root access for member accounts in the Identity and Access Management User Guide.
Before you enable this feature, you must have an account configured with the following settings:
You must manage your Amazon Web Services accounts in Organizations.
Enable trusted access for Identity and Access Management in Organizations. For details, see IAM and Organizations in the Organizations User Guide.
Lists the account alias associated with the Amazon Web Services account (Note: you can have only one). For information about using an Amazon Web Services account alias, see Creating, deleting, and listing an Amazon Web Services account alias in the IAM User Guide.
" + "documentation":"Lists the account alias associated with the Amazon Web Services account (Note: you can have only one). For information about using an Amazon Web Services account alias, see Creating, deleting, and listing an Amazon Web Services account alias in the Amazon Web Services Sign-In User Guide.
" }, "ListAttachedGroupPolicies":{ "name":"ListAttachedGroupPolicies", @@ -1579,6 +1657,25 @@ ], "documentation":"Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the Amazon Web Services account.
IAM resource-listing operations return a subset of the available attributes for the resource. For example, this operation does not return tags, even though they are an attribute of the returned object. To view all of the information for an OIDC provider, see GetOpenIDConnectProvider.
Lists the centralized root access features enabled for your organization. For more information, see Centrally manage root access for member accounts.
" + }, "ListPolicies":{ "name":"ListPolicies", "http":{ @@ -2741,6 +2838,13 @@ }, "documentation":"Contains information about an Amazon Web Services access key, without its secret key.
This data type is used as a response element in the ListAccessKeys operation.
" }, + "AccountNotManagementOrDelegatedAdministratorException":{ + "type":"structure", + "members":{ + }, + "documentation":"The request was rejected because the account making the request is not the management account or delegated administrator account for centralized root access.
", + "exception":true + }, "ActionNameListType":{ "type":"list", "member":{"shape":"ActionNameType"} @@ -2885,6 +2989,13 @@ "type":"blob", "sensitive":true }, + "CallerIsNotManagementAccountException":{ + "type":"structure", + "members":{ + }, + "documentation":"The request was rejected because the account making the request is not the management account for the organization.
", + "exception":true + }, "CertificationKeyType":{ "type":"string", "max":128, @@ -3073,18 +3184,14 @@ }, "CreateLoginProfileRequest":{ "type":"structure", - "required":[ - "UserName", - "Password" - ], "members":{ "UserName":{ "shape":"userNameType", - "documentation":"The name of the IAM user to create a password for. The user must already exist.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
" + "documentation":"The name of the IAM user to create a password for. The user must already exist.
This parameter is optional. If no user name is included, it defaults to the principal making the request. When you make this request with root user credentials, you must use an AssumeRoot session to omit the user name.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
" }, "Password":{ "shape":"passwordType", - "documentation":"The new password for the user.
The regex pattern that is used to validate this parameter is a string of characters. That string can include almost any printable ASCII character from the space (\\u0020) through the end of the ASCII character range (\\u00FF). You can also include the tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D) characters. Any of these characters are valid in a password. However, many tools, such as the Amazon Web Services Management Console, might restrict the ability to type certain characters because they have special meaning within that tool.
The new password for the user.
This parameter must be omitted when you make the request with an AssumeRoot session. It is required in all other cases.
The regex pattern that is used to validate this parameter is a string of characters. That string can include almost any printable ASCII character from the space (\\u0020) through the end of the ASCII character range (\\u00FF). You can also include the tab (\\u0009), line feed (\\u000A), and carriage return (\\u000D) characters. Any of these characters are valid in a password. However, many tools, such as the Amazon Web Services Management Console, might restrict the ability to type certain characters because they have special meaning within that tool.
The name of the user whose MFA device you want to deactivate.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
" + "documentation":"The name of the user whose MFA device you want to deactivate.
This parameter is optional. If no user name is included, it defaults to the principal making the request. When you make this request with root user credentials, you must use an AssumeRoot session to omit the user name.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
" }, "SerialNumber":{ "shape":"serialNumberType", @@ -3538,11 +3642,10 @@ }, "DeleteLoginProfileRequest":{ "type":"structure", - "required":["UserName"], "members":{ "UserName":{ "shape":"userNameType", - "documentation":"The name of the user whose password you want to delete.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
" + "documentation":"The name of the user whose password you want to delete.
This parameter is optional. If no user name is included, it defaults to the principal making the request. When you make this request with root user credentials, you must use an AssumeRoot session to omit the user name.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
" } } }, @@ -3831,6 +3934,42 @@ } } }, + "DisableOrganizationsRootCredentialsManagementRequest":{ + "type":"structure", + "members":{ + } + }, + "DisableOrganizationsRootCredentialsManagementResponse":{ + "type":"structure", + "members":{ + "OrganizationId":{ + "shape":"OrganizationIdType", + "documentation":"The unique identifier (ID) of an organization.
" + }, + "EnabledFeatures":{ + "shape":"FeaturesListType", + "documentation":"The features enabled for centralized root access for member accounts in your organization.
" + } + } + }, + "DisableOrganizationsRootSessionsRequest":{ + "type":"structure", + "members":{ + } + }, + "DisableOrganizationsRootSessionsResponse":{ + "type":"structure", + "members":{ + "OrganizationId":{ + "shape":"OrganizationIdType", + "documentation":"The unique identifier (ID) of an organization.
" + }, + "EnabledFeatures":{ + "shape":"FeaturesListType", + "documentation":"The features you have enabled for centralized root access of member accounts in your organization.
" + } + } + }, "DuplicateCertificateException":{ "type":"structure", "members":{ @@ -3884,6 +4023,42 @@ } } }, + "EnableOrganizationsRootCredentialsManagementRequest":{ + "type":"structure", + "members":{ + } + }, + "EnableOrganizationsRootCredentialsManagementResponse":{ + "type":"structure", + "members":{ + "OrganizationId":{ + "shape":"OrganizationIdType", + "documentation":"The unique identifier (ID) of an organization.
" + }, + "EnabledFeatures":{ + "shape":"FeaturesListType", + "documentation":"The features you have enabled for centralized root access.
" + } + } + }, + "EnableOrganizationsRootSessionsRequest":{ + "type":"structure", + "members":{ + } + }, + "EnableOrganizationsRootSessionsResponse":{ + "type":"structure", + "members":{ + "OrganizationId":{ + "shape":"OrganizationIdType", + "documentation":"The unique identifier (ID) of an organization.
" + }, + "EnabledFeatures":{ + "shape":"FeaturesListType", + "documentation":"The features you have enabled for centralized root access.
" + } + } + }, "EntityAlreadyExistsException":{ "type":"structure", "members":{ @@ -4042,6 +4217,17 @@ "type":"list", "member":{"shape":"EvaluationResult"} }, + "FeatureType":{ + "type":"string", + "enum":[ + "RootCredentialsManagement", + "RootSessions" + ] + }, + "FeaturesListType":{ + "type":"list", + "member":{"shape":"FeatureType"} + }, "GenerateCredentialReportResponse":{ "type":"structure", "members":{ @@ -4353,11 +4539,10 @@ }, "GetLoginProfileRequest":{ "type":"structure", - "required":["UserName"], "members":{ "UserName":{ "shape":"userNameType", - "documentation":"The name of the user whose login profile you want to retrieve.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
" + "documentation":"The name of the user whose login profile you want to retrieve.
This parameter is optional. If no user name is included, it defaults to the principal making the request. When you make this request with root user credentials, you must use an AssumeRoot session to omit the user name.
This parameter allows (through its regex pattern) a string of characters consisting of upper and lowercase alphanumeric characters with no spaces. You can also include any of the following characters: _+=,.@-
" } } }, @@ -5694,6 +5879,24 @@ }, "documentation":"Contains the response to a successful ListOpenIDConnectProviders request.
" }, + "ListOrganizationsFeaturesRequest":{ + "type":"structure", + "members":{ + } + }, + "ListOrganizationsFeaturesResponse":{ + "type":"structure", + "members":{ + "OrganizationId":{ + "shape":"OrganizationIdType", + "documentation":"The unique identifier (ID) of an organization.
" + }, + "EnabledFeatures":{ + "shape":"FeaturesListType", + "documentation":"Specifies the features that are currently available in your organization.
" + } + } + }, "ListPoliciesGrantingServiceAccessEntry":{ "type":"structure", "members":{ @@ -6506,6 +6709,25 @@ }, "exception":true }, + "OrganizationIdType":{ + "type":"string", + "max":34, + "pattern":"^o-[a-z0-9]{10,32}$" + }, + "OrganizationNotFoundException":{ + "type":"structure", + "members":{ + }, + "documentation":"The request was rejected because no organization is associated with your account.
", + "exception":true + }, + "OrganizationNotInAllFeaturesModeException":{ + "type":"structure", + "members":{ + }, + "documentation":"The request was rejected because your organization does not have All features enabled. For more information, see Available feature sets in the Organizations User Guide.
", + "exception":true + }, "OrganizationsDecisionDetail":{ "type":"structure", "members":{ @@ -7418,6 +7640,13 @@ }, "documentation":"Contains information about a server certificate without its certificate body, certificate chain, and private key.
This data type is used as a response element in the UploadServerCertificate and ListServerCertificates operations.
" }, + "ServiceAccessNotEnabledException":{ + "type":"structure", + "members":{ + }, + "documentation":"The request was rejected because trusted access is not enabled for IAM in Organizations. For details, see IAM and Organizations in the Organizations User Guide.
", + "exception":true + }, "ServiceFailureException":{ "type":"structure", "members":{ @@ -9124,6 +9353,7 @@ "MFADevicesInUse", "AccountMFAEnabled", "AccountAccessKeysPresent", + "AccountPasswordPresent", "AccountSigningCertificatesPresent", "AttachedPoliciesPerGroupQuota", "AttachedPoliciesPerRoleQuota", diff --git a/services/identitystore/pom.xml b/services/identitystore/pom.xml index ecb3ef410c3e..3dda476c6ba0 100644 --- a/services/identitystore/pom.xml +++ b/services/identitystore/pom.xml @@ -21,7 +21,7 @@Fetches the log-level override, if any, for a given resource-ID and resource-type. It can be used for a wireless device or a wireless gateway.
" + "documentation":"Fetches the log-level override, if any, for a given resource-ID and resource-type. It can be used for a wireless device, wireless gateway or fuota task.
" }, "GetResourcePosition":{ "name":"GetResourcePosition", @@ -1538,7 +1538,7 @@ {"shape":"ThrottlingException"}, {"shape":"ValidationException"} ], - "documentation":"Removes the log-level overrides for all resources; both wireless devices and wireless gateways.
" + "documentation":"Removes the log-level overrides for all resources; wireless devices, wireless gateways, and fuota tasks.
" }, "ResetResourceLogLevel":{ "name":"ResetResourceLogLevel", @@ -1556,7 +1556,7 @@ {"shape":"ThrottlingException"}, {"shape":"ValidationException"} ], - "documentation":"Removes the log-level override, if any, for a specific resource-ID and resource-type. It can be used for a wireless device or a wireless gateway.
" + "documentation":"Removes the log-level override, if any, for a specific resource-ID and resource-type. It can be used for a wireless device, a wireless gateway, or a fuota task.
" }, "SendDataToMulticastGroup":{ "name":"SendDataToMulticastGroup", @@ -2770,7 +2770,8 @@ "Tags":{"shape":"TagList"}, "RedundancyPercent":{"shape":"RedundancyPercent"}, "FragmentSizeBytes":{"shape":"FragmentSizeBytes"}, - "FragmentIntervalMS":{"shape":"FragmentIntervalMS"} + "FragmentIntervalMS":{"shape":"FragmentIntervalMS"}, + "Descriptor":{"shape":"FileDescriptor"} } }, "CreateFuotaTaskResponse":{ @@ -3832,6 +3833,7 @@ "EventNotificationResourceType":{ "type":"string", "enum":[ + "FuotaTask", "SidewalkAccount", "WirelessDevice", "WirelessGateway" @@ -3895,6 +3897,12 @@ "min":0 }, "FactorySupport":{"type":"boolean"}, + "FileDescriptor":{ + "type":"string", + "documentation":"The Descriptor specifies some metadata about the File being transferred using FUOTA e.g. the software version. It is sent transparently to the device. It is a binary field encoded in base64
", + "max":332, + "pattern":"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" + }, "Fingerprint":{ "type":"string", "max":64, @@ -3956,6 +3964,28 @@ "documentation":"The arn of a FUOTA task.
", "max":128 }, + "FuotaTaskEvent":{ + "type":"string", + "documentation":"The event for a log message, if the log message is tied to a fuota task.
", + "enum":["Fuota"] + }, + "FuotaTaskEventLogOption":{ + "type":"structure", + "required":[ + "Event", + "LogLevel" + ], + "members":{ + "Event":{"shape":"FuotaTaskEvent"}, + "LogLevel":{"shape":"LogLevel"} + }, + "documentation":"The log options for a FUOTA task event and can be used to set log levels for a specific fuota task event.
For a LoRaWAN FuotaTask type, possible event for a log message is Fuota.
The list of FUOTA task event log options.
" + }, "FuotaTaskId":{ "type":"string", "documentation":"The ID of a FUOTA task.
", @@ -3966,6 +3996,27 @@ "member":{"shape":"FuotaTask"}, "documentation":"Lists the FUOTA tasks registered to your AWS account.
" }, + "FuotaTaskLogOption":{ + "type":"structure", + "required":[ + "Type", + "LogLevel" + ], + "members":{ + "Type":{ + "shape":"FuotaTaskType", + "documentation":"The fuota task type.
" + }, + "LogLevel":{"shape":"LogLevel"}, + "Events":{"shape":"FuotaTaskEventLogOptionList"} + }, + "documentation":"The log options for fuota tasks and can be used to set log levels for a specific type of fuota task.
" + }, + "FuotaTaskLogOptionList":{ + "type":"list", + "member":{"shape":"FuotaTaskLogOption"}, + "documentation":"The list of fuota task log options.
" + }, "FuotaTaskName":{ "type":"string", "documentation":"The name of a FUOTA task.
", @@ -3982,6 +4033,11 @@ "Delete_Waiting" ] }, + "FuotaTaskType":{ + "type":"string", + "documentation":"The fuota task type.
", + "enum":["LoRaWAN"] + }, "GPST":{"type":"float"}, "GatewayEui":{ "type":"string", @@ -4009,6 +4065,11 @@ }, "documentation":"Gateway list item object that specifies the frequency and list of gateways for which the downlink message should be sent.
" }, + "GatewayListMulticast":{ + "type":"list", + "member":{"shape":"WirelessGatewayId"}, + "max":20 + }, "GatewayMaxEirp":{ "type":"float", "max":30, @@ -4157,7 +4218,8 @@ "CreatedAt":{"shape":"CreatedAt"}, "RedundancyPercent":{"shape":"RedundancyPercent"}, "FragmentSizeBytes":{"shape":"FragmentSizeBytes"}, - "FragmentIntervalMS":{"shape":"FragmentIntervalMS"} + "FragmentIntervalMS":{"shape":"FragmentIntervalMS"}, + "Descriptor":{"shape":"FileDescriptor"} } }, "GetLogLevelsByResourceTypesRequest":{ @@ -4170,7 +4232,8 @@ "members":{ "DefaultLogLevel":{"shape":"LogLevel"}, "WirelessGatewayLogOptions":{"shape":"WirelessGatewayLogOptionList"}, - "WirelessDeviceLogOptions":{"shape":"WirelessDeviceLogOptionList"} + "WirelessDeviceLogOptions":{"shape":"WirelessDeviceLogOptionList"}, + "FuotaTaskLogOptions":{"shape":"FuotaTaskLogOptionList"} } }, "GetMetricConfigurationRequest":{ @@ -4507,7 +4570,7 @@ }, "ResourceType":{ "shape":"ResourceType", - "documentation":"The type of the resource, which can be WirelessDevice or WirelessGateway.
The type of the resource, which can be WirelessDevice, WirelessGateway or FuotaTask.
The LoRaWAN information that is to be used with the multicast group.
" }, @@ -6263,7 +6328,8 @@ "RfRegion":{"shape":"SupportedRfRegion"}, "DlClass":{"shape":"DlClass"}, "NumberOfDevicesRequested":{"shape":"NumberOfDevicesRequested"}, - "NumberOfDevicesInGroup":{"shape":"NumberOfDevicesInGroup"} + "NumberOfDevicesInGroup":{"shape":"NumberOfDevicesInGroup"}, + "ParticipatingGateways":{"shape":"ParticipatingGatewaysMulticast"} }, "documentation":"The LoRaWAN information that is to be returned from getting multicast group information.
" }, @@ -6971,6 +7037,20 @@ }, "documentation":"Specify the list of gateways to which you want to send downlink data traffic when the wireless device is running in class B or class C mode.
" }, + "ParticipatingGatewaysMulticast":{ + "type":"structure", + "members":{ + "GatewayList":{ + "shape":"GatewayListMulticast", + "documentation":"The list of gateways that you want to use for sending the multicast downlink. Each downlink will be sent to all the gateways in the list with transmission interval between them. If list is empty the gateway list will be dynamically selected similar to the case of no ParticipatingGateways
" + }, + "TransmissionInterval":{ + "shape":"TransmissionIntervalMulticast", + "documentation":"The duration of time for which AWS IoT Core for LoRaWAN will wait before transmitting the multicast payload to the next gateway in the list.
" + } + }, + "documentation":"Specify the list of gateways to which you want to send the multicast downlink messages. The multicast message will be sent to each gateway in the sequence provided in the list.
" + }, "PartnerAccountArn":{"type":"string"}, "PartnerAccountId":{ "type":"string", @@ -7212,7 +7292,7 @@ }, "ResourceType":{ "shape":"ResourceType", - "documentation":"The type of the resource, which can be WirelessDevice or WirelessGateway.
The type of the resource, which can be WirelessDevice, WirelessGateway, or FuotaTask.
The type of the resource, which can be WirelessDevice or WirelessGateway.
The type of the resource, which can be WirelessDevice, WirelessGateway, or FuotaTask.
The expected ingest bitrate (bits per second). This is configured in the encoder.
" + }, + "track":{ + "shape":"String", + "documentation":"Name of the audio track (if the stream has an audio track). If multitrack is not enabled, this is track0 (the sole track).
" } }, - "documentation":"Object specifying a stream’s audio configuration, as set up by the broadcaster (usually in an encoder). This is part of the IngestConfiguration object and used for monitoring stream health.
" + "documentation":"Object specifying a stream’s audio configuration, as set up by the broadcaster (usually in an encoder). This is part of the IngestConfigurations object and the deprecated IngestConfiguration object. It is used for monitoring stream health.
" + }, + "AudioConfigurationList":{ + "type":"list", + "member":{"shape":"AudioConfiguration"} }, "BatchError":{ "type":"structure", @@ -790,6 +798,10 @@ "shape":"IsAuthorized", "documentation":"Whether the channel is private (enabled for playback authorization). Default: false.
Indicates which content-packaging format is used (MPEG-TS or fMP4). If multitrackInputConfiguration is specified and enabled is true, then containerFormat is required and must be set to FRAGMENTED_MP4. Otherwise, containerFormat may be set to TS or FRAGMENTED_MP4. Default: TS.
Channel ingest endpoint, part of the definition of an ingest server, used when you set up streaming software.
" @@ -802,6 +814,10 @@ "shape":"ChannelLatencyMode", "documentation":"Channel latency mode. Use NORMAL to broadcast and deliver live video up to Full HD. Use LOW for near-real-time interaction with viewers. Default: LOW.
Object specifying multitrack input configuration. Default: no multitrack input configuration is specified.
" + }, "name":{ "shape":"ChannelName", "documentation":"Channel name.
" @@ -967,6 +983,13 @@ }, "exception":true }, + "ContainerFormat":{ + "type":"string", + "enum":[ + "TS", + "FRAGMENTED_MP4" + ] + }, "CreateChannelRequest":{ "type":"structure", "members":{ @@ -974,6 +997,10 @@ "shape":"Boolean", "documentation":"Whether the channel is private (enabled for playback authorization). Default: false.
Indicates which content-packaging format is used (MPEG-TS or fMP4). If multitrackInputConfiguration is specified and enabled is true, then containerFormat is required and must be set to FRAGMENTED_MP4. Otherwise, containerFormat may be set to TS or FRAGMENTED_MP4. Default: TS.
Whether the channel allows insecure RTMP and SRT ingest. Default: false.
Channel latency mode. Use NORMAL to broadcast and deliver live video up to Full HD. Use LOW for near-real-time interaction with viewers. Default: LOW.
Object specifying multitrack input configuration. Default: no multitrack input configuration is specified.
" + }, "name":{ "shape":"ChannelName", "documentation":"Channel name.
" @@ -1358,7 +1389,25 @@ "documentation":"Encoder settings for video.
" } }, - "documentation":"Object specifying the ingest configuration set up by the broadcaster, usually in an encoder.
" + "documentation":"Object specifying the ingest configuration set up by the broadcaster, usually in an encoder.
Note: IngestConfiguration is deprecated in favor of IngestConfigurations but retained to ensure backward compatibility. If multitrack is not enabled, IngestConfiguration and IngestConfigurations contain the same data, namely information about track0 (the sole track). If multitrack is enabled, IngestConfiguration contains data for only the first track (track0) and IngestConfigurations contains data for all tracks.
" + }, + "IngestConfigurations":{ + "type":"structure", + "required":[ + "audioConfigurations", + "videoConfigurations" + ], + "members":{ + "audioConfigurations":{ + "shape":"AudioConfigurationList", + "documentation":"Encoder settings for audio.
" + }, + "videoConfigurations":{ + "shape":"VideoConfigurationList", + "documentation":"Encoder settings for video
" + } + }, + "documentation":"Object specifying the ingest configuration set up by the broadcaster, usually in an encoder.
Note: Use IngestConfigurations instead of IngestConfiguration (which is deprecated). If multitrack is not enabled, IngestConfiguration and IngestConfigurations contain the same data, namely information about track0 (the sole track). If multitrack is enabled, IngestConfiguration contains data for only the first track (track0) and IngestConfigurations contains data for all tracks.
" }, "IngestEndpoint":{"type":"string"}, "InsecureIngest":{"type":"boolean"}, @@ -1377,6 +1426,7 @@ "fault":true }, "IsAuthorized":{"type":"boolean"}, + "IsMultitrackInputEnabled":{"type":"boolean"}, "ListChannelsRequest":{ "type":"structure", "members":{ @@ -1650,6 +1700,39 @@ "max":100, "min":1 }, + "MultitrackInputConfiguration":{ + "type":"structure", + "members":{ + "enabled":{ + "shape":"IsMultitrackInputEnabled", + "documentation":"Indicates whether multitrack input is enabled. Can be set to true only if channel type is STANDARD. Setting enabled to true with any other channel type will cause an exception. If true, then policy, maximumResolution, and containerFormat are required, and containerFormat must be set to FRAGMENTED_MP4. Default: false.
Maximum resolution for multitrack input. Required if enabled is true.
Indicates whether multitrack input is allowed or required. Required if enabled is true.
A complex type that specifies multitrack input configuration.
" + }, + "MultitrackMaximumResolution":{ + "type":"string", + "enum":[ + "SD", + "HD", + "FULL_HD" + ] + }, + "MultitrackPolicy":{ + "type":"string", + "enum":[ + "ALLOW", + "REQUIRE" + ] + }, "PaginationToken":{ "type":"string", "max":1024, @@ -2152,7 +2235,7 @@ "members":{ "code":{ "shape":"String", - "documentation":"Provides additional details about the stream event. There are several values; note that the long descriptions are provided in the IVS console but not delivered through the IVS API or EventBridge:
StreamTakeoverMediaMismatch — The broadcast client attempted to take over with different media properties (e.g., codec, resolution, or video track type) from the original stream.
StreamTakeoverInvalidPriority — The broadcast client attempted a takeover with either a priority integer value equal to or lower than the original stream's value or a value outside the allowed range of 1 to 2,147,483,647.
StreamTakeoverLimitBreached — The broadcast client reached the maximum allowed takeover attempts for this stream.
Provides additional details about the stream event. There are several values; the long descriptions are provided in the IVS console but not delivered through the IVS API or EventBridge. Multitrack-related codes are used only for certain Session Ended events.
MultitrackInputNotAllowed — The broadcast client attempted to connect with multitrack input, but multitrack input was not enabled on the channel. Check your broadcast software settings or set MultitrackInputConfiguration.Policy to ALLOW or REQUIRE.
MultitrackInputRequired — The broadcast client attempted to connect with single-track video, but multitrack input is required on this channel. Enable multitrack video in your broadcast software or configure the channel’s MultitrackInputConfiguration.Policy to ALLOW.
InvalidGetClientConfigurationStreamKey — The broadcast client attempted to connect with an invalid, expired, or corrupt stream key.
GetClientConfigurationStreamKeyRequired — The broadcast client attempted to stream multitrack video without providing an authenticated stream key from GetClientConfiguration.
InvalidMultitrackInputTrackCount — The multitrack input stream contained an invalid number of tracks.
InvalidMultitrackInputVideoTrackMediaProperties — The multitrack input stream contained one or more tracks with an invalid codec, resolution, bitrate, or framerate.
StreamTakeoverMediaMismatch — The broadcast client attempted to take over with different media properties (e.g., codec, resolution, or video track type) from the original stream.
StreamTakeoverInvalidPriority — The broadcast client attempted a takeover with either a priority integer value equal to or lower than the original stream's value or a value outside the allowed range of 1 to 2,147,483,647.
StreamTakeoverLimitBreached — The broadcast client reached the maximum allowed takeover attempts for this stream.
The properties of the incoming RTMP stream for the stream.
" + "documentation":"The properties of the incoming RTMP stream.
Note: ingestConfiguration is deprecated in favor of ingestConfigurations but retained to ensure backward compatibility. If multitrack is not enabled, ingestConfiguration and ingestConfigurations contain the same data, namely information about track0 (the sole track). If multitrack is enabled, ingestConfiguration contains data for only the first track (track0) and ingestConfigurations contains data for all tracks.
The properties of the incoming RTMP stream. If multitrack is enabled, ingestConfigurations contains data for all tracks; otherwise, it contains data only for track0 (the sole track).
The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if recordingMode is INTERVAL. Default: 60.
Important: For the BASIC channel type, setting a value for targetIntervalSeconds does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the targetIntervalSeconds interval, the IDR/Keyframe value for the input video must be less than the targetIntervalSeconds value. See Amazon IVS Streaming Configuration for information on setting IDR/Keyframe to the recommended value in video-encoder settings.
The targeted thumbnail-generation interval in seconds. This is configurable (and required) only if recordingMode is INTERVAL. Default: 60.
Important: For the BASIC channel type, or the STANDARD channel type with multitrack input, setting a value for targetIntervalSeconds does not guarantee that thumbnails are generated at the specified interval. For thumbnails to be generated at the targetIntervalSeconds interval, the IDR/Keyframe value for the input video must be less than the targetIntervalSeconds value. See Amazon IVS Streaming Configuration for information on setting IDR/Keyframe to the recommended value in video-encoder settings.
An object representing a configuration of thumbnails for recorded video.
" @@ -2547,6 +2634,10 @@ "shape":"Boolean", "documentation":"Whether the channel is private (enabled for playback authorization).
" }, + "containerFormat":{ + "shape":"ContainerFormat", + "documentation":"Indicates which content-packaging format is used (MPEG-TS or fMP4). If multitrackInputConfiguration is specified and enabled is true, then containerFormat is required and must be set to FRAGMENTED_MP4. Otherwise, containerFormat may be set to TS or FRAGMENTED_MP4. Default: TS.
Whether the channel allows insecure RTMP and SRT ingest. Default: false.
Channel latency mode. Use NORMAL to broadcast and deliver live video up to Full HD. Use LOW for near-real-time interaction with viewers.
Object specifying multitrack input configuration. Default: no multitrack input configuration is specified.
" + }, "name":{ "shape":"ChannelName", "documentation":"Channel name.
" @@ -2655,6 +2750,14 @@ "shape":"String", "documentation":"Software or hardware used to encode the video.
" }, + "level":{ + "shape":"String", + "documentation":"Indicates the degree of required decoder performance for a profile. Normally this is set automatically by the encoder. When an AVC codec is used, this field has the same value as avcLevel.
Indicates to the decoder the requirements for decoding the stream. When an AVC codec is used, this field has the same value as avcProfile.
The expected ingest bitrate (bits per second). This is configured in the encoder.
" @@ -2663,6 +2766,10 @@ "shape":"Integer", "documentation":"The expected ingest framerate. This is configured in the encoder.
" }, + "track":{ + "shape":"String", + "documentation":"Name of the video track. If multitrack is not enabled, this is track0 (the sole track).
" + }, "videoHeight":{ "shape":"Integer", "documentation":"Video-resolution height in pixels.
" @@ -2672,7 +2779,11 @@ "documentation":"Video-resolution width in pixels.
" } }, - "documentation":"Object specifying a stream’s video configuration, as set up by the broadcaster (usually in an encoder). This is part of the IngestConfiguration object and used for monitoring stream health.
" + "documentation":"Object specifying a stream’s video configuration, as set up by the broadcaster (usually in an encoder). This is part of the IngestConfigurations object and the deprecated IngestConfiguration object. It is used for monitoring stream health.
" + }, + "VideoConfigurationList":{ + "type":"list", + "member":{"shape":"VideoConfiguration"} }, "ViewerId":{ "type":"string", diff --git a/services/ivschat/pom.xml b/services/ivschat/pom.xml index 2056933704a1..481407829294 100644 --- a/services/ivschat/pom.xml +++ b/services/ivschat/pom.xml @@ -21,7 +21,7 @@Associates the user to an EC2 instance to utilize user-based subscriptions.
Your estimated bill for charges on the number of users and related costs will take 48 hours to appear for billing periods that haven't closed (marked as Pending billing status) in Amazon Web Services Billing. For more information, see Viewing your monthly charges in the Amazon Web Services Billing User Guide.
Creates a network endpoint for the Remote Desktop Services (RDS) license server.
", + "idempotent":true + }, + "DeleteLicenseServerEndpoint":{ + "name":"DeleteLicenseServerEndpoint", + "http":{ + "method":"POST", + "requestUri":"/license-server/DeleteLicenseServerEndpoint", + "responseCode":200 + }, + "input":{"shape":"DeleteLicenseServerEndpointRequest"}, + "output":{"shape":"DeleteLicenseServerEndpointResponse"}, + "errors":[ + {"shape":"ServiceQuotaExceededException"}, + {"shape":"ConflictException"}, + {"shape":"ValidationException"}, + {"shape":"ThrottlingException"}, + {"shape":"InternalServerException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"} + ], + "documentation":"Deletes a LicenseServerEndpoint resource.
Deregisters the identity provider from providing user-based subscriptions.
", + "documentation":"Deregisters the Active Directory identity provider from License Manager user-based subscriptions.
", "idempotent":true }, "DisassociateUser":{ @@ -93,7 +137,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"AccessDeniedException"} ], - "documentation":"Lists the identity providers for user-based subscriptions.
" + "documentation":"Lists the Active Directory identity providers for user-based subscriptions.
" }, "ListInstances":{ "name":"ListInstances", @@ -115,6 +159,25 @@ ], "documentation":"Lists the EC2 instances providing user-based subscriptions.
" }, + "ListLicenseServerEndpoints":{ + "name":"ListLicenseServerEndpoints", + "http":{ + "method":"POST", + "requestUri":"/license-server/ListLicenseServerEndpoints", + "responseCode":200 + }, + "input":{"shape":"ListLicenseServerEndpointsRequest"}, + "output":{"shape":"ListLicenseServerEndpointsResponse"}, + "errors":[ + {"shape":"ServiceQuotaExceededException"}, + {"shape":"ConflictException"}, + {"shape":"ValidationException"}, + {"shape":"ThrottlingException"}, + {"shape":"InternalServerException"}, + {"shape":"AccessDeniedException"} + ], + "documentation":"List the Remote Desktop Services (RDS) License Server endpoints
" + }, "ListProductSubscriptions":{ "name":"ListProductSubscriptions", "http":{ @@ -135,6 +198,22 @@ ], "documentation":"Lists the user-based subscription products available from an identity provider.
" }, + "ListTagsForResource":{ + "name":"ListTagsForResource", + "http":{ + "method":"GET", + "requestUri":"/tags/{ResourceArn}", + "responseCode":200 + }, + "input":{"shape":"ListTagsForResourceRequest"}, + "output":{"shape":"ListTagsForResourceResponse"}, + "errors":[ + {"shape":"ValidationException"}, + {"shape":"InternalServerException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"Returns the list of tags for the specified resource.
" + }, "ListUserAssociations":{ "name":"ListUserAssociations", "http":{ @@ -216,6 +295,39 @@ ], "documentation":"Stops a product subscription for a user with the specified identity provider.
" }, + "TagResource":{ + "name":"TagResource", + "http":{ + "method":"PUT", + "requestUri":"/tags/{ResourceArn}", + "responseCode":200 + }, + "input":{"shape":"TagResourceRequest"}, + "output":{"shape":"TagResourceResponse"}, + "errors":[ + {"shape":"ValidationException"}, + {"shape":"InternalServerException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"Adds tags to a resource.
", + "idempotent":true + }, + "UntagResource":{ + "name":"UntagResource", + "http":{ + "method":"DELETE", + "requestUri":"/tags/{ResourceArn}", + "responseCode":200 + }, + "input":{"shape":"UntagResourceRequest"}, + "output":{"shape":"UntagResourceResponse"}, + "errors":[ + {"shape":"InternalServerException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"Removes tags from a resource.
", + "idempotent":true + }, "UpdateIdentityProviderSettings":{ "name":"UpdateIdentityProviderSettings", "http":{ @@ -247,13 +359,60 @@ "ActiveDirectoryIdentityProvider":{ "type":"structure", "members":{ + "ActiveDirectorySettings":{ + "shape":"ActiveDirectorySettings", + "documentation":"The ActiveDirectorySettings resource contains details about the Active Directory, including network access details such as domain name and IP addresses, and the credential provider for user administration.
The type of Active Directory – either a self-managed Active Directory or an Amazon Web Services Managed Active Directory.
" + }, "DirectoryId":{ - "shape":"String", + "shape":"Directory", "documentation":"The directory ID for an Active Directory identity provider.
" } }, "documentation":"Details about an Active Directory identity provider.
" }, + "ActiveDirectorySettings":{ + "type":"structure", + "members":{ + "DomainCredentialsProvider":{ + "shape":"CredentialsProvider", + "documentation":"Points to the CredentialsProvider resource that contains information about the credential provider for user administration.
A list of domain IPv4 addresses that are used for the Active Directory.
" + }, + "DomainName":{ + "shape":"String", + "documentation":"The domain name for the Active Directory.
" + }, + "DomainNetworkSettings":{ + "shape":"DomainNetworkSettings", + "documentation":"The DomainNetworkSettings resource contains an array of subnets that apply for the Active Directory.
Contains network access and credential details that are needed for user administration in the Active Directory.
" + }, + "ActiveDirectorySettingsDomainIpv4ListList":{ + "type":"list", + "member":{"shape":"IpV4"}, + "max":2, + "min":1 + }, + "ActiveDirectoryType":{ + "type":"string", + "enum":[ + "SELF_MANAGED", + "AWS_MANAGED" + ] + }, + "Arn":{ + "type":"string", + "pattern":"^arn:[a-z0-9-\\.]{1,63}:[a-z0-9-\\.]{1,63}:[a-z0-9-\\.]{1,63}:[a-z0-9-\\.]{1,63}:[a-zA-Z0-9-\\.]{1,510}/[a-zA-Z0-9-\\.]{1,510}$" + }, "AssociateUserRequest":{ "type":"structure", "required":[ @@ -264,19 +423,23 @@ "members":{ "Domain":{ "shape":"String", - "documentation":"The domain name of the user.
" + "documentation":"The domain name of the Active Directory that contains information for the user to associate.
" }, "IdentityProvider":{ "shape":"IdentityProvider", - "documentation":"The identity provider of the user.
" + "documentation":"The identity provider for the user.
" }, "InstanceId":{ "shape":"String", - "documentation":"The ID of the EC2 instance, which provides user-based subscriptions.
" + "documentation":"The ID of the EC2 instance that provides the user-based subscription.
" + }, + "Tags":{ + "shape":"Tags", + "documentation":"The tags that apply for the user association.
" }, "Username":{ "shape":"String", - "documentation":"The user name from the identity provider for the user.
" + "documentation":"The user name from the identity provider.
" } } }, @@ -303,20 +466,91 @@ "exception":true, "fault":true }, - "DeregisterIdentityProviderRequest":{ + "CreateLicenseServerEndpointRequest":{ "type":"structure", "required":[ - "IdentityProvider", - "Product" + "IdentityProviderArn", + "LicenseServerSettings" ], + "members":{ + "IdentityProviderArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) that identifies the IdentityProvider resource that contains details about a registered identity provider. In the case of Active Directory, that can be a self-managed Active Directory or an Amazon Web Services Managed Active Directory that contains user identity details.
The LicenseServerSettings resource to create for the endpoint. The settings include the type of license server and the Secrets Manager secret that enables administrators to add or remove users associated with the license server.
The tags that apply for the license server endpoint.
" + } + } + }, + "CreateLicenseServerEndpointResponse":{ + "type":"structure", + "members":{ + "IdentityProviderArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the identity provider specified in the request.
" + }, + "LicenseServerEndpointArn":{ + "shape":"Arn", + "documentation":"The ARN of the LicenseServerEndpoint resource.
Identifies the Secrets Manager secret that contains credentials needed for user administration in the Active Directory.
" + } + }, + "documentation":"Contains information about the credential provider for user administration.
", + "union":true + }, + "DeleteLicenseServerEndpointRequest":{ + "type":"structure", + "required":[ + "LicenseServerEndpointArn", + "ServerType" + ], + "members":{ + "LicenseServerEndpointArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) that identifies the LicenseServerEndpoint resource to delete.
The type of License Server that the delete request refers to.
" + } + } + }, + "DeleteLicenseServerEndpointResponse":{ + "type":"structure", + "members":{ + "LicenseServerEndpoint":{ + "shape":"LicenseServerEndpoint", + "documentation":"Shows details from the LicenseServerEndpoint resource that was deleted.
An object that specifies details for the identity provider.
" + "documentation":"An object that specifies details for the Active Directory identity provider.
" + }, + "IdentityProviderArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) that identifies the identity provider to deregister.
" }, "Product":{ "shape":"String", - "documentation":"The name of the user-based subscription product.
" + "documentation":"The name of the user-based subscription product.
Valid values: VISUAL_STUDIO_ENTERPRISE | VISUAL_STUDIO_PROFESSIONAL | OFFICE_PROFESSIONAL_PLUS
The domain name of the user.
" + "documentation":"The domain name of the Active Directory that contains information for the user to disassociate.
" }, "IdentityProvider":{ "shape":"IdentityProvider", - "documentation":"An object that specifies details for the identity provider.
" + "documentation":"An object that specifies details for the Active Directory identity provider.
" }, "InstanceId":{ "shape":"String", - "documentation":"The ID of the EC2 instance, which provides user-based subscriptions.
" + "documentation":"The ID of the EC2 instance which provides user-based subscriptions.
" + }, + "InstanceUserArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the user to disassociate from the EC2 instance.
" }, "Username":{ "shape":"String", - "documentation":"The user name from the identity provider for the user.
" + "documentation":"The user name from the Active Directory identity provider for the user.
" } } }, @@ -366,6 +603,22 @@ } } }, + "DomainNetworkSettings":{ + "type":"structure", + "required":["Subnets"], + "members":{ + "Subnets":{ + "shape":"DomainNetworkSettingsSubnetsList", + "documentation":"Contains a list of subnets that apply for the Active Directory domain.
" + } + }, + "documentation":"Contains network settings for the Active Directory domain.
" + }, + "DomainNetworkSettingsSubnetsList":{ + "type":"list", + "member":{"shape":"Subnet"}, + "min":1 + }, "Filter":{ "type":"structure", "members":{ @@ -382,7 +635,7 @@ "documentation":"Value of the filter.
" } }, - "documentation":"A filter name and value pair that is used to return more specific results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
" + "documentation":"A filter name and value pair that is used to return more specific results from a describe or list operation. You can use filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
" }, "FilterList":{ "type":"list", @@ -393,10 +646,10 @@ "members":{ "ActiveDirectoryIdentityProvider":{ "shape":"ActiveDirectoryIdentityProvider", - "documentation":"An object that details an Active Directory identity provider.
" + "documentation":"The ActiveDirectoryIdentityProvider resource contains settings and other details about a specific Active Directory identity provider.
Details about an identity provider.
", + "documentation":"Refers to an identity provider.
", "union":true }, "IdentityProviderSummary":{ @@ -414,7 +667,11 @@ }, "IdentityProvider":{ "shape":"IdentityProvider", - "documentation":"An object that specifies details for the identity provider.
" + "documentation":"The IdentityProvider resource contains information about an identity provider.
The Amazon Resource Name (ARN) of the identity provider.
" }, "Product":{ "shape":"String", @@ -422,11 +679,11 @@ }, "Settings":{ "shape":"Settings", - "documentation":"An object that details the registered identity provider’s product related configuration settings such as the subnets to provision VPC endpoints.
" + "documentation":"The Settings resource contains details about the registered identity provider’s product related configuration settings, such as the subnets to provision VPC endpoints.
The status of an identity provider.
" + "documentation":"The status of the identity provider.
" } }, "documentation":"Describes an identity provider.
" @@ -489,15 +746,19 @@ }, "Domain":{ "shape":"String", - "documentation":"The domain name of the user.
" + "documentation":"The domain name of the Active Directory that contains the user information for the product subscription.
" }, "IdentityProvider":{ "shape":"IdentityProvider", - "documentation":"An object that specifies details for the identity provider.
" + "documentation":"The IdentityProvider resource specifies details about the identity provider.
The ID of the EC2 instance, which provides user-based subscriptions.
" + "documentation":"The ID of the EC2 instance that provides user-based subscriptions.
" + }, + "InstanceUserArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) that identifies the instance user.
" }, "Status":{ "shape":"String", @@ -524,19 +785,134 @@ "message":{"shape":"String"} }, "documentation":"An exception occurred with the service.
", + "error":{"httpStatusCode":500}, "exception":true, "fault":true }, + "IpV4":{ + "type":"string", + "pattern":"^(?:(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])(\\.(?!$)|$)){4}$" + }, + "LicenseServer":{ + "type":"structure", + "members":{ + "HealthStatus":{ + "shape":"LicenseServerHealthStatus", + "documentation":"The health status of the RDS license server.
" + }, + "Ipv4Address":{ + "shape":"String", + "documentation":"A list of domain IPv4 addresses that are used for the RDS license server.
" + }, + "ProvisioningStatus":{ + "shape":"LicenseServerEndpointProvisioningStatus", + "documentation":"The current state of the provisioning process for the RDS license server.
" + } + }, + "documentation":"Information about a Remote Desktop Services (RDS) license server.
" + }, + "LicenseServerEndpoint":{ + "type":"structure", + "members":{ + "CreationTime":{ + "shape":"Timestamp", + "documentation":"The timestamp when License Manager created the license server endpoint.
" + }, + "IdentityProviderArn":{ + "shape":"String", + "documentation":"The Amazon Resource Name (ARN) of the identity provider that's associated with the RDS license server endpoint.
" + }, + "LicenseServerEndpointArn":{ + "shape":"Arn", + "documentation":"The ARN of the ServerEndpoint resource for the RDS license server.
The ID of the license server endpoint.
" + }, + "LicenseServerEndpointProvisioningStatus":{ + "shape":"LicenseServerEndpointProvisioningStatus", + "documentation":"The current state of the provisioning process for the RDS license server endpoint
" + }, + "LicenseServers":{ + "shape":"LicenseServerList", + "documentation":"An array of LicenseServer resources that represent the license servers that are accessed through this endpoint.
The ServerEndpoint resource contains the network address of the RDS license server endpoint.
The type of license server.
" + }, + "StatusMessage":{ + "shape":"String", + "documentation":"The message associated with the provisioning status, if there is one.
" + } + }, + "documentation":"Contains details about a network endpoint for a Remote Desktop Services (RDS) license server.
" + }, + "LicenseServerEndpointId":{"type":"string"}, + "LicenseServerEndpointList":{ + "type":"list", + "member":{"shape":"LicenseServerEndpoint"} + }, + "LicenseServerEndpointProvisioningStatus":{ + "type":"string", + "enum":[ + "PROVISIONING", + "PROVISIONING_FAILED", + "PROVISIONED", + "DELETING", + "DELETION_FAILED", + "DELETED" + ] + }, + "LicenseServerHealthStatus":{ + "type":"string", + "enum":[ + "HEALTHY", + "UNHEALTHY", + "NOT_APPLICABLE" + ] + }, + "LicenseServerList":{ + "type":"list", + "member":{"shape":"LicenseServer"} + }, + "LicenseServerSettings":{ + "type":"structure", + "required":[ + "ServerSettings", + "ServerType" + ], + "members":{ + "ServerSettings":{ + "shape":"ServerSettings", + "documentation":"The ServerSettings resource contains the settings for your server.
The type of license server.
" + } + }, + "documentation":"The settings to configure your license server.
" + }, "ListIdentityProvidersRequest":{ "type":"structure", "members":{ + "Filters":{ + "shape":"FilterList", + "documentation":"You can use the following filters to streamline results:
Product
DirectoryId
Maximum number of results to return in a single call.
" + "documentation":"The maximum number of results to return from a single request.
" }, "NextToken":{ "shape":"String", - "documentation":"Token for the next set of results.
" + "documentation":"A token to specify where to start paginating. This is the nextToken from a previously truncated response.
" } } }, @@ -546,11 +922,11 @@ "members":{ "IdentityProviderSummaries":{ "shape":"IdentityProviderSummaryList", - "documentation":"Metadata that describes the list identity providers operation.
" + "documentation":"An array of IdentityProviderSummary resources that contain details about the Active Directory identity providers that meet the request criteria.
Token for the next set of results.
" + "documentation":"The next token used for paginated responses. When this field isn't empty, there are additional elements that the service hasn't included in this request. Use this token with the next request to retrieve additional objects.
" } } }, @@ -559,15 +935,15 @@ "members":{ "Filters":{ "shape":"FilterList", - "documentation":"An array of structures that you can use to filter the results to those that match one or more sets of key-value pairs that you specify.
" + "documentation":"You can use the following filters to streamline results:
Status
InstanceId
Maximum number of results to return in a single call.
" + "documentation":"The maximum number of results to return from a single request.
" }, "NextToken":{ "shape":"String", - "documentation":"Token for the next set of results.
" + "documentation":"A token to specify where to start paginating. This is the nextToken from a previously truncated response.
" } } }, @@ -576,24 +952,57 @@ "members":{ "InstanceSummaries":{ "shape":"InstanceSummaryList", - "documentation":"Metadata that describes the list instances operation.
" + "documentation":"An array of InstanceSummary resources that contain details about the instances that provide user-based subscriptions and also meet the request criteria.
The next token used for paginated responses. When this field isn't empty, there are additional elements that the service hasn't included in this request. Use this token with the next request to retrieve additional objects.
" + } + } + }, + "ListLicenseServerEndpointsRequest":{ + "type":"structure", + "members":{ + "Filters":{ + "shape":"FilterList", + "documentation":"You can use the following filters to streamline results:
IdentityProviderArn
The maximum number of results to return from a single request.
" }, "NextToken":{ "shape":"String", - "documentation":"Token for the next set of results.
" + "documentation":"A token to specify where to start paginating. This is the nextToken from a previously truncated response.
" + } + } + }, + "ListLicenseServerEndpointsRequestMaxResultsInteger":{ + "type":"integer", + "box":true, + "max":100, + "min":1 + }, + "ListLicenseServerEndpointsResponse":{ + "type":"structure", + "members":{ + "LicenseServerEndpoints":{ + "shape":"LicenseServerEndpointList", + "documentation":"An array of LicenseServerEndpoint resources that contain detailed information about the RDS License Servers that meet the request criteria.
The next token used for paginated responses. When this field isn't empty, there are additional elements that the service hasn't included in this request. Use this token with the next request to retrieve additional objects.
" } } }, "ListProductSubscriptionsRequest":{ "type":"structure", - "required":[ - "IdentityProvider", - "Product" - ], + "required":["IdentityProvider"], "members":{ "Filters":{ "shape":"FilterList", - "documentation":"An array of structures that you can use to filter the results to those that match one or more sets of key-value pairs that you specify.
" + "documentation":"You can use the following filters to streamline results:
Status
Username
Domain
Maximum number of results to return in a single call.
" + "documentation":"The maximum number of results to return from a single request.
" }, "NextToken":{ "shape":"String", - "documentation":"Token for the next set of results.
" + "documentation":"A token to specify where to start paginating. This is the nextToken from a previously truncated response.
" }, "Product":{ "shape":"String", - "documentation":"The name of the user-based subscription product.
" + "documentation":"The name of the user-based subscription product.
Valid values: VISUAL_STUDIO_ENTERPRISE | VISUAL_STUDIO_PROFESSIONAL | OFFICE_PROFESSIONAL_PLUS
Token for the next set of results.
" + "documentation":"The next token used for paginated responses. When this field isn't empty, there are additional elements that the service hasn't included in this request. Use this token with the next request to retrieve additional objects.
" }, "ProductUserSummaries":{ "shape":"ProductUserSummaryList", @@ -626,6 +1035,27 @@ } } }, + "ListTagsForResourceRequest":{ + "type":"structure", + "required":["ResourceArn"], + "members":{ + "ResourceArn":{ + "shape":"ResourceArn", + "documentation":"The Amazon Resource Name (ARN) of the resource whose tags you want to retrieve.
", + "location":"uri", + "locationName":"ResourceArn" + } + } + }, + "ListTagsForResourceResponse":{ + "type":"structure", + "members":{ + "Tags":{ + "shape":"Tags", + "documentation":"The tags for the specified resource.
" + } + } + }, "ListUserAssociationsRequest":{ "type":"structure", "required":[ @@ -635,7 +1065,7 @@ "members":{ "Filters":{ "shape":"FilterList", - "documentation":"An array of structures that you can use to filter the results to those that match one or more sets of key-value pairs that you specify.
" + "documentation":"You can use the following filters to streamline results:
Status
Username
Domain
Maximum number of results to return in a single call.
" + "documentation":"The maximum number of results to return from a single request.
" }, "NextToken":{ "shape":"String", - "documentation":"Token for the next set of results.
" + "documentation":"A token to specify where to start paginating. This is the nextToken from a previously truncated response.
" } } }, @@ -664,7 +1094,7 @@ }, "NextToken":{ "shape":"String", - "documentation":"Token for the next set of results.
" + "documentation":"The next token used for paginated responses. When this field isn't empty, there are additional elements that the service hasn't included in this request. Use this token with the next request to retrieve additional objects.
" } } }, @@ -679,7 +1109,7 @@ "members":{ "Domain":{ "shape":"String", - "documentation":"The domain name of the user.
" + "documentation":"The domain name of the Active Directory that contains the user information for the product subscription.
" }, "IdentityProvider":{ "shape":"IdentityProvider", @@ -689,13 +1119,17 @@ "shape":"String", "documentation":"The name of the user-based subscription product.
" }, + "ProductUserArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) for this product user.
" + }, "Status":{ "shape":"String", - "documentation":"The status of a product for a user.
" + "documentation":"The status of a product for this user.
" }, "StatusMessage":{ "shape":"String", - "documentation":"The status message for a product for a user.
" + "documentation":"The status message for a product for this user.
" }, "SubscriptionEndDate":{ "shape":"String", @@ -707,15 +1141,26 @@ }, "Username":{ "shape":"String", - "documentation":"The user name from the identity provider of the user.
" + "documentation":"The user name from the identity provider for this product user.
" } }, - "documentation":"The summary of the user-based subscription products for a user.
" + "documentation":"A summary of the user-based subscription products for a specific user.
" }, "ProductUserSummaryList":{ "type":"list", "member":{"shape":"ProductUserSummary"} }, + "RdsSalSettings":{ + "type":"structure", + "required":["RdsSalCredentialsProvider"], + "members":{ + "RdsSalCredentialsProvider":{ + "shape":"CredentialsProvider", + "documentation":"The CredentialsProvider resource contains a reference to the credentials provider that's used for RDS license server user administration.
Server settings that are specific to a Remote Desktop Services (RDS) license server.
" + }, "RegisterIdentityProviderRequest":{ "type":"structure", "required":[ @@ -725,15 +1170,19 @@ "members":{ "IdentityProvider":{ "shape":"IdentityProvider", - "documentation":"An object that specifies details for the identity provider.
" + "documentation":"An object that specifies details for the identity provider to register.
" }, "Product":{ "shape":"String", - "documentation":"The name of the user-based subscription product.
" + "documentation":"The name of the user-based subscription product.
Valid values: VISUAL_STUDIO_ENTERPRISE | VISUAL_STUDIO_PROFESSIONAL | OFFICE_PROFESSIONAL_PLUS
The registered identity provider’s product related configuration settings such as the subnets to provision VPC endpoints.
" + }, + "Tags":{ + "shape":"Tags", + "documentation":"The tags that apply to the identity provider's registration.
" } } }, @@ -747,6 +1196,10 @@ } } }, + "ResourceArn":{ + "type":"string", + "pattern":"^arn:([a-z0-9-\\.]{1,63}):([a-z0-9-\\.]{1,63}):([a-z0-9-\\.]{1,63}):([a-z0-9-\\.]{1,63}):([a-z0-9-\\.]{1,510})/([a-z0-9-\\.]{1,510})$" + }, "ResourceNotFoundException":{ "type":"structure", "members":{ @@ -759,12 +1212,51 @@ }, "exception":true }, + "SecretsManagerCredentialsProvider":{ + "type":"structure", + "members":{ + "SecretId":{ + "shape":"SecretsManagerCredentialsProviderSecretIdString", + "documentation":"The ID of the Secrets Manager secret that contains credentials.
" + } + }, + "documentation":"Contains a credentials secret that's stored in Secrets Manager.
" + }, + "SecretsManagerCredentialsProviderSecretIdString":{ + "type":"string", + "min":1 + }, "SecurityGroup":{ "type":"string", "max":200, "min":5, "pattern":"^sg-(([0-9a-z]{8})|([0-9a-z]{17}))$" }, + "ServerEndpoint":{ + "type":"structure", + "members":{ + "Endpoint":{ + "shape":"String", + "documentation":"The network address of the endpoint.
" + } + }, + "documentation":"A network endpoint through which you can access one or more servers.
" + }, + "ServerSettings":{ + "type":"structure", + "members":{ + "RdsSalSettings":{ + "shape":"RdsSalSettings", + "documentation":"The RdsSalSettings resource contains settings to configure a specific Remote Desktop Services (RDS) license server.
Contains settings for a specific server.
", + "union":true + }, + "ServerType":{ + "type":"string", + "enum":["RDS_SAL"] + }, "ServiceQuotaExceededException":{ "type":"structure", "members":{ @@ -806,7 +1298,7 @@ "members":{ "Domain":{ "shape":"String", - "documentation":"The domain name of the user.
" + "documentation":"The domain name of the Active Directory that contains the user for whom to start the product subscription.
" }, "IdentityProvider":{ "shape":"IdentityProvider", @@ -814,7 +1306,11 @@ }, "Product":{ "shape":"String", - "documentation":"The name of the user-based subscription product.
" + "documentation":"The name of the user-based subscription product.
Valid values: VISUAL_STUDIO_ENTERPRISE | VISUAL_STUDIO_PROFESSIONAL | OFFICE_PROFESSIONAL_PLUS
The tags that apply to the product subscription.
" }, "Username":{ "shape":"String", @@ -834,15 +1330,10 @@ }, "StopProductSubscriptionRequest":{ "type":"structure", - "required":[ - "IdentityProvider", - "Product", - "Username" - ], "members":{ "Domain":{ "shape":"String", - "documentation":"The domain name of the user.
" + "documentation":"The domain name of the Active Directory that contains the user for whom to stop the product subscription.
" }, "IdentityProvider":{ "shape":"IdentityProvider", @@ -850,7 +1341,11 @@ }, "Product":{ "shape":"String", - "documentation":"The name of the user-based subscription product.
" + "documentation":"The name of the user-based subscription product.
Valid values: VISUAL_STUDIO_ENTERPRISE | VISUAL_STUDIO_PROFESSIONAL | OFFICE_PROFESSIONAL_PLUS
The Amazon Resource Name (ARN) of the product user.
" }, "Username":{ "shape":"String", @@ -875,12 +1370,51 @@ }, "Subnet":{ "type":"string", - "pattern":"subnet-[a-z0-9]{8,17}" + "pattern":"^subnet-[a-z0-9]{8,17}" }, "Subnets":{ "type":"list", "member":{"shape":"Subnet"} }, + "TagKeyList":{ + "type":"list", + "member":{"shape":"String"}, + "max":50, + "min":0, + "sensitive":true + }, + "TagResourceRequest":{ + "type":"structure", + "required":[ + "ResourceArn", + "Tags" + ], + "members":{ + "ResourceArn":{ + "shape":"ResourceArn", + "documentation":"The Amazon Resource Name (ARN) of the resource that you want to tag.
", + "location":"uri", + "locationName":"ResourceArn" + }, + "Tags":{ + "shape":"Tags", + "documentation":"The tags to apply to the specified resource.
" + } + } + }, + "TagResourceResponse":{ + "type":"structure", + "members":{ + } + }, + "Tags":{ + "type":"map", + "key":{"shape":"String"}, + "value":{"shape":"String"}, + "max":50, + "min":0, + "sensitive":true + }, "ThrottlingException":{ "type":"structure", "members":{ @@ -889,18 +1423,45 @@ "documentation":"The request was denied because of request throttling. Retry the request.
", "exception":true }, - "UpdateIdentityProviderSettingsRequest":{ + "Timestamp":{"type":"timestamp"}, + "UntagResourceRequest":{ "type":"structure", "required":[ - "IdentityProvider", - "Product", - "UpdateSettings" + "ResourceArn", + "TagKeys" ], + "members":{ + "ResourceArn":{ + "shape":"ResourceArn", + "documentation":"The Amazon Resource Name (ARN) of the resource that you want to remove tags from.
", + "location":"uri", + "locationName":"ResourceArn" + }, + "TagKeys":{ + "shape":"TagKeyList", + "documentation":"The tag keys to remove from the resource.
", + "location":"querystring", + "locationName":"tagKeys" + } + } + }, + "UntagResourceResponse":{ + "type":"structure", + "members":{ + } + }, + "UpdateIdentityProviderSettingsRequest":{ + "type":"structure", + "required":["UpdateSettings"], "members":{ "IdentityProvider":{"shape":"IdentityProvider"}, + "IdentityProviderArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the identity provider to update.
" + }, "Product":{ "shape":"String", - "documentation":"The name of the user-based subscription product.
" + "documentation":"The name of the user-based subscription product.
Valid values: VISUAL_STUDIO_ENTERPRISE | VISUAL_STUDIO_PROFESSIONAL | OFFICE_PROFESSIONAL_PLUS
Enables you to reassign an existing Opportunity to another user within your Partner Central account. The specified user receives the opportunity, and it appears on their Partner Central dashboard, allowing them to take necessary actions or proceed with the opportunity.
This is useful for distributing opportunities to the appropriate team members or departments within your organization, ensuring that each opportunity is handled by the right person. By default, the opportunity owner is the one who creates it. Currently, there's no API to enumerate the list of available users.
" + }, + "AssociateOpportunity":{ + "name":"AssociateOpportunity", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"AssociateOpportunityRequest"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InternalServerException"}, + {"shape":"ValidationException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":" Enables you to create a formal association between an Opportunity and various related entities, enriching the context and details of the opportunity for better collaboration and decision-making. You can associate an opportunity with the following types of entities:
Partner Solution: A software product or consulting practice created and delivered by Partners. Partner Solutions help customers address specific business challenges or achieve particular goals using Amazon Web Services services.
Amazon Web Services Product: Amazon Web Services offers a wide range of products and services designed to provide scalable, reliable, and cost-effective infrastructure solutions. For the latest list of Amazon Web Services products, refer to Amazon Web Services products.
Amazon Web Services Marketplace private offer: Allows Amazon Web Services Marketplace sellers to extend custom pricing and terms to individual Amazon Web Services customers. Sellers can negotiate custom prices, payment schedules, and end user license terms through private offers, enabling Amazon Web Services customers to acquire software solutions tailored to their specific needs. For more information, refer to Private offers in Amazon Web Services Marketplace.
To obtain identifiers for these entities, use the following methods:
Solution: Use the ListSolutions operation.
AWS products: For the latest list of Amazon Web Services products, refer to the Amazon Web Services products list.
Amazon Web Services Marketplace private offer: Use the AWS Marketplace Catalog API to list entities. Specifically, use the ListEntities operation to retrieve a list of private offers. The request to the ListEntities API returns the details of the private offers available to you. For more information, refer to ListEntities.
Creates an Opportunity record in Partner Central. Use this operation to create a potential business opportunity intended to be submitted to Amazon Web Services. Creating an opportunity sets its Lifecycle.ReviewStatus to Pending Submission.
To fully submit an opportunity, follow these steps:
To create the opportunity, use CreateOpportunity.
To associate a solution with the opportunity, use AssociateOpportunity.
To submit the opportunity, use SubmitOpportunity.
After submission, you can't edit the opportunity until the review is complete. However, opportunities in the Pending Submission state still need all details completed. You can update the opportunity while it's in the Pending Submission state.
There's a set of mandatory fields required to create opportunities, but consider providing optional fields to enrich the opportunity record.
", + "idempotent":true + }, + "DisassociateOpportunity":{ + "name":"DisassociateOpportunity", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"DisassociateOpportunityRequest"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InternalServerException"}, + {"shape":"ValidationException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":" Allows you to remove an existing association between an Opportunity and related entities such as a Partner Solution, Amazon Web Services product, or an Amazon Web Services Marketplace offer. This operation is the counterpart to AssociateOpportunity, and it provides flexibility to manage associations as business needs change.
Use this operation to update the associations of an Opportunity due to changes in the related entities, or if an association was made in error. Ensuring accurate associations helps maintain clarity and accuracy to track and manage business opportunities. When you replace an entity, first attach the new entity and then disassociate the one to be removed, especially if it's the last remaining related entity that's required.
Retrieves a summary of an AWS Opportunity. This summary includes high-level details about the opportunity sourced from AWS, such as lifecycle information, customer details, and involvement type. It is useful for tracking updates on the AWS opportunity corresponding to an opportunity in the partner's account.
" + }, + "GetEngagementInvitation":{ + "name":"GetEngagementInvitation", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"GetEngagementInvitationRequest"}, + "output":{"shape":"GetEngagementInvitationResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InternalServerException"}, + {"shape":"ValidationException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"Retrieves the details of an engagement invitation shared by AWS with a partner. The information includes key aspects such as the customer, project details, and lifecycle information related to the engagement.
" + }, + "GetOpportunity":{ + "name":"GetOpportunity", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"GetOpportunityRequest"}, + "output":{"shape":"GetOpportunityResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InternalServerException"}, + {"shape":"ValidationException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":" Fetches the Opportunity record from Partner Central by a given Identifier.
Use the ListOpportunities action or the event notification (from Amazon EventBridge) to obtain this identifier.
Retrieves a list of engagement invitations sent to the partner. This allows partners to view all pending or past engagement invitations, helping them track opportunities shared by AWS.
" + }, + "ListOpportunities":{ + "name":"ListOpportunities", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListOpportunitiesRequest"}, + "output":{"shape":"ListOpportunitiesResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InternalServerException"}, + {"shape":"ValidationException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"This request accepts a list of filters to use to retrieve a specific subset of opportunities, as well as sort options. This feature is available to partners from Partner Central using the ListOpportunities API action.
To synchronize your system with Amazon Web Services, only list the opportunities that were newly created or updated. We recommend you rely on events emitted by the service into your Amazon Web Services account’s Amazon EventBridge default event bus, you can also use the ListOpportunities action.
We recommend the following approach:
Find the latest LastModifiedDate that you stored, and only use the values that came from Amazon Web Services. Don’t use values generated by your system.
When you send a ListOpportunities request, submit the date in ISO 8601 format in the AfterLastModifiedDate filter.
Amazon Web Services only returns opportunities created or updated on or after that date and time. Use NextToken to iterate over all pages.
Retrieves a list of Partner Solutions that the partner registered on Partner Central. This API is used to generate a list of solutions that an end user selects from for association with an opportunity.
" + }, + "RejectEngagementInvitation":{ + "name":"RejectEngagementInvitation", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"RejectEngagementInvitationRequest"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InternalServerException"}, + {"shape":"ValidationException"}, + {"shape":"ResourceNotFoundException"} + ], + "documentation":"Use this action to reject an EngagementInvitation that has been shared by AWS. Rejecting the engagement invitation indicates that the partner does not wish to pursue the opportunity, and all related data will be inaccessible after the rejection.
This action starts the engagement by accepting an EngagementInvitation. The task is asynchronous and involves several steps: accepting the invitation, creating an opportunity in the partner’s account from the AWS Opportunity, and copying over key details for tracking. Once completed, an Opportunity Created event is generated, indicating that the opportunity has been successfully created in the partner's account.
This action initiates the engagement process from an existing opportunity by accepting the engagement invitation and creating a corresponding opportunity in the partner’s system. Similar to StartEngagementByAcceptingInvitationTask, this action is asynchronous and performs multiple steps before completion.
Updates the Opportunity record identified by a given Identifier. This operation allows you to modify the details of an existing opportunity to reflect the latest information and progress. Use this action to keep the opportunity record up-to-date and accurate.
When you perform updates, include the entire payload with each request. If any field is omitted, the API assumes that the field is set to null. The best practice is to always perform a GetOpportunity to retrieve the latest values, then send the complete payload with the updated values to be changed.
This error occurs when you don't have permission to perform the requested action.
You don’t have access to this action or resource. Review IAM policies or contact your AWS administrator for assistance.
", + "exception":true + }, + "Account":{ + "type":"structure", + "required":["CompanyName"], + "members":{ + "Address":{ + "shape":"Address", + "documentation":"Specifies the end Customer's address details associated with the Opportunity.
Specifies the Customer Amazon Web Services account ID associated with the Opportunity.
Specifies the end Customer's company name associated with the Opportunity.
Indicates the Customer DUNS number, if available.
Specifies the industry the end Customer belongs to that's associated with the Opportunity . It refers to the category or sector where the customer's business operates. This is a required field.
Specifies the end Customer's industry associated with the Opportunity, when the selected value in the Industry field is Other.
Specifies the end customer's company website URL associated with the Opportunity. This value is crucial to map the customer within the Amazon Web Services CRM system. This field is required in all cases except when the opportunity is related to national security.
Specifies the Customer's account details associated with the Opportunity.
Represents the alias of the partner account receiving the Engagement Invitation, making it easier to identify and track the recipient in reports or logs.
" + }, + "AwsAccountId":{ + "shape":"AwsAccount", + "documentation":"Indicates the AWS account ID of the partner who received the Engagement Invitation. This is a unique identifier for managing engagements with specific AWS accounts.
" + } + }, + "documentation":"Contains the account details of the partner who received the Engagement Invitation, including the AWS account ID and company name.
" + }, + "AccountSummary":{ + "type":"structure", + "required":["CompanyName"], + "members":{ + "Address":{ + "shape":"AddressSummary", + "documentation":"Specifies the end Customer's address details associated with the Opportunity.
Specifies the end Customer's company name associated with the Opportunity.
Specifies which industry the end Customer belongs to associated with the Opportunity . It refers to the category or sector that the customer's business operates in.
To submit a value outside the picklist, use Other.
Conditionally mandatory if Other is selected for Industry Vertical in LOVs.
Specifies the end Customer's industry associated with the Opportunity, when the selected value in the Industry field is Other. This field is relevant when the customer's industry doesn't fall under the predefined picklist values and requires a custom description.
Specifies the end customer's company website URL associated with the Opportunity. This value is crucial to map the customer within the Amazon Web Services CRM system.
An object that contains an Account's subset of fields.
Specifies the end Customer's city associated with the Opportunity.
Specifies the end Customer's country associated with the Opportunity.
Specifies the end Customer's postal code associated with the Opportunity.
Specifies the end Customer's state or region associated with the Opportunity.
Valid values: Alabama | Alaska | American Samoa | Arizona | Arkansas | California | Colorado | Connecticut | Delaware | Dist. of Columbia | Federated States of Micronesia | Florida | Georgia | Guam | Hawaii | Idaho | Illinois | Indiana | Iowa | Kansas | Kentucky | Louisiana | Maine | Marshall Islands | Maryland | Massachusetts | Michigan | Minnesota | Mississippi | Missouri | Montana | Nebraska | Nevada | New Hampshire | New Jersey | New Mexico | New York | North Carolina | North Dakota | Northern Mariana Islands | Ohio | Oklahoma | Oregon | Palau | Pennsylvania | Puerto Rico | Rhode Island | South Carolina | South Dakota | Tennessee | Texas | Utah | Vermont | Virginia | Virgin Islands | Washington | West Virginia | Wisconsin | Wyoming | APO/AE | AFO/FPO | FPO, AP
Specifies the end Customer's street address associated with the Opportunity.
Specifies the end Customer's address details associated with the Opportunity.
Specifies the end Customer's city associated with the Opportunity.
Specifies the end Customer's country associated with the Opportunity.
Specifies the end Customer's postal code associated with the Opportunity.
Specifies the end Customer's state or region associated with the Opportunity.
Valid values: Alabama | Alaska | American Samoa | Arizona | Arkansas | California | Colorado | Connecticut | Delaware | Dist. of Columbia | Federated States of Micronesia | Florida | Georgia | Guam | Hawaii | Idaho | Illinois | Indiana | Iowa | Kansas | Kentucky | Louisiana | Maine | Marshall Islands | Maryland | Massachusetts | Michigan | Minnesota | Mississippi | Missouri | Montana | Nebraska | Nevada | New Hampshire | New Jersey | New Mexico | New York | North Carolina | North Dakota | Northern Mariana Islands | Ohio | Oklahoma | Oregon | Palau | Pennsylvania | Puerto Rico | Rhode Island | South Carolina | South Dakota | Tennessee | Texas | Utah | Vermont | Virginia | Virgin Islands | Washington | West Virginia | Wisconsin | Wyoming | APO/AE | AFO/FPO | FPO, AP
An object that contains an Address object's subset of fields.
Specifies the user or team member responsible for managing the assigned opportunity. This field identifies the Assignee based on the partner's internal team structure. Ensure that the email address is associated with a registered user in your Partner Central account.
" + }, + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":" Specifies the catalog associated with the request. This field takes a string value from a predefined list: AWS or Sandbox. The catalog determines which environment the opportunity is assigned in. Use AWS to assign real opportunities in the Amazon Web Services catalog, and Sandbox to test in a secure and isolated environment.
Requires the Opportunity's unique identifier when you want to assign it to another user. Provide the correct identifier so the intended opportunity is reassigned.
Specifies the business title of the assignee managing the opportunity. This helps clarify the individual's role and responsibilities within the organization.
" + }, + "Email":{ + "shape":"Email", + "documentation":"Provides the email address of the assignee. This email is used for communications and notifications related to the opportunity.
" + }, + "FirstName":{ + "shape":"AssigneeContactFirstNameString", + "documentation":"Specifies the first name of the assignee managing the opportunity.
" + }, + "LastName":{ + "shape":"AssigneeContactLastNameString", + "documentation":"Specifies the last name of the assignee managing the opportunity.
" + } + }, + "documentation":"Represents the contact details of the individual assigned to manage the opportunity within the partner organization. This ensures that there is a clear point of contact for the opportunity's progress and updates.
" + }, + "AssigneeContactFirstNameString":{ + "type":"string", + "max":80, + "min":0, + "sensitive":true + }, + "AssigneeContactLastNameString":{ + "type":"string", + "max":80, + "min":0, + "sensitive":true + }, + "AssociateOpportunityRequest":{ + "type":"structure", + "required":[ + "Catalog", + "OpportunityIdentifier", + "RelatedEntityIdentifier", + "RelatedEntityType" + ], + "members":{ + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":" Specifies the catalog associated with the request. This field takes a string value from a predefined list: AWS or Sandbox. The catalog determines whichenvironment the opportunity association is made in. Use AWS to associate opportunities in the Amazon Web Services catalog, and Sandbox to test in a secure and isolated environment.
Requires the Opportunity's unique identifier when you want to associate it with a related entity. Provide the correct identifier so the intended opportunity is updated with the association.
Requires the related entity's unique identifier when you want to associate it with the Opportunity. For Amazon Web Services Marketplace entities, provide the Amazon Resource Name (ARN). Use the Amazon Web Services Marketplace API to obtain the ARN.
Specifies the type of the related entity you're associating with the Opportunity. This helps to categorize and properly process the association.
Provides a list of customer contacts involved in the opportunity. These contacts may include decision-makers, influencers, and other key stakeholders within the customer's organization.
" + } + }, + "documentation":"Represents the customer associated with the AWS opportunity. This field captures key details about the customer that are necessary for managing the opportunity.
" + }, + "AwsOpportunityInsights":{ + "type":"structure", + "members":{ + "EngagementScore":{ + "shape":"EngagementScore", + "documentation":"Represents a score assigned by AWS to indicate the level of engagement and potential success for the opportunity. This score helps partners prioritize their efforts.
" + }, + "NextBestActions":{ + "shape":"String", + "documentation":"Provides recommendations from AWS on the next best actions to take in order to move the opportunity forward and increase the likelihood of success.
" + } + }, + "documentation":"Contains insights provided by AWS for the opportunity, offering recommendations and analysis that can help the partner optimize their engagement and strategy.
" + }, + "AwsOpportunityLifeCycle":{ + "type":"structure", + "members":{ + "ClosedLostReason":{ + "shape":"AwsClosedLostReason", + "documentation":"Indicates the reason why an opportunity was marked as Closed Lost. This helps in understanding the context behind the lost opportunity and aids in refining future strategies.
Specifies the immediate next steps required to progress the opportunity. These steps are based on AWS's guidance and the current stage of the opportunity.
" + }, + "NextStepsHistory":{ + "shape":"AwsOpportunityLifeCycleNextStepsHistoryList", + "documentation":"Provides a historical log of previous next steps that were taken to move the opportunity forward. This helps in tracking the decision-making process and identifying any delays or obstacles encountered.
" + }, + "Stage":{ + "shape":"AwsOpportunityStage", + "documentation":"Represents the current stage of the opportunity in its lifecycle, such as Qualification, Validation, or Closed Won. This helps in understanding the opportunity's progress.
Indicates the expected date by which the opportunity is projected to close. This field helps in planning resources and timelines for both the partner and AWS.
" + } + }, + "documentation":"Tracks the lifecycle of the AWS opportunity, including stages such as qualification, validation, and closure. This field helps partners understand the current status and progression of the opportunity.
" + }, + "AwsOpportunityLifeCycleNextStepsHistoryList":{ + "type":"list", + "member":{"shape":"ProfileNextStepsHistory"}, + "max":50, + "min":0 + }, + "AwsOpportunityLifeCycleNextStepsString":{ + "type":"string", + "max":255, + "min":0, + "sensitive":true + }, + "AwsOpportunityProject":{ + "type":"structure", + "members":{ + "ExpectedCustomerSpend":{ + "shape":"ExpectedCustomerSpendList", + "documentation":"Indicates the expected spending by the customer over the course of the project. This value helps partners and AWS estimate the financial impact of the opportunity. Use the AWS Pricing Calculator to create an estimate of the customer’s total spend. If only annual recurring revenue (ARR) is available, distribute it across 12 months to provide an average monthly value.
" + } + }, + "documentation":"Captures details about the project associated with the opportunity, including objectives, scope, and customer requirements.
" + }, + "AwsOpportunityRelatedEntities":{ + "type":"structure", + "members":{ + "AwsProducts":{ + "shape":"AwsProductIdentifiers", + "documentation":"Specifies the AWS products associated with the opportunity. This field helps track the specific products that are part of the proposed solution.
" + }, + "Solutions":{ + "shape":"SolutionIdentifiers", + "documentation":"Specifies the partner solutions related to the opportunity. These solutions represent the partner's offerings that are being positioned as part of the overall AWS opportunity.
" + } + }, + "documentation":"Represents other entities related to the AWS opportunity, such as AWS products, partner solutions, and marketplace offers. These associations help build a complete picture of the solution being sold.
" + }, + "AwsOpportunityStage":{ + "type":"string", + "enum":[ + "Not Started", + "In Progress", + "Prospect", + "Engaged", + "Identified", + "Qualify", + "Research", + "Seller Engaged", + "Evaluating", + "Seller Registered", + "Term Sheet Negotiation", + "Contract Negotiation", + "Onboarding", + "Building Integration", + "Qualified", + "On-hold", + "Technical Validation", + "Business Validation", + "Committed", + "Launched", + "Deferred to Partner", + "Closed Lost", + "Completed", + "Closed Incomplete" + ] + }, + "AwsOpportunityTeamMembersList":{ + "type":"list", + "member":{"shape":"AwsTeamMember"} + }, + "AwsProductIdentifier":{"type":"string"}, + "AwsProductIdentifiers":{ + "type":"list", + "member":{"shape":"AwsProductIdentifier"} + }, + "AwsSubmission":{ + "type":"structure", + "required":["InvolvementType"], + "members":{ + "InvolvementType":{ + "shape":"SalesInvolvementType", + "documentation":"Specifies the type of AWS involvement in the opportunity, such as co-selling, deal support, or technical consultation. This helps categorize the nature of AWS's participation.
" + }, + "Visibility":{ + "shape":"Visibility", + "documentation":"Determines who can view AWS's involvement in the opportunity. Typically, this field is set to Full for most cases, but it may be restricted based on special program requirements or confidentiality needs.
Indicates the level of AWS involvement in the opportunity. This field helps track AWS's role and participation throughout the engagement, such as providing technical support, deal assistance, or sales support.
" + }, + "AwsTeamMember":{ + "type":"structure", + "members":{ + "BusinessTitle":{ + "shape":"AwsMemberBusinessTitle", + "documentation":"Specifies the Amazon Web Services team member's business title and indicates their organizational role.
" + }, + "Email":{ + "shape":"Email", + "documentation":"Provides the Amazon Web Services team member's email address.
" + }, + "FirstName":{ + "shape":"AwsTeamMemberFirstNameString", + "documentation":"Provides the Amazon Web Services team member's first name.
" + }, + "LastName":{ + "shape":"AwsTeamMemberLastNameString", + "documentation":"Provides the Amazon Web Services team member's last name.
" + } + }, + "documentation":"Represents an Amazon Web Services team member for the engagement. This structure includes details such as name, email, and business title.
" + }, + "AwsTeamMemberFirstNameString":{ + "type":"string", + "max":80, + "min":0, + "sensitive":true + }, + "AwsTeamMemberLastNameString":{ + "type":"string", + "max":80, + "min":0, + "sensitive":true + }, + "CatalogIdentifier":{ + "type":"string", + "pattern":"^[a-zA-Z]+$" + }, + "Channel":{ + "type":"string", + "enum":[ + "AWS Marketing Central", + "Content Syndication", + "Display", + "Email", + "Live Event", + "Out Of Home (OOH)", + "Print", + "Search", + "Social", + "Telemarketing", + "TV", + "Video", + "Virtual Event" + ] + }, + "Channels":{ + "type":"list", + "member":{"shape":"Channel"} + }, + "ClosedLostReason":{ + "type":"string", + "enum":[ + "Customer Deficiency", + "Delay / Cancellation of Project", + "Legal / Tax / Regulatory", + "Lost to Competitor - Google", + "Lost to Competitor - Microsoft", + "Lost to Competitor - SoftLayer", + "Lost to Competitor - VMWare", + "Lost to Competitor - Other", + "No Opportunity", + "On Premises Deployment", + "Partner Gap", + "Price", + "Security / Compliance", + "Technical Limitations", + "Customer Experience", + "Other", + "People/Relationship/Governance", + "Product/Technology", + "Financial/Commercial" + ] + }, + "CompanyName":{ + "type":"string", + "max":120, + "min":1, + "pattern":"^[\\p{L}\\p{N}\\p{P}\\p{Z}]+$" + }, + "CompanyWebsiteUrl":{ + "type":"string", + "max":255, + "min":4, + "pattern":"^((http|https)://)??(www[.])??([a-zA-Z0-9]|-)+?([.][a-zA-Z0-9(-|/|=|?)??]+?)+?$", + "sensitive":true + }, + "CompetitorName":{ + "type":"string", + "enum":[ + "Oracle Cloud", + "On-Prem", + "Co-location", + "Akamai", + "AliCloud", + "Google Cloud Platform", + "IBM Softlayer", + "Microsoft Azure", + "Other- Cost Optimization", + "No Competition", + "*Other" + ] + }, + "ConflictException":{ + "type":"structure", + "members":{ + "Message":{"shape":"String"} + }, + "documentation":"This error occurs when the request can’t be processed due to a conflict with the target resource's current state, which could result from updating or deleting the resource.
Suggested action: Fetch the latest state of the resource, verify the state, and retry the request.
", + "exception":true + }, + "Contact":{ + "type":"structure", + "members":{ + "BusinessTitle":{ + "shape":"JobTitle", + "documentation":"The partner contact's title (job title or role) associated with the Opportunity.
The contact's email address associated with the Opportunity.
The contact's first name associated with the Opportunity.
The contact's last name associated with the Opportunity.
The contact's phone number associated with the Opportunity.
An object that contains a Customer Partner's contact details.
Specifies the catalog associated with the request. This field takes a string value from a predefined list: AWS or Sandbox. The catalog determines which environment the opportunity is created in. Use AWS to create opportunities in the Amazon Web Services catalog, and Sandbox to test in a secure and isolated environment.
Required to be unique, and should be unchanging, it can be randomly generated or a meaningful string.
Default: None
Best practice: To ensure uniqueness and avoid collisions, we recommend you use a UUID (Universally Unique Identifier) as the ClientToken. You can use standard libraries available in most programming languages to generated this. If you use the same client token, the API throws this error: \"Conflicting client token submitted for a new request body\".
Specifies customer details associated with the Opportunity.
An object that contains lifecycle details for the Opportunity.
This object contains marketing details and is optional for an opportunity.
" + }, + "NationalSecurity":{ + "shape":"NationalSecurity", + "documentation":"Indicates whether the Opportunity pertains to a national security project. This field must be set to true only when the customer's industry is Government. Additional privacy and security measures apply during the review and management process for opportunities marked as NationalSecurity.
Represents the internal team handling the opportunity. Specify the members involved in collaborating on this opportunity within the partner's organization.
" + }, + "OpportunityType":{ + "shape":"OpportunityType", + "documentation":"Specifies the opportunity type as a renewal, new, or expansion.
Opportunity types:
New opportunity: Represents a new business opportunity with a potential customer that's not previously engaged with your solutions or services.
Renewal opportunity: Represents an opportunity to renew an existing contract or subscription with a current customer, ensuring continuity of service.
Expansion opportunity: Represents an opportunity to expand the scope of an existing contract or subscription, either by adding new services or increasing the volume of existing services for a current customer.
Specifies the origin of the opportunity, indicating if it was sourced from Amazon Web Services or the partner. For all opportunities created with Catalog: AWS, this field must only be Partner Referral. However, when using Catalog: Sandbox, you can set this field to AWS Referral to simulate Amazon Web Services referral creation. This allows Amazon Web Services-originated flows testing in the sandbox catalog.
Specifies the opportunity's unique identifier in the partner's CRM system. This value is essential to track and reconcile because it's included in the outbound payload sent back to the partner.
This field allows partners to link an opportunity to their CRM, to ensure seamless integration and accurate synchronization between the Partner Central API and the partner's internal systems.
" + }, + "PrimaryNeedsFromAws":{ + "shape":"PrimaryNeedsFromAws", + "documentation":"Identifies the type of support the partner needs from Amazon Web Services.
Valid values:
Co-Sell - Architectural Validation: Confirmation from Amazon Web Services that the partner's proposed solution architecture is aligned with Amazon Web Services best practices and poses minimal architectural risks.
Co-Sell - Business Presentation: Request Amazon Web Services seller's participation in a joint customer presentation.
Co-Sell - Competitive Information: Access to Amazon Web Services competitive resources and support for the partner's proposed solution.
Co-Sell - Pricing Assistance: Connect with an Amazon Web Services seller for support situations where a partner may be receiving an upfront discount on a service (for example: EDP deals).
Co-Sell - Technical Consultation: Connect with an Amazon Web Services Solutions Architect to address the partner's questions about the proposed solution.
Co-Sell - Total Cost of Ownership Evaluation: Assistance with quoting different cost savings of proposed solutions on Amazon Web Services versus on-premises or a traditional hosting environment.
Co-Sell - Deal Support: Request Amazon Web Services seller's support to progress the opportunity (for example: joint customer call, strategic positioning).
Co-Sell - Support for Public Tender / RFx: Opportunity related to the public sector where the partner needs Amazon Web Services RFx support.
Do Not Need Support from AWS Sales Rep: Indicates that a partner doesn't need support from an Amazon Web Services sales representative, and the partner solely manages the opportunity. It's possible to request co-selling support on these opportunities at any stage during their lifecycle. Also known as, for-visibility-only (FVO) opportunity.
An object that contains project details for the Opportunity.
Specifies details of a customer's procurement terms. Required only for partners in eligible programs.
" + } + } + }, + "CreateOpportunityRequestClientTokenString":{ + "type":"string", + "min":1 + }, + "CreateOpportunityRequestPartnerOpportunityIdentifierString":{ + "type":"string", + "max":64, + "min":0 + }, + "CreateOpportunityResponse":{ + "type":"structure", + "required":["Id"], + "members":{ + "Id":{ + "shape":"OpportunityIdentifier", + "documentation":" Read-only, system-generated Opportunity unique identifier. Amazon Web Services creates this identifier, and it's used for all subsequent actions on the opportunity, such as updates, associations, and submissions. It ensures that each opportunity can be accurately tracked and managed within the system.
DateTime when the opportunity was last modified. When the Opportunity is created, its value is equal to CreatedDate.
Specifies the opportunity's unique identifier in the partner's CRM system. This value is essential to track and reconcile because it's included in the outbound payload sent back to the partner.
" + } + } + }, + "CurrencyCode":{ + "type":"string", + "enum":[ + "USD", + "EUR", + "GBP", + "AUD", + "CAD", + "CNY", + "NZD", + "INR", + "JPY", + "CHF", + "SEK", + "AED", + "AFN", + "ALL", + "AMD", + "ANG", + "AOA", + "ARS", + "AWG", + "AZN", + "BAM", + "BBD", + "BDT", + "BGN", + "BHD", + "BIF", + "BMD", + "BND", + "BOB", + "BOV", + "BRL", + "BSD", + "BTN", + "BWP", + "BYN", + "BZD", + "CDF", + "CHE", + "CHW", + "CLF", + "CLP", + "COP", + "COU", + "CRC", + "CUC", + "CUP", + "CVE", + "CZK", + "DJF", + "DKK", + "DOP", + "DZD", + "EGP", + "ERN", + "ETB", + "FJD", + "FKP", + "GEL", + "GHS", + "GIP", + "GMD", + "GNF", + "GTQ", + "GYD", + "HKD", + "HNL", + "HRK", + "HTG", + "HUF", + "IDR", + "ILS", + "IQD", + "IRR", + "ISK", + "JMD", + "JOD", + "KES", + "KGS", + "KHR", + "KMF", + "KPW", + "KRW", + "KWD", + "KYD", + "KZT", + "LAK", + "LBP", + "LKR", + "LRD", + "LSL", + "LYD", + "MAD", + "MDL", + "MGA", + "MKD", + "MMK", + "MNT", + "MOP", + "MRU", + "MUR", + "MVR", + "MWK", + "MXN", + "MXV", + "MYR", + "MZN", + "NAD", + "NGN", + "NIO", + "NOK", + "NPR", + "OMR", + "PAB", + "PEN", + "PGK", + "PHP", + "PKR", + "PLN", + "PYG", + "QAR", + "RON", + "RSD", + "RUB", + "RWF", + "SAR", + "SBD", + "SCR", + "SDG", + "SGD", + "SHP", + "SLL", + "SOS", + "SRD", + "SSP", + "STN", + "SVC", + "SYP", + "SZL", + "THB", + "TJS", + "TMT", + "TND", + "TOP", + "TRY", + "TTD", + "TWD", + "TZS", + "UAH", + "UGX", + "USN", + "UYI", + "UYU", + "UZS", + "VEF", + "VND", + "VUV", + "WST", + "XAF", + "XCD", + "XDR", + "XOF", + "XPF", + "XSU", + "XUA", + "YER", + "ZAR", + "ZMW", + "ZWL" + ] + }, + "Customer":{ + "type":"structure", + "members":{ + "Account":{ + "shape":"Account", + "documentation":"An object that contains the customer's account details.
" + }, + "Contacts":{ + "shape":"CustomerContactsList", + "documentation":"Represents the contact details for individuals associated with the customer of the Opportunity. This field captures relevant contacts, including decision-makers, influencers, and technical stakeholders within the customer organization. These contacts are key to progressing the opportunity.
An object that contains the customer's Account and Contact.
An object that contains a customer's account details.
" + } + }, + "documentation":"An object that contains a Customer object's subset of fields.
Specifies the catalog associated with the request. This field takes a string value from a predefined list: AWS or Sandbox. The catalog determines which environment the opportunity disassociation is made in. Use AWS to disassociate opportunities in the Amazon Web Services catalog, and Sandbox to test in a secure and isolated environment.
The opportunity's unique identifier for when you want to disassociate it from related entities. This identifier is crucial to ensure the correct opportunity is updated, especially in environments with numerous opportunities.
Validation: Ensure that the identifier provided corresponds to an existing opportunity in the Amazon Web Services system because incorrect identifiers result in an error and no changes are made.
" + }, + "RelatedEntityIdentifier":{ + "shape":"DisassociateOpportunityRequestRelatedEntityIdentifierString", + "documentation":"The related entity's identifier that you want to disassociate from the opportunity. Depending on the type of entity, this could be a simple identifier or an Amazon Resource Name (ARN) for entities managed through Amazon Web Services Marketplace.
For Amazon Web Services Marketplace entities, use the Amazon Web Services Marketplace API to obtain the necessary ARNs. For guidance on retrieving these ARNs, refer to Amazon Web Services Marketplace Catalog API .
Validation: Ensure the identifier or ARN is valid and corresponds to an existing related entity. An incorrect or invalid identifier results in an error.
" + }, + "RelatedEntityType":{ + "shape":"RelatedEntityType", + "documentation":"The type of the entity that you're disassociating from the opportunity. When you specify the entity type, it helps the system correctly process the disassociation request and ensures that the right connections are removed.
Examples of entity types include Partner Solution, Amazon Web Services product, and Amazon Web Services Marketplace offer. Ensure that the value matches one of the expected entity types.
Validation: Provide a valid entity type to ensure successful disassociation. Invalid or incorrect entity types result in an error.
" + } + } + }, + "DisassociateOpportunityRequestRelatedEntityIdentifierString":{ + "type":"string", + "max":255, + "min":1 + }, + "DunsNumber":{ + "type":"string", + "pattern":"^[0-9]{9}$", + "sensitive":true + }, + "Email":{ + "type":"string", + "max":80, + "min":0, + "pattern":"^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", + "sensitive":true + }, + "EngagementCustomer":{ + "type":"structure", + "required":[ + "CompanyName", + "CountryCode", + "Industry", + "WebsiteUrl" + ], + "members":{ + "CompanyName":{ + "shape":"CompanyName", + "documentation":"Represents the name of the customer’s company associated with the Engagement Invitation. This field is used to identify the customer.
" + }, + "CountryCode":{ + "shape":"CountryCode", + "documentation":"Indicates the country in which the customer’s company operates. This field is useful for understanding regional requirements or compliance needs.
" + }, + "Industry":{ + "shape":"Industry", + "documentation":"Specifies the industry to which the customer’s company belongs. This field helps categorize the opportunity based on the customer’s business sector.
" + }, + "WebsiteUrl":{ + "shape":"CompanyWebsiteUrl", + "documentation":"Provides the website URL of the customer’s company. This field helps partners verify the legitimacy and size of the customer organization.
" + } + }, + "documentation":"Contains details about the customer associated with the Engagement Invitation, including key company information and industry.
" + }, + "EngagementCustomerBusinessProblem":{ + "type":"string", + "max":255, + "min":20, + "sensitive":true + }, + "EngagementInvitationArnOrIdentifier":{ + "type":"string", + "max":255, + "min":1, + "pattern":"^(arn:.*|engi-[0-9a-z]{13})$" + }, + "EngagementInvitationIdentifier":{ + "type":"string", + "pattern":"^engi-[0-9,a-z]{13}$" + }, + "EngagementInvitationPayloadType":{ + "type":"string", + "enum":["OpportunityInvitation"] + }, + "EngagementInvitationSummaries":{ + "type":"list", + "member":{"shape":"EngagementInvitationSummary"} + }, + "EngagementInvitationSummary":{ + "type":"structure", + "required":[ + "Catalog", + "Id" + ], + "members":{ + "Arn":{ + "shape":"String", + "documentation":"The Amazon Resource Name (ARN) of the Engagement Invitation. The ARN is a unique identifier that allows partners to reference the invitation in their system and manage its lifecycle.
" + }, + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":"Specifies the catalog in which the Engagement Invitation resides. This can be either the AWS or Sandbox catalog, indicating whether the opportunity is live or being tested.
Provides a short title or description of the Engagement Invitation. This title helps partners quickly identify and differentiate between multiple engagement opportunities.
" + }, + "ExpirationDate":{ + "shape":"DateTime", + "documentation":"Indicates the date and time when the Engagement Invitation will expire. After this date, the invitation can no longer be accepted, and the opportunity will no longer be available for the partner to engage.
" + }, + "Id":{ + "shape":"EngagementInvitationArnOrIdentifier", + "documentation":"Represents the unique identifier of the Engagement Invitation. This identifier is used to track the invitation and to manage responses like acceptance or rejection.
" + }, + "InvitationDate":{ + "shape":"DateTime", + "documentation":"Indicates the date when the Engagement Invitation was sent to the partner. This provides context for when the opportunity was shared and helps in tracking the timeline for engagement.
" + }, + "PayloadType":{ + "shape":"EngagementInvitationPayloadType", + "documentation":"Describes the type of payload associated with the Engagement Invitation, such as Opportunity or MarketplaceOffer. This helps partners understand the nature of the engagement request from AWS.
Specifies the partner company or individual that received the Engagement Invitation. This field is important for tracking who the invitation was sent to within the partner organization.
" + }, + "SenderAwsAccountId":{ + "shape":"AwsAccountIdOrLabel", + "documentation":"Specifies the AWS account ID of the sender who initiated the Engagement Invitation. This allows the partner to identify the AWS entity or representative responsible for sharing the opportunity.
" + }, + "SenderCompanyName":{ + "shape":"EngagementInvitationSummarySenderCompanyNameString", + "documentation":"Indicates the name of the company or AWS division that sent the Engagement Invitation. This information is useful for partners to know which part of AWS is requesting engagement.
" + }, + "Status":{ + "shape":"InvitationStatus", + "documentation":"Represents the current status of the Engagement Invitation, such as Pending, Accepted, or Rejected. The status helps track the progress and response to the invitation.
Provides a summarized view of the Engagement Invitation, including key details like the identifier, status, and sender information. This summary helps partners track and manage AWS-originated opportunities.
" + }, + "EngagementInvitationSummarySenderCompanyNameString":{ + "type":"string", + "max":120, + "min":0 + }, + "EngagementInvitationsPayloadType":{ + "type":"list", + "member":{"shape":"EngagementInvitationPayloadType"} + }, + "EngagementScore":{ + "type":"string", + "enum":[ + "High", + "Medium", + "Low" + ] + }, + "EngagementTitle":{ + "type":"string", + "max":40, + "min":1 + }, + "ExpectedCustomerSpend":{ + "type":"structure", + "required":[ + "Amount", + "CurrencyCode", + "Frequency", + "TargetCompany" + ], + "members":{ + "Amount":{ + "shape":"ExpectedCustomerSpendAmountString", + "documentation":"Represents the estimated monthly revenue that the partner expects to earn from the opportunity. This helps in forecasting financial returns.
" + }, + "CurrencyCode":{ + "shape":"ExpectedCustomerSpendCurrencyCodeEnum", + "documentation":"Indicates the currency in which the revenue estimate is provided. This helps in understanding the financial impact across different markets.
" + }, + "Frequency":{ + "shape":"PaymentFrequency", + "documentation":"Indicates how frequently the customer is expected to spend the projected amount. This can include values such as Monthly, Quarterly, or Annually. The default value is Monthly, representing recurring monthly spend.
Specifies the name of the partner company that is expected to generate revenue from the opportunity. This field helps track the partner’s involvement in the opportunity.
" + } + }, + "documentation":"Provides an estimate of the revenue that the partner is expected to generate from the opportunity. This information helps partners assess the financial value of the project.
" + }, + "ExpectedCustomerSpendAmountString":{ + "type":"string", + "pattern":"^(0|([1-9][0-9]{0,30}))(\\.[0-9]{0,2})?$" + }, + "ExpectedCustomerSpendCurrencyCodeEnum":{ + "type":"string", + "enum":[ + "USD", + "EUR", + "GBP", + "AUD", + "CAD", + "CNY", + "NZD", + "INR", + "JPY", + "CHF", + "SEK", + "AED", + "AFN", + "ALL", + "AMD", + "ANG", + "AOA", + "ARS", + "AWG", + "AZN", + "BAM", + "BBD", + "BDT", + "BGN", + "BHD", + "BIF", + "BMD", + "BND", + "BOB", + "BOV", + "BRL", + "BSD", + "BTN", + "BWP", + "BYN", + "BZD", + "CDF", + "CHE", + "CHW", + "CLF", + "CLP", + "COP", + "COU", + "CRC", + "CUC", + "CUP", + "CVE", + "CZK", + "DJF", + "DKK", + "DOP", + "DZD", + "EGP", + "ERN", + "ETB", + "FJD", + "FKP", + "GEL", + "GHS", + "GIP", + "GMD", + "GNF", + "GTQ", + "GYD", + "HKD", + "HNL", + "HRK", + "HTG", + "HUF", + "IDR", + "ILS", + "IQD", + "IRR", + "ISK", + "JMD", + "JOD", + "KES", + "KGS", + "KHR", + "KMF", + "KPW", + "KRW", + "KWD", + "KYD", + "KZT", + "LAK", + "LBP", + "LKR", + "LRD", + "LSL", + "LYD", + "MAD", + "MDL", + "MGA", + "MKD", + "MMK", + "MNT", + "MOP", + "MRU", + "MUR", + "MVR", + "MWK", + "MXN", + "MXV", + "MYR", + "MZN", + "NAD", + "NGN", + "NIO", + "NOK", + "NPR", + "OMR", + "PAB", + "PEN", + "PGK", + "PHP", + "PKR", + "PLN", + "PYG", + "QAR", + "RON", + "RSD", + "RUB", + "RWF", + "SAR", + "SBD", + "SCR", + "SDG", + "SGD", + "SHP", + "SLL", + "SOS", + "SRD", + "SSP", + "STN", + "SVC", + "SYP", + "SZL", + "THB", + "TJS", + "TMT", + "TND", + "TOP", + "TRY", + "TTD", + "TWD", + "TZS", + "UAH", + "UGX", + "USN", + "UYI", + "UYU", + "UZS", + "VEF", + "VND", + "VUV", + "WST", + "XAF", + "XCD", + "XDR", + "XOF", + "XPF", + "XSU", + "XUA", + "YER", + "ZAR", + "ZMW", + "ZWL" + ], + "pattern":"^USD$" + }, + "ExpectedCustomerSpendList":{ + "type":"list", + "member":{"shape":"ExpectedCustomerSpend"}, + "min":1 + }, + "ExpectedCustomerSpendTargetCompanyString":{ + "type":"string", + "max":80, + "min":1 + }, + "GetAwsOpportunitySummaryRequest":{ + "type":"structure", + "required":[ + "Catalog", + "RelatedOpportunityIdentifier" + ], + "members":{ + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":" Specifies the catalog in which the AWS Opportunity is located. Accepted values include AWS for production opportunities or Sandbox for testing purposes. The catalog determines which environment the opportunity data is pulled from.
The unique identifier for the related partner opportunity. Use this field to correlate an AWS opportunity with its corresponding partner opportunity in your CRM system.
" + } + } + }, + "GetAwsOpportunitySummaryResponse":{ + "type":"structure", + "required":["Catalog"], + "members":{ + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":" Specifies the catalog in which the AWS Opportunity exists. This is the environment (e.g., AWS or Sandbox) where the opportunity is being managed.
Provides details about the customer associated with the AWS Opportunity, including account information, industry, and other key customer data. These details help partners understand the business context of the opportunity.
" + }, + "Insights":{ + "shape":"AwsOpportunityInsights", + "documentation":"Provides insights into the AWS Opportunity, including engagement score and recommended actions that AWS suggests for the partner.
" + }, + "InvolvementType":{ + "shape":"SalesInvolvementType", + "documentation":"Specifies the type of involvement AWS has in the opportunity, such as direct co-sell or advisory support. This field helps partners understand the role AWS will play in advancing the opportunity.
" + }, + "InvolvementTypeChangeReason":{ + "shape":"InvolvementTypeChangeReason", + "documentation":" Provides a reason for any changes in the involvement type of AWS in the opportunity. This field is used to track why the level of AWS engagement has changed from For Visibility Only to Co-sell offering transparency into the partnership dynamics.
Contains lifecycle information for the AWS Opportunity, including review status, stage, and target close date. This field is crucial for partners to monitor the progression of the opportunity.
" + }, + "OpportunityTeam":{ + "shape":"AwsOpportunityTeamMembersList", + "documentation":"Details the AWS Opportunity team, including key members involved in the opportunity. This information helps partners know who from AWS is engaged and their roles in the opportunity.
" + }, + "Origin":{ + "shape":"OpportunityOrigin", + "documentation":"Specifies whether the AWS Opportunity originated from AWS or the partner. This helps distinguish between opportunities that were sourced by AWS and those referred by the partner.
" + }, + "Project":{ + "shape":"AwsOpportunityProject", + "documentation":"Provides details about the project associated with the AWS Opportunity, including the customer’s business problem, expected outcomes, and project scope. This information is crucial for understanding the broader context of the opportunity.
" + }, + "RelatedEntityIds":{ + "shape":"AwsOpportunityRelatedEntities", + "documentation":"Lists related entity identifiers, such as AWS products or partner solutions, associated with the AWS Opportunity. These identifiers provide additional context and help partners understand which AWS services are involved.
" + }, + "RelatedOpportunityId":{ + "shape":"OpportunityIdentifier", + "documentation":"Provides the unique identifier of the related partner opportunity, allowing partners to link the AWS Opportunity to their corresponding opportunity in their CRM system.
" + }, + "Visibility":{ + "shape":"Visibility", + "documentation":" Defines the visibility level for the AWS Opportunity. Use Full visibility for most cases, while Limited visibility is reserved for special programs or sensitive opportunities.
Specifies the catalog associated with the request. The field accepts values from the predefined set: AWS for live operations or Sandbox for testing environments.
Specifies the unique identifier for the engagement invitation being retrieved.
" + } + } + }, + "GetEngagementInvitationResponse":{ + "type":"structure", + "required":[ + "Catalog", + "Id" + ], + "members":{ + "Arn":{ + "shape":"String", + "documentation":"The Amazon Resource Name (ARN) that uniquely identifies the engagement invitation.
" + }, + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":"Indicates the catalog from which the engagement invitation details are retrieved. This field helps in identifying the appropriate catalog (e.g., AWS or Sandbox) used in the request.
The title of the engagement invitation, summarizing the purpose or key objectives of the opportunity shared by AWS.
" + }, + "ExpirationDate":{ + "shape":"DateTime", + "documentation":"Indicates the date on which the engagement invitation will expire if not accepted by the partner.
" + }, + "Id":{ + "shape":"EngagementInvitationArnOrIdentifier", + "documentation":"Unique identifier assigned to the engagement invitation being retrieved.
" + }, + "InvitationDate":{ + "shape":"DateTime", + "documentation":"The date when the engagement invitation was sent to the partner.
" + }, + "Payload":{ + "shape":"Payload", + "documentation":"Details of the engagement invitation payload, including specific data relevant to the invitation's contents, such as customer information and opportunity insights.
" + }, + "PayloadType":{ + "shape":"EngagementInvitationPayloadType", + "documentation":"The type of payload contained in the engagement invitation, indicating what data or context the payload covers.
" + }, + "Receiver":{ + "shape":"Receiver", + "documentation":"Information about the partner organization or team that received the engagement invitation, including contact details and identifiers.
" + }, + "RejectionReason":{ + "shape":"RejectionReasonString", + "documentation":"If the engagement invitation was rejected, this field specifies the reason provided by the partner for the rejection.
" + }, + "SenderAwsAccountId":{ + "shape":"AwsAccountIdOrLabel", + "documentation":"Specifies the AWS Account ID of the sender, which identifies the AWS team responsible for sharing the engagement invitation.
" + }, + "SenderCompanyName":{ + "shape":"GetEngagementInvitationResponseSenderCompanyNameString", + "documentation":"The name of the AWS organization or team that sent the engagement invitation.
" + }, + "Status":{ + "shape":"InvitationStatus", + "documentation":"The current status of the engagement invitation (e.g., Accepted, Pending, or Rejected).
Specifies the catalog associated with the request. This field takes a string value from a predefined list: AWS or Sandbox. The catalog determines which environment the opportunity is fetched from. Use AWS to retrieve opportunities in the Amazon Web Services catalog, and Sandbox to retrieve opportunities in a secure and isolated testing environment.
Read-only, system generated Opportunity unique identifier.
Specifies the catalog associated with the request. This field takes a string value from a predefined list: AWS or Sandbox. The catalog determines which environment the opportunity information is retrieved from. Use AWS to retrieve opportunities in the Amazon Web Services catalog, and Sandbox to retrieve opportunities in a secure and isolated testing environment.
DateTime when the Opportunity was last created.
Specifies details of the customer associated with the Opportunity.
Read-only, system generated Opportunity unique identifier.
DateTime when the opportunity was last modified.
An object that contains lifecycle details for the Opportunity.
An object that contains marketing details for the Opportunity.
Indicates whether the Opportunity pertains to a national security project. This field must be set to true only when the customer's industry is Government. Additional privacy and security measures apply during the review and management process for opportunities marked as NationalSecurity.
Represents the internal team handling the opportunity. Specify the members involved in collaborating on this opportunity within the partner's organization.
" + }, + "OpportunityType":{ + "shape":"OpportunityType", + "documentation":"Specifies the opportunity type as renewal, new, or expansion.
Opportunity types:
New opportunity: Represents a new business opportunity with a potential customer that's not previously engaged with your solutions or services.
Renewal opportunity: Represents an opportunity to renew an existing contract or subscription with a current customer, ensuring continuity of service.
Expansion opportunity: Represents an opportunity to expand the scope of an existing contract or subscription, either by adding new services or increasing the volume of existing services for a current customer.
Specifies the opportunity's unique identifier in the partner's CRM system. This value is essential to track and reconcile because it's included in the outbound payload sent back to the partner.
" + }, + "PrimaryNeedsFromAws":{ + "shape":"PrimaryNeedsFromAws", + "documentation":"Identifies the type of support the partner needs from Amazon Web Services.
Valid values:
Co-Sell - Architectural Validation: Confirmation from Amazon Web Services that the partner's proposed solution architecture is aligned with Amazon Web Services best practices and poses minimal architectural risks.
Co-Sell - Business Presentation: Request Amazon Web Services seller's participation in a joint customer presentation.
Co-Sell - Competitive Information: Access to Amazon Web Services competitive resources and support for the partner's proposed solution.
Co-Sell - Pricing Assistance: Connect with an Amazon Web Services seller for support situations where a partner may be receiving an upfront discount on a service (for example: EDP deals).
Co-Sell - Technical Consultation: Connect with an Amazon Web Services Solutions Architect to address the partner's questions about the proposed solution.
Co-Sell - Total Cost of Ownership Evaluation: Assistance with quoting different cost savings of proposed solutions on Amazon Web Services versus on-premises or a traditional hosting environment.
Co-Sell - Deal Support: Request Amazon Web Services seller's support to progress the opportunity (for example: joint customer call, strategic positioning).
Co-Sell - Support for Public Tender / RFx: Opportunity related to the public sector where the partner needs Amazon Web Services RFx support.
Do Not Need Support from Amazon Web Services Sales Rep: Indicates that a partner doesn't need support from an Amazon Web Services sales representative, and the partner solely manages the opportunity. It's possible to request co-selling support on these opportunities at any stage during their lifecycle. Also known as, for-visibility-only (FVO) opportunity.
An object that contains project details summary for the Opportunity.
Provides information about the associations of other entities with the opportunity. These entities include identifiers for AWSProducts, Partner Solutions, and AWSMarketplaceOffers.
Specifies details of a customer's procurement terms. Required only for partners in eligible programs.
" + } + } + }, + "GetOpportunityResponsePartnerOpportunityIdentifierString":{ + "type":"string", + "max":64, + "min":0 + }, + "Industry":{ + "type":"string", + "enum":[ + "Aerospace", + "Agriculture", + "Automotive", + "Computers and Electronics", + "Consumer Goods", + "Education", + "Energy - Oil and Gas", + "Energy - Power and Utilities", + "Financial Services", + "Gaming", + "Government", + "Healthcare", + "Hospitality", + "Life Sciences", + "Manufacturing", + "Marketing and Advertising", + "Media and Entertainment", + "Mining", + "Non-Profit Organization", + "Professional Services", + "Real Estate and Construction", + "Retail", + "Software and Internet", + "Telecommunications", + "Transportation and Logistics", + "Travel", + "Wholesale and Distribution", + "Other" + ] + }, + "InternalServerException":{ + "type":"structure", + "members":{ + "Message":{"shape":"String"} + }, + "documentation":"This error occurs when the specified resource can’t be found or doesn't exist. Resource ID and type might be incorrect.
Suggested action: This is usually a transient error. Retry after the provided retry delay or a short interval. If the problem persists, contact AWS support.
", + "exception":true, + "fault":true + }, + "InvitationStatus":{ + "type":"string", + "enum":[ + "ACCEPTED", + "PENDING", + "REJECTED", + "EXPIRED" + ] + }, + "InvolvementTypeChangeReason":{ + "type":"string", + "enum":[ + "Expansion Opportunity", + "Change in Deal Information", + "Customer Requested", + "Technical Complexity", + "Risk Mitigation" + ] + }, + "JobTitle":{ + "type":"string", + "max":80, + "min":0, + "sensitive":true + }, + "LastModifiedDate":{ + "type":"structure", + "members":{ + "AfterLastModifiedDate":{ + "shape":"DateTime", + "documentation":"Specifies the date after which the opportunities were modified. Use this filter to retrieve only those opportunities that were modified after a given timestamp.
" + }, + "BeforeLastModifiedDate":{ + "shape":"DateTime", + "documentation":"Specifies the date before which the opportunities were modified. Use this filter to retrieve only those opportunities that were modified before a given timestamp.
" + } + }, + "documentation":"Defines a filter to retrieve opportunities based on the last modified date. This filter is useful for tracking changes or updates to opportunities over time.
" + }, + "LifeCycle":{ + "type":"structure", + "members":{ + "ClosedLostReason":{ + "shape":"ClosedLostReason", + "documentation":" Specifies the reason code when an opportunity is marked as Closed Lost. When you select an appropriate reason code, you communicate the context for closing the Opportunity, and aid in accurate reports and analysis of opportunity outcomes. The possible values are:
Customer Deficiency: The customer lacked necessary resources or capabilities.
Delay/Cancellation of Project: The project was delayed or canceled.
Legal/Tax/Regulatory: Legal, tax, or regulatory issues prevented progress.
Lost to Competitor - Google: The opportunity was lost to Google.
Lost to Competitor - Microsoft: The opportunity was lost to Microsoft.
Lost to Competitor - SoftLayer: The opportunity was lost to SoftLayer.
Lost to Competitor - VMWare: The opportunity was lost to VMWare.
Lost to Competitor - Other: The opportunity was lost to a competitor not listed above.
No Opportunity: There was no opportunity to pursue.
On Premises Deployment: The customer chose an on-premises solution.
Partner Gap: The partner lacked necessary resources or capabilities.
Price: The price was not competitive or acceptable to the customer.
Security/Compliance: Security or compliance issues prevented progress.
Technical Limitations: Technical limitations prevented progress.
Customer Experience: Issues related to the customer's experience impacted the decision.
Other: Any reason not covered by the other values.
People/Relationship/Governance: Issues related to people, relationships, or governance.
Product/Technology: Issues related to the product or technology.
Financial/Commercial: Financial or commercial issues impacted the decision.
Specifies the upcoming actions or tasks for the Opportunity. This field is utilized to communicate to Amazon Web Services the next actions required for the Opportunity.
Captures a chronological record of the next steps or actions planned or taken for the current opportunity, along with the timestamp.
" + }, + "ReviewComments":{ + "shape":"String", + "documentation":"Indicates why an opportuntiy was sent back for further details. Partners must take corrective action based on the ReviewComments.
Indicates the review status of an opportunity referred by a partner. This field is read-only and only applicable for partner referrals. The possible values are:
Pending Submission: Not submitted for validation (editable).
Submitted: Submitted for validation, and Amazon Web Services hasn't reviewed it (read-only).
In Review: Amazon Web Services is validating (read-only).
Action Required: Issues that Amazon Web Services highlights need to be addressed. Partners should use the UpdateOpportunity API action to update the opportunity, and ensure all required changes are made. Only these fields are editable when the Lifecycle.ReviewStatus is Action Required:
Customer.Account.Address.City
Customer.Account.Address.CountryCode
Customer.Account.Address.PostalCode
Customer.Account.Address.StateOrRegion
Customer.Account.Address.StreetAddress
Customer.Account.WebsiteUrl
LifeCycle.TargetCloseDate
Project.ExpectedMonthlyAWSRevenue.Amount
Project.ExpectedMonthlyAWSRevenue.CurrencyCode
Project.CustomerBusinessProblem
PartnerOpportunityIdentifier
After updates, the opportunity re-enters the validation phase. This process repeats until all issues are resolved, and the opportunity's Lifecycle.ReviewStatus is set to Approved or Rejected.
Approved: Validated and converted into the Amazon Web Services seller's pipeline (editable).
Rejected: Disqualified (read-only).
Indicates the reason a decision was made during the opportunity review process. This field combines the reasons for both disqualified and action required statuses, and provide clarity for why an opportunity was disqualified or requires further action.
" + }, + "Stage":{ + "shape":"Stage", + "documentation":" Specifies the current stage of the Opportunity's lifecycle as it maps to Amazon Web Services stages from the current stage in the partner CRM. This field provides a translated value of the stage, and offers insight into the Opportunity's progression in the sales cycle, according to Amazon Web Services definitions.
A lead and a prospect must be further matured to a Qualified opportunity before submission. Opportunities that were closed/lost before submission aren't suitable for submission.
The descriptions of each sales stage are:
Prospect: Amazon Web Services identifies the opportunity. It can be active (Comes directly from the end customer through a lead) or latent (Your account team believes it exists based on research, account plans, sales plays).
Qualified: Your account team engaged with the prospect/end customer to discuss viability and understand requirements. The prospect/end customer agreed that the opportunity is real, of interest, and may solve key business/technical needs.
Technical Validation: All parties understand the implementation plan.
Business Validation: Pricing was proposed, and all parties agree to the steps to close.
Committed: The customer signed the contract, but Amazon Web Services hasn't started billing.
Launched: The workload is complete, and Amazon Web Services has started billing.
Closed Lost: The opportunity is lost, and there are no steps to move forward.
Specifies the date when Amazon Web Services expects to start significant billing, when the project finishes, and when it moves into production. This field informs the Amazon Web Services seller about when the opportunity launches and starts to incur Amazon Web Services usage.
Ensure the Target Close Date isn't in the past.
An object that contains the Opportunity lifecycle's details.
Specifies the reason code when an opportunity is marked as Closed Lost. When you select an appropriate reason code, you communicate the context for closing the Opportunity, and aid in accurate reports and analysis of opportunity outcomes.
Specifies the upcoming actions or tasks for the Opportunity. This field is utilized to communicate to Amazon Web Services the next actions required for the Opportunity.
Indicates why an opportuntiy was sent back for further details. Partners must take corrective action based on the ReviewComments.
Indicates the review status of a partner referred opportunity. This field is read-only and only applicable for partner referrals. Valid values:
Pending Submission: Not submitted for validation (editable).
Submitted: Submitted for validation and not yet Amazon Web Services reviewed (read-only).
In Review: Undergoing Amazon Web Services validation (read-only).
Action Required: Address any issues Amazon Web Services highlights. Use the UpdateOpportunity API action to update the opportunity, and ensure you make all required changes. Only these fields are editable when the Lifecycle.ReviewStatus is Action Required:
Customer.Account.Address.City
Customer.Account.Address.CountryCode
Customer.Account.Address.PostalCode
Customer.Account.Address.StateOrRegion
Customer.Account.Address.StreetAddress
Customer.Account.WebsiteUrl
LifeCycle.TargetCloseDate
Project.ExpectedCustomerSpend.Amount
Project.ExpectedCustomerSpend.CurrencyCode
Project.CustomerBusinessProblem
PartnerOpportunityIdentifier
After updates, the opportunity re-enters the validation phase. This process repeats until all issues are resolved, and the opportunity's Lifecycle.ReviewStatus is set to Approved or Rejected.
Approved: Validated and converted into the Amazon Web Services seller's pipeline (editable).
Rejected: Disqualified (read-only).
Indicates the reason a specific decision was taken during the opportunity review process. This field combines the reasons for both disqualified and action required statuses, and provides clarity for why an opportunity was disqualified or required further action.
" + }, + "Stage":{ + "shape":"Stage", + "documentation":" Specifies the current stage of the Opportunity's lifecycle as it maps to Amazon Web Services stages from the current stage in the partner CRM. This field provides a translated value of the stage, and offers insight into the Opportunity's progression in the sales cycle, according to Amazon Web Services definitions.
A lead and a prospect must be further matured to a Qualified opportunity before submission. Opportunities that were closed/lost before submission aren't suitable for submission.
The descriptions of each sales stage are:
Prospect: Amazon Web Services identifies the opportunity. It can be active (Comes directly from the end customer through a lead) or latent (Your account team believes it exists based on research, account plans, sales plays).
Qualified: Your account team engaged with the prospect/end customer to discuss viability and understand requirements. The prospect/end customer agreed that the opportunity is real, of interest, and may solve key business/technical needs.
Technical Validation: All parties understand the implementation plan.
Business Validation: Pricing has been proposed, Pricing was proposed, and all parties agree to the steps to close.
Committed: The customer signed the contract, but Amazon Web Services hasn't started billing.
Launched: The workload is complete, and Amazon Web Services has started billing.
Closed Lost: The opportunity is lost, and there are no steps to move forward.
Specifies the date when Amazon Web Services expects to start significant billing, when the project finishes, and when it moves into production. This field informs the Amazon Web Services seller about when the opportunity launches and starts to incur Amazon Web Services usage.
Ensure the Target Close Date isn't in the past.
An object that contains a LifeCycle object's subset of fields.
Specifies the catalog from which to list the engagement invitations. Use AWS for production invitations or Sandbox for testing environments.
Specifies the maximum number of engagement invitations to return in the response. If more results are available, a pagination token will be provided.
" + }, + "NextToken":{ + "shape":"String", + "documentation":"A pagination token used to retrieve additional pages of results when the response to a previous request was truncated. Pass this token to continue listing invitations from where the previous call left off.
" + }, + "ParticipantType":{ + "shape":"ParticipantType", + "documentation":"Specifies the type of participant for which to list engagement invitations. Identifies the role of the participant.
" + }, + "PayloadType":{ + "shape":"EngagementInvitationsPayloadType", + "documentation":"Defines the type of payload associated with the engagement invitations to be listed. The attributes in this payload help decide on acceptance or rejection of the invitation.
" + }, + "Sort":{ + "shape":"OpportunityEngagementInvitationSort", + "documentation":"Specifies the sorting options for listing engagement invitations. Invitations can be sorted by fields such as InvitationDate or Status to help partners view results in their preferred order.
An array containing summaries of engagement invitations. Each summary includes key information such as the invitation title, invitation date, and the current status of the invitation.
" + }, + "NextToken":{ + "shape":"String", + "documentation":"A pagination token returned when there are more results available than can be returned in a single call. Use this token to retrieve additional pages of engagement invitation summaries.
" + } + } + }, + "ListOpportunitiesRequest":{ + "type":"structure", + "required":["Catalog"], + "members":{ + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":" Specifies the catalog associated with the request. This field takes a string value from a predefined list: AWS or Sandbox. The catalog determines which environment the opportunities are listed in. Use AWS for listing real opportunities in the Amazon Web Services catalog, and Sandbox for to test in a secure and isolated environment.
Filters the opportunities based on the customer's company name. This allows partners to search for opportunities associated with a specific customer by matching the provided company name string.
" + }, + "Identifier":{ + "shape":"ListOpportunitiesRequestIdentifierList", + "documentation":"Filters the opportunities based on the opportunity identifier. This allows partners to retrieve specific opportunities by providing their unique identifiers, ensuring precise results.
" + }, + "LastModifiedDate":{ + "shape":"LastModifiedDate", + "documentation":"Filters the opportunities based on their last modified date. This filter helps retrieve opportunities that were updated after the specified date, allowing partners to track recent changes or updates.
" + }, + "LifeCycleReviewStatus":{ + "shape":"ListOpportunitiesRequestLifeCycleReviewStatusList", + "documentation":"Filters the opportunities based on their current lifecycle approval status. Use this filter to retrieve opportunities with statuses such as Pending Submission, In Review, Action Required, or Approved.
Filters the opportunities based on their lifecycle stage. This filter allows partners to retrieve opportunities at various stages in the sales cycle, such as Qualified, Technical Validation, Business Validation, or Closed Won.
Specifies the maximum number of results to return in a single call. This limits the number of opportunities returned in the response to avoid overloading with too many results at once.
Default: 20
" + }, + "NextToken":{ + "shape":"String", + "documentation":"A pagination token used to retrieve the next set of results in subsequent calls. This token is included in the response only if there are additional result pages available.
" + }, + "Sort":{ + "shape":"OpportunitySort", + "documentation":" An object that specifies how the response is sorted. The default Sort.SortBy value is LastModifiedDate.
A pagination token used to retrieve the next set of results in subsequent calls. This token is included in the response only if there are additional result pages available.
" + }, + "OpportunitySummaries":{ + "shape":"OpportunitySummaries", + "documentation":"An array that contains minimal details for opportunities that match the request criteria. This summary view provides a quick overview of relevant opportunities.
" + } + } + }, + "ListSolutionsRequest":{ + "type":"structure", + "required":["Catalog"], + "members":{ + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":" Specifies the catalog associated with the request. This field takes a string value from a predefined list: AWS or Sandbox. The catalog determines which environment the solutions are listed in. Use AWS to list solutions in the Amazon Web Services catalog, and Sandbox to list solutions in a secure and isolated testing environment.
Filters the solutions based on the category to which they belong. This allows partners to search for solutions within specific categories, such as Software, Consulting, or Managed Services.
Filters the solutions based on their unique identifier. Use this filter to retrieve specific solutions by providing the solution's identifier for accurate results.
" + }, + "MaxResults":{ + "shape":"PageSize", + "documentation":"The maximum number of results returned by a single call. This value must be provided in the next call to retrieve the next set of results.
Default: 20
" + }, + "NextToken":{ + "shape":"String", + "documentation":"A pagination token used to retrieve the next set of results in subsequent calls. This token is included in the response only if there are additional result pages available.
" + }, + "Sort":{ + "shape":"SolutionSort", + "documentation":"Object that configures sorting done on the response. Default Sort.SortBy is Identifier.
Filters the solutions based on their status. This filter helps retrieve solutions with statuses such as Active, Inactive, or Pending Approval, allowing partners to manage their solution portfolios effectively.
A pagination token used to retrieve the next set of results in subsequent calls. This token is included in the response only if there are additional result pages available.
" + }, + "SolutionSummaries":{ + "shape":"SolutionList", + "documentation":"An array with minimal details for solutions matching the request criteria.
" + } + } + }, + "Marketing":{ + "type":"structure", + "members":{ + "AwsFundingUsed":{ + "shape":"AwsFundingUsed", + "documentation":"Indicates if the Opportunity is a marketing development fund (MDF) funded activity.
Specifies the Opportunity's unique marketing campaign name. The Amazon Web Services campaign name serves as a reference to specific marketing initiatives, promotions, or activities related to the Opportunity. This field captures the identifier used to track and categorize the Opportunity within Amazon Web Services's marketing campaigns. If you don't have a campaign name, reach out to your Amazon Web Services point of contact to obtain one.
Specifies the Opportunity's channel that the marketing activity is associated with or was contacted through. This field provides information about the specific marketing channel that contributed to the generation of the lead or contact.
Indicates if the Opportunity was sourced from an Amazon Web Services marketing activity. Use the value Marketing Activity. Use None if it's not associated with an Amazon Web Services marketing activity. This field helps Amazon Web Services track the return on marketing investments and enables better distribution of marketing budgets among partners.
Specifies the marketing activity use case or purpose that led to the Opportunity's creation or contact. This field captures the context or marketing activity's execution's intention and the direct correlation to the generated opportunity or contact. Must be empty when Marketing.AWSFundingUsed = No.
Valid values: AI/ML | Analytics | Application Integration | Blockchain | Business Applications | Cloud Financial Management | Compute | Containers | Customer Engagement | Databases | Developer Tools | End User Computing | Front End Web & Mobile | Game Tech | IoT | Management & Governance | Media Services | Migration & Transfer | Networking & Content Delivery | Quantum Technologies | Robotics | Satellite | Security | Serverless | Storage | VR & AR
An object that contains marketing details for the Opportunity.
Specifies the payment amount.
" + }, + "CurrencyCode":{ + "shape":"CurrencyCode", + "documentation":"Specifies the payment currency.
" + } + }, + "documentation":"Specifies payments details.
" + }, + "MonetaryValueAmountString":{ + "type":"string", + "pattern":"^(0|([1-9][0-9]{0,30}))(\\.[0-9]{0,2})?$" + }, + "Name":{ + "type":"string", + "max":80, + "min":0, + "sensitive":true + }, + "NationalSecurity":{ + "type":"string", + "enum":[ + "Yes", + "No" + ] + }, + "NextStepsHistory":{ + "type":"structure", + "required":[ + "Time", + "Value" + ], + "members":{ + "Time":{ + "shape":"DateTime", + "documentation":"Indicates the step execution time.
" + }, + "Value":{ + "shape":"String", + "documentation":"Indicates the step's execution details.
" + } + }, + "documentation":"Read-only; shows the last 50 values and change dates for the NextSteps field.
Specifies the field by which the Engagement Invitations are sorted. Common values include InvitationDate and Status.
Defines the order in which the Engagement Invitations are sorted. The values can be ASC (ascending) or DESC (descending).
Defines sorting options for retrieving Engagement Invitations. Sorting can be done based on various criteria like the invitation date or status.
" + }, + "OpportunityEngagementInvitationSortName":{ + "type":"string", + "enum":["InvitationDate"] + }, + "OpportunityIdentifier":{ + "type":"string", + "pattern":"^O[0-9]{1,19}$" + }, + "OpportunityInvitationPayload":{ + "type":"structure", + "required":[ + "Customer", + "Project", + "ReceiverResponsibilities" + ], + "members":{ + "Customer":{ + "shape":"EngagementCustomer", + "documentation":"Contains information about the customer related to the opportunity in the Engagement Invitation. This data helps partners understand the customer’s profile and requirements.
" + }, + "Project":{ + "shape":"ProjectDetails", + "documentation":"Describes the project details associated with the opportunity, including the customer’s needs and the scope of work expected to be performed.
" + }, + "ReceiverResponsibilities":{ + "shape":"ReceiverResponsibilityList", + "documentation":"Outlines the responsibilities or expectations of the receiver in the context of the invitation.
" + }, + "SenderContacts":{ + "shape":"SenderContactList", + "documentation":"Represents the contact details of the AWS representatives involved in sending the Engagement Invitation. These contacts are key stakeholders for the opportunity.
" + } + }, + "documentation":"Represents the data payload of an Engagement Invitation for a specific opportunity. This contains detailed information that partners use to evaluate the engagement.
" + }, + "OpportunityOrigin":{ + "type":"string", + "enum":[ + "AWS Referral", + "Partner Referral" + ] + }, + "OpportunitySort":{ + "type":"structure", + "required":[ + "SortBy", + "SortOrder" + ], + "members":{ + "SortBy":{ + "shape":"OpportunitySortName", + "documentation":"Field name to sort by.
" + }, + "SortOrder":{ + "shape":"SortOrder", + "documentation":"Sort order.
Default: Descending
Object that configures response sorting.
" + }, + "OpportunitySortName":{ + "type":"string", + "enum":[ + "LastModifiedDate", + "Identifier", + "CustomerCompanyName" + ] + }, + "OpportunitySummaries":{ + "type":"list", + "member":{"shape":"OpportunitySummary"} + }, + "OpportunitySummary":{ + "type":"structure", + "required":["Catalog"], + "members":{ + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":"Specifies the catalog associated with the opportunity, either AWS or Sandbox. This indicates the environment in which the opportunity is managed.
DateTime when the Opportunity was last created.
An object that contains the Opportunity's customer details.
Read-only, system-generated Opportunity unique identifier.
DateTime when the Opportunity was last modified.
An object that contains the Opportunity's lifecycle details.
Specifies opportunity type as a renewal, new, or expansion.
Opportunity types:
New Opportunity: Represents a new business opportunity with a potential customer that's not previously engaged with your solutions or services.
Renewal Opportunity: Represents an opportunity to renew an existing contract or subscription with a current customer, ensuring continuity of service.
Expansion Opportunity: Represents an opportunity to expand the scope of an existing contract or subscription, either by adding new services or increasing the volume of existing services for a current customer.
Specifies the Opportunity's unique identifier in the partner's CRM system. This value is essential to track and reconcile because it's included in the outbound payload sent back to the partner. It allows partners to link an opportunity to their CRM.
An object that contains the Opportunity's project details summary.
An object that contains an Opportunity's subset of fields.
Specifies the details of the opportunity invitation within the Engagement Invitation payload. This data helps partners understand the context, scope, and expected involvement for the opportunity from AWS.
" + } + }, + "documentation":"Contains the data payload associated with the Engagement Invitation. This payload includes essential details related to the AWS opportunity and is used by partners to evaluate whether to accept or reject the engagement.
", + "union":true + }, + "PaymentFrequency":{ + "type":"string", + "enum":["Monthly"] + }, + "PhoneNumber":{ + "type":"string", + "max":40, + "min":0, + "pattern":"^\\+[1-9]\\d{1,14}$", + "sensitive":true + }, + "PrimaryNeedFromAws":{ + "type":"string", + "enum":[ + "Co-Sell - Architectural Validation", + "Co-Sell - Business Presentation", + "Co-Sell - Competitive Information", + "Co-Sell - Pricing Assistance", + "Co-Sell - Technical Consultation", + "Co-Sell - Total Cost of Ownership Evaluation", + "Co-Sell - Deal Support", + "Co-Sell - Support for Public Tender / RFx" + ] + }, + "PrimaryNeedsFromAws":{ + "type":"list", + "member":{"shape":"PrimaryNeedFromAws"} + }, + "ProfileNextStepsHistory":{ + "type":"structure", + "required":[ + "Time", + "Value" + ], + "members":{ + "Time":{ + "shape":"DateTime", + "documentation":"Indicates the date and time when a particular next step was recorded or planned. This helps in managing the timeline for the opportunity.
" + }, + "Value":{ + "shape":"String", + "documentation":"Represents the details of the next step recorded, such as follow-up actions or decisions made. This field helps in tracking progress and ensuring alignment with project goals.
" + } + }, + "documentation":"Tracks the history of next steps associated with the opportunity. This field captures the actions planned for the future and their timeline.
" + }, + "Project":{ + "type":"structure", + "members":{ + "AdditionalComments":{ + "shape":"ProjectAdditionalCommentsString", + "documentation":"Captures additional comments or information for the Opportunity that weren't captured in other fields.
Specifies the Amazon Partner Network (APN) program that influenced the Opportunity. APN programs refer to specific partner programs or initiatives that can impact the Opportunity.
Valid values: APN Immersion Days | APN Solution Space | ATO (Authority to Operate) | AWS Marketplace Campaign | IS Immersion Day SFID Program | ISV Workload Migration | Migration Acceleration Program | P3 | Partner Launch Initiative | Partner Opportunity Acceleration Funded | The Next Smart | VMware Cloud on AWS | Well-Architected | Windows | Workspaces/AppStream Accelerator Program | WWPS NDPP
Name of the Opportunity's competitor (if any). Use Other to submit a value not in the picklist.
Describes the problem the end customer has, and how the partner is helping. Utilize this field to provide a clear and concise narrative that outlines the specific business challenge or issue the customer has. Elaborate on how the partner's solution or offerings align to resolve the customer's business problem. Include relevant information about the partner's value proposition, unique selling points, and expertise to tackle the issue. Offer insights on how the proposed solution meets the customer's needs and provides value. Use concise language and precise descriptions to convey the context and significance of the Opportunity. The content in this field helps Amazon Web Services understand the nature of the Opportunity and the strategic fit of the partner's solution.
Specifies the proposed solution focus or type of workload for the Opportunity. This field captures the primary use case or objective of the proposed solution, and provides context and clarity to the addressed workload.
Valid values: AI Machine Learning and Analytics | Archiving | Big Data: Data Warehouse / Data Integration / ETL / Data Lake / BI | Blockchain | Business Applications: Mainframe Modernization | Business Applications & Contact Center | Business Applications & SAP Production | Centralized Operations Management | Cloud Management Tools | Cloud Management Tools & DevOps with Continuous Integration & Continuous Delivery (CICD) | Configuration, Compliance & Auditing | Connected Services | Containers & Serverless | Content Delivery & Edge Services | Database | Edge Computing / End User Computing | Energy | Enterprise Governance & Controls | Enterprise Resource Planning | Financial Services | Healthcare and Life Sciences | High Performance Computing | Hybrid Application Platform | Industrial Software | IOT | Manufacturing, Supply Chain and Operations | Media & High performance computing (HPC) | Migration / Database Migration | Monitoring, logging and performance | Monitoring & Observability | Networking | Outpost | SAP | Security & Compliance | Storage & Backup | Training | VMC | VMWare | Web development & DevOps
Specifies the deployment or consumption model for your solution or service in the Opportunity's context. You can select multiple options.
Options' descriptions from the Delivery Model field are:
SaaS or PaaS: Your Amazon Web Services based solution deployed as SaaS or PaaS in your Amazon Web Services environment.
BYOL or AMI: Your Amazon Web Services based solution deployed as BYOL or AMI in the end customer's Amazon Web Services environment.
Managed Services: The end customer's Amazon Web Services business management (For example: Consulting, design, implementation, billing support, cost optimization, technical support).
Professional Services: Offerings to help enterprise end customers achieve specific business outcomes for enterprise cloud adoption (For example: Advisory or transformation planning).
Resell: Amazon Web Services accounts and billing management for your customers.
Other: Delivery model not described above.
Represents the estimated amount that the customer is expected to spend on AWS services related to the opportunity. This helps in evaluating the potential financial value of the opportunity for AWS.
" + }, + "OtherCompetitorNames":{ + "shape":"ProjectOtherCompetitorNamesString", + "documentation":"Only allowed when CompetitorNames has Other selected.
Specifies the offered solution for the customer's business problem when the RelatedEntityIdentifiers.Solutions field value is Other.
Specifies the current opportunity's parent opportunity identifier.
" + }, + "SalesActivities":{ + "shape":"SalesActivities", + "documentation":" Specifies the Opportunity's sales activities conducted with the end customer. These activities help drive Amazon Web Services assignment priority.
Valid values:
Initialized discussions with customer: Initial conversations with the customer to understand their needs and introduce your solution.
Customer has shown interest in solution: After initial discussions, the customer is interested in your solution.
Conducted POC / Demo: You conducted a proof of concept (POC) or demonstration of the solution for the customer.
In evaluation / planning stage: The customer is evaluating the solution and planning potential implementation.
Agreed on solution to Business Problem: Both parties agree on how the solution addresses the customer's business problem.
Completed Action Plan: A detailed action plan is complete and outlines the steps for implementation.
Finalized Deployment Need: Both parties agree with and finalized the deployment needs.
SOW Signed: Both parties signed a statement of work (SOW), and formalize the agreement and detail the project scope and deliverables.
Specifies the Opportunity's title or name.
An object that contains the Opportunity's project details.
Describes the business problem that the project aims to solve. This information is crucial for understanding the project’s goals and objectives.
" + }, + "ExpectedCustomerSpend":{ + "shape":"ExpectedCustomerSpendList", + "documentation":"Contains revenue estimates for the partner related to the project. This field provides an idea of the financial potential of the opportunity for the partner.
" + }, + "TargetCompletionDate":{ + "shape":"Date", + "documentation":"Specifies the estimated date of project completion. This field helps track the project timeline and manage expectations.
" + }, + "Title":{ + "shape":"ProjectDetailsTitleString", + "documentation":"Specifies the title of the project. This title helps partners quickly identify and understand the focus of the project.
" + } + }, + "documentation":"Contains details about the project associated with the Engagement Invitation, including the business problem and expected outcomes.
" + }, + "ProjectDetailsTitleString":{ + "type":"string", + "max":255, + "min":1 + }, + "ProjectOtherCompetitorNamesString":{ + "type":"string", + "max":255, + "min":0 + }, + "ProjectOtherSolutionDescriptionString":{ + "type":"string", + "max":255, + "min":0, + "sensitive":true + }, + "ProjectSummary":{ + "type":"structure", + "members":{ + "DeliveryModels":{ + "shape":"DeliveryModels", + "documentation":" Specifies your solution or service's deployment or consumption model in the Opportunity's context. You can select multiple options.
Options' descriptions from the Delivery Model field are:
SaaS or PaaS: Your Amazon Web Services based solution deployed as SaaS or PaaS in your Amazon Web Services environment.
BYOL or AMI: Your Amazon Web Services based solution deployed as BYOL or AMI in the end customer's Amazon Web Services environment.
Managed Services: The end customer's Amazon Web Services business management (For example: Consulting, design, implementation, billing support, cost optimization, technical support).
Professional Services: Offerings to help enterprise end customers achieve specific business outcomes for enterprise cloud adoption (For example: Advisory or transformation planning).
Resell: Amazon Web Services accounts and billing management for your customers.
Other: Delivery model not described above.
Provides a summary of the expected customer spend for the project, offering a high-level view of the potential financial impact.
" + } + }, + "documentation":"An object that contains a Project object's subset of fields.
Specifies the AWS account of the partner who received the Engagement Invitation. This field is used to track the invitation recipient within the AWS ecosystem.
" + } + }, + "documentation":"Represents the entity that received the Engagement Invitation, including account and company details. This field is essential for tracking the partner who is being invited to collaborate.
", + "union":true + }, + "ReceiverResponsibility":{ + "type":"string", + "enum":[ + "Distributor", + "Reseller", + "Hardware Partner", + "Managed Service Provider", + "Software Partner", + "Services Partner", + "Training Partner", + "Co-Sell Facilitator", + "Facilitator" + ] + }, + "ReceiverResponsibilityList":{ + "type":"list", + "member":{"shape":"ReceiverResponsibility"} + }, + "RejectEngagementInvitationRequest":{ + "type":"structure", + "required":[ + "Catalog", + "Identifier" + ], + "members":{ + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":"Specifies the catalog related to the engagement invitation. Accepted values are AWS and Sandbox, which determine the environment in which the opportunity is managed.
Specifies the unique identifier of the EngagementInvitation to be rejected. Providing the correct identifier ensures that the intended invitation is rejected.
Specifies the reason for rejecting the engagement invitation. Providing a reason helps document the rationale behind the rejection and assists AWS in tracking patterns or issues. Possible values include:
Customer problem unclear: The customer's problem is not clearly defined.
Next steps unclear: The next steps required to proceed are not clear.
Unable to support: The partner is unable to provide support due to resource or capability constraints.
Duplicate of Partner Referral: The opportunity is a duplicate of an existing referral.
Other: Any other reason not covered by the specified values.
Takes one value per opportunity. Each value is an Amazon Resource Name (ARN), in this format: \"offers\": [\"arn:aws:aws-marketplace:us-east-1:999999999999:AWSMarketplace/Offer/offer-sampleOffer32\"].
Use the ListEntities action in the Marketplace Catalog APIs for a list of offers in the associated Marketplace seller account.
" + }, + "AwsProducts":{ + "shape":"AwsProductIdentifiers", + "documentation":" Enables the association of specific Amazon Web Services products with the Opportunity. Partners can indicate the relevant Amazon Web Services products for the Opportunity's solution and align with the customer's needs. Returns multiple values separated by commas. For example, \"AWSProducts\" : [\"AmazonRedshift\", \"AWSAppFabric\", \"AWSCleanRooms\"].
Use the file with the list of Amazon Web Services products hosted on GitHub: Amazon Web Services products.
" + }, + "Solutions":{ + "shape":"SolutionIdentifiers", + "documentation":" Enables partner solutions or offerings' association with an opportunity. To associate a solution, provide the solution's unique identifier, which you can obtain with the ListSolutions operation.
If the specific solution identifier is not available, you can use the value Other and provide details about the solution in the otherSolutionOffered field. However, once the opportunity reaches the Committed stage or beyond, the Other value cannot be used, and a valid solution identifier must be provided.
By associating the relevant solutions with the opportunity, you can clearly communicate the offerings that are being considered or implemented to address the customer's business problem.
" + } + }, + "documentation":" This field provides the associations' information for other entities with the opportunity. These entities include identifiers for AWSProducts, Partner Solutions, and AWSMarketplaceOffers.
This error occurs when the specified resource can't be found. The resource might not exist, or isn't visible with the current credentials.
Suggested action: Verify that the resource ID is correct and the resource is in the expected AWS region. Check IAM permissions for accessing the resource.
", + "exception":true + }, + "RevenueModel":{ + "type":"string", + "enum":[ + "Contract", + "Pay-as-you-go", + "Subscription" + ] + }, + "ReviewStatus":{ + "type":"string", + "enum":[ + "Pending Submission", + "Submitted", + "In review", + "Approved", + "Rejected", + "Action Required" + ] + }, + "SalesActivities":{ + "type":"list", + "member":{"shape":"SalesActivity"} + }, + "SalesActivity":{ + "type":"string", + "enum":[ + "Initialized discussions with customer", + "Customer has shown interest in solution", + "Conducted POC / Demo", + "In evaluation / planning stage", + "Agreed on solution to Business Problem", + "Completed Action Plan", + "Finalized Deployment Need", + "SOW Signed" + ] + }, + "SalesInvolvementType":{ + "type":"string", + "enum":[ + "For Visibility Only", + "Co-Sell" + ] + }, + "SenderContact":{ + "type":"structure", + "required":["Email"], + "members":{ + "BusinessTitle":{ + "shape":"JobTitle", + "documentation":"The sender-provided contact's title (job title or role) associated with the EngagementInvitation.
The sender-provided contact's email address associated with the EngagementInvitation.
The sender-provided contact's last name associated with the EngagementInvitation.
The sender-provided contact's first name associated with the EngagementInvitation.
The sender-provided contact's phone number associated with the EngagementInvitation.
An object that contains the details of the sender-provided contact person for the EngagementInvitation.
This error occurs when the request would cause a service quota to be exceeded. Service quotas represent the maximum allowed use of a specific resource, and this error indicates that the request would surpass that limit.
Suggested action: Review the service quotas for the specific resource, and reduce the usage or request a quota increase through support if necessary.
", + "exception":true + }, + "SoftwareRevenue":{ + "type":"structure", + "members":{ + "DeliveryModel":{ + "shape":"RevenueModel", + "documentation":"Specifies the customer's intended payment type agreement or procurement method to acquire the solution or service outlined in the Opportunity.
Specifies the Opportunity's customer engagement start date for the contract's effectiveness.
Specifies the expiration date for the contract between the customer and Amazon Web Services partner. It signifies the termination date of the agreed-upon engagement period between both parties.
" + }, + "Value":{ + "shape":"MonetaryValue", + "documentation":"Specifies the payment value (amount and currency).
" + } + }, + "documentation":"Specifies a customer's procurement terms details. Required only for partners in eligible programs.
" + }, + "SolutionBase":{ + "type":"structure", + "required":[ + "Catalog", + "Category", + "CreatedDate", + "Id", + "Name", + "Status" + ], + "members":{ + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":"Specifies the catalog in which the solution is hosted, either AWS or Sandbox. This helps partners differentiate between live solutions and those in testing environments.
Specifies the solution category, which helps to categorize and organize the solutions partners offer. Valid values: Software Product | Consulting Service | Hardware Product | Communications Product | Professional Service | Managed Service | Value-Added Resale Amazon Web Services Service | Distribution Service | Training Service | Merger and Acquisition Advising Service.
Indicates the solution creation date. This is useful to track and audit.
" + }, + "Id":{ + "shape":"SolutionIdentifier", + "documentation":"Enables the association of solutions (offerings) to opportunities.
" + }, + "Name":{ + "shape":"String", + "documentation":"Specifies the solution name.
" + }, + "Status":{ + "shape":"SolutionStatus", + "documentation":" Specifies the solution's current status, which indicates its state in the system. Valid values: Active | Inactive | Draft. The status helps partners and Amazon Web Services track the solution's lifecycle and availability. Filter for Active solutions for association to an opportunity.
Specifies minimal information for the solution offered to solve the customer's business problem.
" + }, + "SolutionIdentifier":{ + "type":"string", + "pattern":"^S-[0-9]{1,19}$" + }, + "SolutionIdentifiers":{ + "type":"list", + "member":{"shape":"SolutionIdentifier"} + }, + "SolutionList":{ + "type":"list", + "member":{"shape":"SolutionBase"} + }, + "SolutionSort":{ + "type":"structure", + "required":[ + "SortBy", + "SortOrder" + ], + "members":{ + "SortBy":{ + "shape":"SolutionSortName", + "documentation":" Specifies the attribute to sort by, such as Name, CreatedDate, or Status.
Specifies the sorting order, either Ascending or Descending. The default is Descending.
Configures the solutions' response sorting that enables partners to order solutions based on specified attributes.
" + }, + "SolutionSortName":{ + "type":"string", + "enum":[ + "Identifier", + "Name", + "Status", + "Category", + "CreatedDate" + ] + }, + "SolutionStatus":{ + "type":"string", + "enum":[ + "Active", + "Inactive", + "Draft" + ] + }, + "SortOrder":{ + "type":"string", + "enum":[ + "ASCENDING", + "DESCENDING" + ] + }, + "Stage":{ + "type":"string", + "enum":[ + "Prospect", + "Qualified", + "Technical Validation", + "Business Validation", + "Committed", + "Launched", + "Closed Lost" + ] + }, + "StartEngagementByAcceptingInvitationTaskRequest":{ + "type":"structure", + "required":[ + "Catalog", + "ClientToken", + "Identifier" + ], + "members":{ + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":"Specifies the catalog related to the task. Use AWS for production engagements and Sandbox for testing scenarios.
A unique, case-sensitive identifier provided by the client to ensure the idempotency of the request. Can be a random or meaningful string, but must be unique for each request.
", + "idempotencyToken":true + }, + "Identifier":{ + "shape":"EngagementInvitationArnOrIdentifier", + "documentation":"Specifies the unique identifier of the EngagementInvitation to be accepted. Providing the correct identifier ensures the right engagement invitation is processed.
Returns the identifier of the engagement invitation that was accepted and used to create the opportunity.
" + }, + "Message":{ + "shape":"String", + "documentation":"If the task fails, this field contains a detailed message describing the failure and possible recovery steps.
" + }, + "OpportunityId":{ + "shape":"OpportunityIdentifier", + "documentation":"Returns the original opportunity identifier passed in the request. This is the unique identifier for the opportunity.
" + }, + "ReasonCode":{ + "shape":"ReasonCode", + "documentation":"Indicates the reason for task failure using an enumerated code. Possible values are: ACCEPT_ENGAGEMENT_INVITATION_FAILED, GET_ENGAGEMENT_INVITATION_FAILED, CREATE_OPPORTUNITY_FAILED, CREATE_RESOURCE_VIEW_AUTOMATION_FAILED, SUBMIT_OPPORTUNITY_FAILED.
The timestamp indicating when the task was initiated. The format follows RFC 3339 section 5.6.
" + }, + "TaskArn":{ + "shape":"TaskArn", + "documentation":"The Amazon Resource Name (ARN) of the task, used for tracking and managing the task within AWS.
" + }, + "TaskId":{ + "shape":"TaskIdentifier", + "documentation":"The unique identifier of the task, used to track the task’s progress. This value follows a specific pattern: ^oit-[0-9a-z]{13}$.
Indicates the current status of the task. Valid values include IN_PROGRESS, COMPLETE, and FAILED.
Specifies the catalog in which the engagement is tracked. Acceptable values include AWS for production and Sandbox for testing environments.
A unique token provided by the client to ensure the idempotency of the request. It helps prevent the same task from being performed multiple times.
", + "idempotencyToken":true + }, + "Identifier":{ + "shape":"OpportunityIdentifier", + "documentation":"The unique identifier of the opportunity from which the engagement task is to be initiated. This ensures the task is applied to the correct opportunity.
" + } + } + }, + "StartEngagementFromOpportunityTaskRequestClientTokenString":{ + "type":"string", + "min":1 + }, + "StartEngagementFromOpportunityTaskResponse":{ + "type":"structure", + "members":{ + "Message":{ + "shape":"String", + "documentation":"If the task fails, this field contains a detailed message describing the failure and possible recovery steps.
" + }, + "OpportunityId":{ + "shape":"OpportunityIdentifier", + "documentation":"Returns the original opportunity identifier passed in the request, which is the unique identifier for the opportunity created in the partner’s system.
" + }, + "ReasonCode":{ + "shape":"ReasonCode", + "documentation":"Indicates the reason for task failure using an enumerated code. Possible values are: ACCEPT_ENGAGEMENT_INVITATION_FAILED, GET_ENGAGEMENT_INVITATION_FAILED, CREATE_OPPORTUNITY_FAILED, CREATE_RESOURCE_VIEW_AUTOMATION_FAILED, SUBMIT_OPPORTUNITY_FAILED.
The timestamp indicating when the task was initiated. The format follows RFC 3339 section 5.6.
" + }, + "TaskArn":{ + "shape":"TaskArn", + "documentation":"The Amazon Resource Name (ARN) of the task, used for tracking and managing the task within AWS.
" + }, + "TaskId":{ + "shape":"TaskIdentifier", + "documentation":"The unique identifier of the task, used to track the task’s progress. This value follows a specific pattern: ^oit-[0-9a-z]{13}$.
Indicates the current status of the task. Valid values include IN_PROGRESS, COMPLETE, and FAILED.
This error occurs when there are too many requests sent. Review the provided quotas and adapt your usage to avoid throttling.
This error occurs when there are too many requests sent. Review the provided quotas and retry after the provided delay.
", + "exception":true + }, + "UpdateOpportunityRequest":{ + "type":"structure", + "required":[ + "Catalog", + "Identifier", + "LastModifiedDate" + ], + "members":{ + "Catalog":{ + "shape":"CatalogIdentifier", + "documentation":" Specifies the catalog associated with the request. This field takes a string value from a predefined list: AWS or Sandbox. The catalog determines which environment the opportunity is updated in. Use AWS to update real opportunities in the production environment, and Sandbox to test in a secure and isolated environment. When you use the Sandbox catalog, it allows you to simulate and validate your interactions with Amazon Web Services services without affecting live data or operations.
Specifies details of the customer associated with the Opportunity .
Read-only, system generated Opportunity unique identifier.
DateTime when the opportunity was last modified.
An object that contains lifecycle details for the Opportunity.
An object that contains marketing details for the Opportunity.
Specifies if the opportunity is associated with national security concerns. This flag is only applicable when the industry is Government. For national security-related opportunities, specific validation and compliance rules may apply, impacting the opportunity's visibility and processing.
Specifies the opportunity type as a renewal, new, or expansion.
Opportunity types:
New opportunity: Represents a new business opportunity with a potential customer that's not previously engaged with your solutions or services.
Renewal opportunity: Represents an opportunity to renew an existing contract or subscription with a current customer, ensuring continuity of service.
Expansion opportunity: Represents an opportunity to expand the scope of an existing contract or subscription, either by adding new services or increasing the volume of existing services for a current customer.
Specifies the opportunity's unique identifier in the partner's CRM system. This value is essential to track and reconcile because it's included in the outbound payload sent back to the partner.
" + }, + "PrimaryNeedsFromAws":{ + "shape":"PrimaryNeedsFromAws", + "documentation":"Identifies the type of support the partner needs from Amazon Web Services.
Valid values:
Co-Sell - Architectural Validation: Confirmation from Amazon Web Services that the partner's proposed solution architecture is aligned with Amazon Web Services best practices and poses minimal architectural risks.
Co-Sell - Business Presentation: Request Amazon Web Services seller's participation in a joint customer presentation.
Co-Sell - Competitive Information: Access to Amazon Web Services competitive resources and support for the partner's proposed solution.
Co-Sell - Pricing Assistance: Connect with an AWS seller for support situations where a partner may be receiving an upfront discount on a service (for example: EDP deals).
Co-Sell - Technical Consultation: Connection with an Amazon Web Services Solutions Architect to address the partner's questions about the proposed solution.
Co-Sell - Total Cost of Ownership Evaluation: Assistance with quoting different cost savings of proposed solutions on Amazon Web Services versus on-premises or a traditional hosting environment.
Co-Sell - Deal Support: Request Amazon Web Services seller's support to progress the opportunity (for example: joint customer call, strategic positioning).
Co-Sell - Support for Public Tender / RFx: Opportunity related to the public sector where the partner needs RFx support from Amazon Web Services.
Do Not Need Support from AWS Sales Rep: Indicates that a partner doesn't need support from an Amazon Web Services Sales representative. The opportunity is managed solely by the partner. It's possible to request co-selling support on these opportunities at any stage during their lifecycle. Also known as, for-visibility-only (FVO) opportunity.
An object that contains project details summary for the Opportunity.
Specifies details of a customer's procurement terms. Required only for partners in eligible programs.
" + } + } + }, + "UpdateOpportunityRequestPartnerOpportunityIdentifierString":{ + "type":"string", + "max":64, + "min":0 + }, + "UpdateOpportunityResponse":{ + "type":"structure", + "required":[ + "Id", + "LastModifiedDate" + ], + "members":{ + "Id":{ + "shape":"OpportunityIdentifier", + "documentation":"Read-only, system generated Opportunity unique identifier.
DateTime when the opportunity was last modified.
A list of issues that were discovered in the submitted request or the resource state.
" + }, + "Message":{"shape":"String"}, + "Reason":{ + "shape":"ValidationExceptionReason", + "documentation":"The primary reason for this validation exception to occur.
REQUEST_VALIDATION_FAILED: The request format is not valid.
Fix: Verify your request payload includes all required fields, uses correct data types and string formats.
BUSINESS_VALIDATION_FAILED: The requested change doesn't pass the business validation rules.
Fix: Check that your change aligns with the business rules defined by AWS Partner Central.
The input fails to satisfy the constraints specified by the service or business validation rules.
Suggested action: Review the error message, including the failed fields and reasons, to correct the request payload.
", + "exception":true + }, + "ValidationExceptionError":{ + "type":"structure", + "required":[ + "Code", + "Message" + ], + "members":{ + "Code":{ + "shape":"ValidationExceptionErrorCode", + "documentation":"Specifies the error code for the invalid field value.
" + }, + "FieldName":{ + "shape":"String", + "documentation":"Specifies the field name with the invalid value.
" + }, + "Message":{ + "shape":"String", + "documentation":"Specifies the detailed error message for the invalid field value.
" + } + }, + "documentation":"Indicates an invalid value for a field.
REQUIRED_FIELD_MISSING: The request is missing a required field.
Fix: Verify your request payload includes all required fields.
INVALID_ENUM_VALUE: The enum field value isn't an accepted values.
Fix: Check the documentation for the list of valid enum values, and update your request with a valid value.
INVALID_STRING_FORMAT: The string format is invalid.
Fix: Confirm that the string is in the expected format (For example: email address, date).
INVALID_VALUE: The value isn't valid.
Fix: Confirm that the value meets the expected criteria and is within the allowable range or set.
TOO_MANY_VALUES: There are too many values in a field that expects fewer entries.
Fix: Reduce the number of values to match the expected limit.
ACTION_NOT_PERMITTED: The action isn't permitted due to current state or permissions.
Fix: Verify that the action is appropriate for the current state, and that you have the necessary permissions to perform it.
DUPLICATE_KEY_VALUE: The value in a field duplicates a value that must be unique.
Fix: Verify that the value is unique and doesn't duplicate an existing value in the system.
AWS Partner Central API for Selling Reference Guide
Amazon Web Services (AWS) Partner Central API reference guide is designed to help AWS Partners programmatically integrate their Customer Relationship Management (CRM) systems with AWS Partner Central. Through the Partner Central APIs, partners can automate and streamline their interactions with AWS Partner Central, ensuring a more efficient and effective engagement in joint business activities.
The AWS Partner Central API service provides standard AWS API functionality. You can directly use the API Actions, or you can use an AWS SDK to access an API that's tailored to the programming language or platform that you're using. For more information about AWS application development, see Getting Started with AWS. For more information about using AWS SDKs, see AWS SDKs.
Features offered by AWS Partner Central API
Opportunity management: Facilitates the management of co-selling opportunities with AWS using API actions such as CreateOpportunity, UpdateOpportunity, ListOpportunities, GetOpportunity, and AssignOpportunity.
AWS referral management: Facilitates receiving referrals shared by AWS using actions like ListEngagementInvitations, GetEngagementInvitation, StartEngagementByAcceptingInvitation, and RejectEngagementInvitation.
Entity association: Associate related entities such as AWS Products, Partner Solutions, and AWS Marketplace Private Offers with opportunities using the actions AssociateOpportunity and DisassociateOpportunity.
View AWS opportunity details: Use the GetAWSOpportunitySummary action to retrieve real-time summaries of AWS opportunities that are linked to your opportunities.
List solutions: Provides list APIs for listing solutions partners offer using ListSolutions.
Event subscription: Partners can subscribe to real-time updates on opportunities by listening to events such as Opportunity Created, Opportunity Updated, Engagement Invitation Accepted, Engagement Invitation Rejected and Engagement Invitation Created using AWS EventBridge.
Creates an analysis in Amazon QuickSight. Analyses can be created either from a template or from an AnalysisDefinition.
Creates an Amazon QuickSight brand.
" + }, + "CreateCustomPermissions":{ + "name":"CreateCustomPermissions", + "http":{ + "method":"POST", + "requestUri":"/accounts/{AwsAccountId}/custom-permissions" + }, + "input":{"shape":"CreateCustomPermissionsRequest"}, + "output":{"shape":"CreateCustomPermissionsResponse"}, + "errors":[ + {"shape":"ConflictException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ResourceExistsException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"LimitExceededException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Creates a custom permissions profile.
" + }, "CreateDashboard":{ "name":"CreateDashboard", "http":{ @@ -568,6 +609,67 @@ ], "documentation":"Deletes an analysis from Amazon QuickSight. You can optionally include a recovery window during which you can restore the analysis. If you don't specify a recovery window value, the operation defaults to 30 days. Amazon QuickSight attaches a DeletionTime stamp to the response that specifies the end of the recovery window. At the end of the recovery window, Amazon QuickSight deletes the analysis permanently.
At any time before recovery window ends, you can use the RestoreAnalysis API operation to remove the DeletionTime stamp and cancel the deletion of the analysis. The analysis remains visible in the API until it's deleted, so you can describe it but you can't make a template from it.
An analysis that's scheduled for deletion isn't accessible in the Amazon QuickSight console. To access it in the console, restore it. Deleting an analysis doesn't delete the dashboards that you publish from it.
" }, + "DeleteBrand":{ + "name":"DeleteBrand", + "http":{ + "method":"DELETE", + "requestUri":"/accounts/{AwsAccountId}/brands/{BrandId}", + "responseCode":200 + }, + "input":{"shape":"DeleteBrandRequest"}, + "output":{"shape":"DeleteBrandResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Deletes an Amazon QuickSight brand.
", + "idempotent":true + }, + "DeleteBrandAssignment":{ + "name":"DeleteBrandAssignment", + "http":{ + "method":"DELETE", + "requestUri":"/accounts/{AwsAccountId}/brandassignments", + "responseCode":200 + }, + "input":{"shape":"DeleteBrandAssignmentRequest"}, + "output":{"shape":"DeleteBrandAssignmentResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Deletes a brand assignment.
", + "idempotent":true + }, + "DeleteCustomPermissions":{ + "name":"DeleteCustomPermissions", + "http":{ + "method":"DELETE", + "requestUri":"/accounts/{AwsAccountId}/custom-permissions/{CustomPermissionsName}" + }, + "input":{"shape":"DeleteCustomPermissionsRequest"}, + "output":{"shape":"DeleteCustomPermissionsResponse"}, + "errors":[ + {"shape":"ConflictException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ResourceExistsException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Deletes a custom permissions profile.
" + }, "DeleteDashboard":{ "name":"DeleteDashboard", "http":{ @@ -975,6 +1077,26 @@ ], "documentation":"Deletes a user identified by its principal ID.
" }, + "DeleteUserCustomPermission":{ + "name":"DeleteUserCustomPermission", + "http":{ + "method":"DELETE", + "requestUri":"/accounts/{AwsAccountId}/namespaces/{Namespace}/users/{UserName}/custom-permission" + }, + "input":{"shape":"DeleteUserCustomPermissionRequest"}, + "output":{"shape":"DeleteUserCustomPermissionResponse"}, + "errors":[ + {"shape":"ConflictException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Deletes a custom permissions profile from a user.
" + }, "DeleteVPCConnection":{ "name":"DeleteVPCConnection", "http":{ @@ -1133,6 +1255,82 @@ ], "documentation":"Describes an existing import job.
Poll job descriptions after starting a job to know when it has succeeded or failed. Job descriptions are available for 14 days after job starts.
" }, + "DescribeBrand":{ + "name":"DescribeBrand", + "http":{ + "method":"GET", + "requestUri":"/accounts/{AwsAccountId}/brands/{BrandId}", + "responseCode":200 + }, + "input":{"shape":"DescribeBrandRequest"}, + "output":{"shape":"DescribeBrandResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Describes a brand.
" + }, + "DescribeBrandAssignment":{ + "name":"DescribeBrandAssignment", + "http":{ + "method":"GET", + "requestUri":"/accounts/{AwsAccountId}/brandassignments", + "responseCode":200 + }, + "input":{"shape":"DescribeBrandAssignmentRequest"}, + "output":{"shape":"DescribeBrandAssignmentResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Describes a brand assignment.
" + }, + "DescribeBrandPublishedVersion":{ + "name":"DescribeBrandPublishedVersion", + "http":{ + "method":"GET", + "requestUri":"/accounts/{AwsAccountId}/brands/{BrandId}/publishedversion", + "responseCode":200 + }, + "input":{"shape":"DescribeBrandPublishedVersionRequest"}, + "output":{"shape":"DescribeBrandPublishedVersionResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Describes the published version of the brand.
" + }, + "DescribeCustomPermissions":{ + "name":"DescribeCustomPermissions", + "http":{ + "method":"GET", + "requestUri":"/accounts/{AwsAccountId}/custom-permissions/{CustomPermissionsName}" + }, + "input":{"shape":"DescribeCustomPermissionsRequest"}, + "output":{"shape":"DescribeCustomPermissionsResponse"}, + "errors":[ + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Describes a custom permissions profile.
" + }, "DescribeDashboard":{ "name":"DescribeDashboard", "http":{ @@ -1920,6 +2118,42 @@ ], "documentation":"Lists all asset bundle import jobs that have taken place in the last 14 days. Jobs created more than 14 days ago are deleted forever and are not returned. If you are using the same job ID for multiple jobs, ListAssetBundleImportJobs only returns the most recent job that uses the repeated job ID.
Lists all brands in an Amazon QuickSight account.
" + }, + "ListCustomPermissions":{ + "name":"ListCustomPermissions", + "http":{ + "method":"GET", + "requestUri":"/accounts/{AwsAccountId}/custom-permissions" + }, + "input":{"shape":"ListCustomPermissionsRequest"}, + "output":{"shape":"ListCustomPermissionsResponse"}, + "errors":[ + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Returns a list of all the custom permissions profiles.
" + }, "ListDashboardVersions":{ "name":"ListDashboardVersions", "http":{ @@ -2816,6 +3050,86 @@ ], "documentation":"Updates the read and write permissions for an analysis.
" }, + "UpdateBrand":{ + "name":"UpdateBrand", + "http":{ + "method":"PUT", + "requestUri":"/accounts/{AwsAccountId}/brands/{BrandId}", + "responseCode":200 + }, + "input":{"shape":"UpdateBrandRequest"}, + "output":{"shape":"UpdateBrandResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Updates a brand.
", + "idempotent":true + }, + "UpdateBrandAssignment":{ + "name":"UpdateBrandAssignment", + "http":{ + "method":"PUT", + "requestUri":"/accounts/{AwsAccountId}/brandassignments", + "responseCode":200 + }, + "input":{"shape":"UpdateBrandAssignmentRequest"}, + "output":{"shape":"UpdateBrandAssignmentResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Updates a brand assignment.
", + "idempotent":true + }, + "UpdateBrandPublishedVersion":{ + "name":"UpdateBrandPublishedVersion", + "http":{ + "method":"PUT", + "requestUri":"/accounts/{AwsAccountId}/brands/{BrandId}/publishedversion", + "responseCode":200 + }, + "input":{"shape":"UpdateBrandPublishedVersionRequest"}, + "output":{"shape":"UpdateBrandPublishedVersionResponse"}, + "errors":[ + {"shape":"ThrottlingException"}, + {"shape":"InvalidRequestException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ConflictException"}, + {"shape":"InternalServerException"} + ], + "documentation":"Updates the published version of a brand.
", + "idempotent":true + }, + "UpdateCustomPermissions":{ + "name":"UpdateCustomPermissions", + "http":{ + "method":"PUT", + "requestUri":"/accounts/{AwsAccountId}/custom-permissions/{CustomPermissionsName}" + }, + "input":{"shape":"UpdateCustomPermissionsRequest"}, + "output":{"shape":"UpdateCustomPermissionsResponse"}, + "errors":[ + {"shape":"ConflictException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Updates a custom permissions profile.
" + }, "UpdateDashboard":{ "name":"UpdateDashboard", "http":{ @@ -3380,6 +3694,26 @@ ], "documentation":"Updates an Amazon QuickSight user.
" }, + "UpdateUserCustomPermission":{ + "name":"UpdateUserCustomPermission", + "http":{ + "method":"PUT", + "requestUri":"/accounts/{AwsAccountId}/namespaces/{Namespace}/users/{UserName}/custom-permission" + }, + "input":{"shape":"UpdateUserCustomPermissionRequest"}, + "output":{"shape":"UpdateUserCustomPermissionResponse"}, + "errors":[ + {"shape":"ConflictException"}, + {"shape":"AccessDeniedException"}, + {"shape":"InvalidParameterValueException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ThrottlingException"}, + {"shape":"PreconditionNotMetException"}, + {"shape":"InternalFailureException"}, + {"shape":"ResourceUnavailableException"} + ], + "documentation":"Updates a custom permissions profile for a user.
" + }, "UpdateVPCConnection":{ "name":"UpdateVPCConnection", "http":{ @@ -3681,6 +4015,12 @@ }, "documentation":"An empty object that represents that the AllSheets option is the chosen value for the FilterScopeConfiguration parameter. This structure applies the filter to all visuals on all sheets of an Analysis, Dashboard, or Template.
This is a union type structure. For this structure to be valid, only one of the attributes can be defined.
" }, + "AltText":{ + "type":"string", + "max":512, + "min":1, + "pattern":"[ -ÿ]+" + }, "AmazonElasticsearchParameters":{ "type":"structure", "required":["Domain"], @@ -4106,6 +4446,20 @@ "type":"list", "member":{"shape":"AnswerId"} }, + "ApplicationTheme":{ + "type":"structure", + "members":{ + "BrandColorPalette":{ + "shape":"BrandColorPalette", + "documentation":"The color palette.
" + }, + "BrandElementStyle":{ + "shape":"BrandElementStyle", + "documentation":"The element style.
" + } + }, + "documentation":"The application theme.
" + }, "ArcAxisConfiguration":{ "type":"structure", "members":{ @@ -6519,6 +6873,180 @@ }, "documentation":"A box plot.
For more information, see Using box plots in the Amazon QuickSight User Guide.
" }, + "BrandColorPalette":{ + "type":"structure", + "members":{ + "Primary":{ + "shape":"Palette", + "documentation":"The primary color.
" + }, + "Secondary":{ + "shape":"Palette", + "documentation":"The secondary color.
" + }, + "Accent":{ + "shape":"Palette", + "documentation":"The color that is used for accent elements.
" + }, + "Measure":{ + "shape":"Palette", + "documentation":"The color that is used for measure elements.
" + }, + "Dimension":{ + "shape":"Palette", + "documentation":"The color that is used for dimension elements.
" + }, + "Success":{ + "shape":"Palette", + "documentation":"The color that is used for success elements.
" + }, + "Info":{ + "shape":"Palette", + "documentation":"The color that is used for info elements.
" + }, + "Warning":{ + "shape":"Palette", + "documentation":"The color that is used for warning elements.
" + }, + "Danger":{ + "shape":"Palette", + "documentation":"The color that is used for danger elements.
" + } + }, + "documentation":"The color palette.
" + }, + "BrandDefinition":{ + "type":"structure", + "required":["BrandName"], + "members":{ + "BrandName":{ + "shape":"Name", + "documentation":"The name of the brand.
" + }, + "Description":{ + "shape":"Description", + "documentation":"The description of the brand.
" + }, + "ApplicationTheme":{ + "shape":"ApplicationTheme", + "documentation":"The application theme of the brand.
" + }, + "LogoConfiguration":{ + "shape":"LogoConfiguration", + "documentation":"The logo configuration of the brand.
" + } + }, + "documentation":"The definition of the brand.
" + }, + "BrandDetail":{ + "type":"structure", + "required":["BrandId"], + "members":{ + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
" + }, + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the brand.
" + }, + "BrandStatus":{ + "shape":"BrandStatus", + "documentation":"The status of the brand.
" + }, + "CreatedTime":{ + "shape":"Timestamp", + "documentation":"The time that the brand was created.
" + }, + "LastUpdatedTime":{ + "shape":"Timestamp", + "documentation":"The last time the brand was updated.
" + }, + "VersionId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the version.
" + }, + "VersionStatus":{ + "shape":"BrandVersionStatus", + "documentation":"The status of the version.
" + }, + "Errors":{ + "shape":"ErrorList", + "documentation":"A list of errors that occurred during the most recent brand operation.
" + }, + "Logo":{ + "shape":"Logo", + "documentation":"The logo details.
" + } + }, + "documentation":"The details of the brand.
" + }, + "BrandElementStyle":{ + "type":"structure", + "members":{ + "NavbarStyle":{ + "shape":"NavbarStyle", + "documentation":"The navigation bar style.
" + } + }, + "documentation":"The element style.
" + }, + "BrandStatus":{ + "type":"string", + "enum":[ + "CREATE_IN_PROGRESS", + "CREATE_SUCCEEDED", + "CREATE_FAILED", + "DELETE_IN_PROGRESS", + "DELETE_FAILED" + ] + }, + "BrandSummary":{ + "type":"structure", + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the brand.
" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
" + }, + "BrandName":{ + "shape":"Name", + "documentation":"The name of the brand.
" + }, + "Description":{ + "shape":"Description", + "documentation":"The description of the brand.
" + }, + "BrandStatus":{ + "shape":"BrandStatus", + "documentation":"The status of the brand.
" + }, + "CreatedTime":{ + "shape":"Timestamp", + "documentation":"The time that the brand was created.
" + }, + "LastUpdatedTime":{ + "shape":"Timestamp", + "documentation":"The time when the brand was last updated.
" + } + }, + "documentation":"A summary of the brand.
" + }, + "BrandSummaryList":{ + "type":"list", + "member":{"shape":"BrandSummary"} + }, + "BrandVersionStatus":{ + "type":"string", + "enum":[ + "CREATE_IN_PROGRESS", + "CREATE_SUCCEEDED", + "CREATE_FAILED" + ] + }, "CIDR":{ "type":"string", "pattern":"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/(3[0-2]|[1-2][0-9]|[1-9]))$" @@ -6659,6 +7187,84 @@ } } }, + "Capabilities":{ + "type":"structure", + "members":{ + "ExportToCsv":{ + "shape":"CapabilityState", + "documentation":"The ability to export to CSV files.
" + }, + "ExportToExcel":{ + "shape":"CapabilityState", + "documentation":"The ability to export to Excel files.
" + }, + "CreateAndUpdateThemes":{ + "shape":"CapabilityState", + "documentation":"The ability to export to Create and Update themes.
" + }, + "AddOrRunAnomalyDetectionForAnalyses":{ + "shape":"CapabilityState", + "documentation":"The ability to add or run anomaly detection.
" + }, + "ShareAnalyses":{ + "shape":"CapabilityState", + "documentation":"The ability to share analyses.
" + }, + "CreateAndUpdateDatasets":{ + "shape":"CapabilityState", + "documentation":"The ability to create and update datasets.
" + }, + "ShareDatasets":{ + "shape":"CapabilityState", + "documentation":"The ability to share datasets.
" + }, + "SubscribeDashboardEmailReports":{ + "shape":"CapabilityState", + "documentation":"The ability to subscribe to email reports.
" + }, + "CreateAndUpdateDashboardEmailReports":{ + "shape":"CapabilityState", + "documentation":"The ability to create and update email reports.
" + }, + "ShareDashboards":{ + "shape":"CapabilityState", + "documentation":"The ability to share dashboards.
" + }, + "CreateAndUpdateThresholdAlerts":{ + "shape":"CapabilityState", + "documentation":"The ability to create and update threshold alerts.
" + }, + "RenameSharedFolders":{ + "shape":"CapabilityState", + "documentation":"The ability to rename shared folders.
" + }, + "CreateSharedFolders":{ + "shape":"CapabilityState", + "documentation":"The ability to create shared folders.
" + }, + "CreateAndUpdateDataSources":{ + "shape":"CapabilityState", + "documentation":"The ability to create and update data sources.
" + }, + "ShareDataSources":{ + "shape":"CapabilityState", + "documentation":"The ability to share data sources.
" + }, + "ViewAccountSPICECapacity":{ + "shape":"CapabilityState", + "documentation":"The ability to view account SPICE capacity.
" + }, + "CreateSPICEDataset":{ + "shape":"CapabilityState", + "documentation":"The ability to create a SPICE dataset.
" + } + }, + "documentation":"A set of actions that correspond to Amazon QuickSight permissions.
" + }, + "CapabilityState":{ + "type":"string", + "enum":["DENY"] + }, "CascadingControlConfiguration":{ "type":"structure", "members":{ @@ -8158,6 +8764,52 @@ } } }, + "CreateBrandRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + }, + "Tags":{ + "shape":"TagList", + "documentation":"A map of the key-value pairs that are assigned to the brand.
" + } + } + }, + "CreateBrandResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandDetail":{ + "shape":"BrandDetail", + "documentation":"The details of the brand.
" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + } + } + }, "CreateColumnsOperation":{ "type":"structure", "required":["Columns"], @@ -8169,6 +8821,50 @@ }, "documentation":"A transform operation that creates calculated columns. Columns created in one such operation form a lexical closure.
" }, + "CreateCustomPermissionsRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "CustomPermissionsName" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that you want to create the custom permissions profile in.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions profile that you want to create.
" + }, + "Capabilities":{ + "shape":"Capabilities", + "documentation":"A set of actions to include in the custom permissions profile.
" + }, + "Tags":{ + "shape":"TagList", + "documentation":"The tags to associate with the custom permissions profile.
" + } + } + }, + "CreateCustomPermissionsResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
" + }, + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the custom permissions profile.
" + }, + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, "CreateDashboardRequest":{ "type":"structure", "required":[ @@ -9788,6 +10484,34 @@ }, "documentation":"The customized parameter values.
This is a union type structure. For this structure to be valid, only one of the attributes can be defined.
" }, + "CustomPermissions":{ + "type":"structure", + "members":{ + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the custom permissions profile.
" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions profile.
" + }, + "Capabilities":{ + "shape":"Capabilities", + "documentation":"A set of actions in the custom permissions profile.
" + } + }, + "documentation":"The custom permissions profile.
" + }, + "CustomPermissionsList":{ + "type":"list", + "member":{"shape":"CustomPermissions"} + }, + "CustomPermissionsName":{ + "type":"string", + "max":64, + "min":1, + "pattern":"^[a-zA-Z0-9+=,.@_-]+$" + }, "CustomSql":{ "type":"structure", "required":[ @@ -12191,6 +12915,95 @@ } } }, + "DeleteBrandAssignmentRequest":{ + "type":"structure", + "required":["AwsAccountId"], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand assignment.
", + "location":"uri", + "locationName":"AwsAccountId" + } + } + }, + "DeleteBrandAssignmentResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, + "DeleteBrandRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + } + } + }, + "DeleteBrandResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, + "DeleteCustomPermissionsRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "CustomPermissionsName" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that contains the custom permissions profile that you want to delete.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions profile that you want to delete.
", + "location":"uri", + "locationName":"CustomPermissionsName" + } + } + }, + "DeleteCustomPermissionsResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
" + }, + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the custom permissions profile.
" + }, + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, "DeleteDashboardRequest":{ "type":"structure", "required":[ @@ -13145,6 +13958,48 @@ } } }, + "DeleteUserCustomPermissionRequest":{ + "type":"structure", + "required":[ + "UserName", + "AwsAccountId", + "Namespace" + ], + "members":{ + "UserName":{ + "shape":"UserName", + "documentation":"The username of the user that you want to remove custom permissions from.
", + "location":"uri", + "locationName":"UserName" + }, + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that contains the custom permission configuration that you want to delete.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "Namespace":{ + "shape":"Namespace", + "documentation":"The namespace that the user belongs to.
", + "location":"uri", + "locationName":"Namespace" + } + } + }, + "DeleteUserCustomPermissionResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
", + "location":"statusCode" + } + } + }, "DeleteUserRequest":{ "type":"structure", "required":[ @@ -13696,6 +14551,151 @@ } } }, + "DescribeBrandAssignmentRequest":{ + "type":"structure", + "required":["AwsAccountId"], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand assignment.
", + "location":"uri", + "locationName":"AwsAccountId" + } + } + }, + "DescribeBrandAssignmentResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the brand.
" + } + } + }, + "DescribeBrandPublishedVersionRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + } + } + }, + "DescribeBrandPublishedVersionResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandDetail":{ + "shape":"BrandDetail", + "documentation":"The details of the brand.
" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + } + } + }, + "DescribeBrandRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + }, + "VersionId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the specific version. The default value is the latest version.
", + "location":"querystring", + "locationName":"versionId" + } + } + }, + "DescribeBrandResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandDetail":{ + "shape":"BrandDetail", + "documentation":"The details of the brand.
" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + } + } + }, + "DescribeCustomPermissionsRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "CustomPermissionsName" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that contains the custom permissions profile that you want described.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions profile to describe.
", + "location":"uri", + "locationName":"CustomPermissionsName" + } + } + }, + "DescribeCustomPermissionsResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
" + }, + "CustomPermissions":{ + "shape":"CustomPermissions", + "documentation":"The custom permissions profile.
" + }, + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, "DescribeDashboardDefinitionRequest":{ "type":"structure", "required":[ @@ -15484,6 +16484,12 @@ } } }, + "Description":{ + "type":"string", + "max":2048, + "min":1, + "pattern":"[ -ÿ]+" + }, "DestinationParameterValueConfiguration":{ "type":"structure", "members":{ @@ -15784,6 +16790,11 @@ }, "documentation":"Error information for the SPICE ingestion of a dataset.
" }, + "ErrorList":{ + "type":"list", + "member":{"shape":"ErrorMessage"} + }, + "ErrorMessage":{"type":"string"}, "ExasolParameters":{ "type":"structure", "required":[ @@ -18894,6 +19905,75 @@ "error":{"httpStatusCode":403}, "exception":true }, + "Image":{ + "type":"structure", + "members":{ + "Source":{ + "shape":"ImageSource", + "documentation":"The source of the logo image.
" + }, + "GeneratedImageUrl":{ + "shape":"String", + "documentation":"The URL that points to the generated logo image.
" + } + }, + "documentation":"The logo image.
" + }, + "ImageConfiguration":{ + "type":"structure", + "members":{ + "Source":{ + "shape":"ImageSource", + "documentation":"The source of the image.
" + } + }, + "documentation":"The logo image configuration.
" + }, + "ImageSet":{ + "type":"structure", + "required":["Original"], + "members":{ + "Original":{ + "shape":"Image", + "documentation":"The original image.
" + }, + "Height64":{ + "shape":"Image", + "documentation":"The image with the height set to 64 pixels.
" + }, + "Height32":{ + "shape":"Image", + "documentation":"The image with the height set to 32 pixels.
" + } + }, + "documentation":"The image set.
" + }, + "ImageSetConfiguration":{ + "type":"structure", + "required":["Original"], + "members":{ + "Original":{ + "shape":"ImageConfiguration", + "documentation":"The original image.
" + } + }, + "documentation":"The image set configuration.
" + }, + "ImageSource":{ + "type":"structure", + "members":{ + "PublicUrl":{ + "shape":"String", + "documentation":"The public URL that points to the source image.
" + }, + "S3Uri":{ + "shape":"String", + "documentation":"The Amazon S3 URI that points to the source image.
" + } + }, + "documentation":"The source of the image.
", + "union":true + }, "IncludeFolderMembers":{ "type":"string", "enum":[ @@ -19318,6 +20398,17 @@ "exception":true, "fault":true }, + "InternalServerException":{ + "type":"structure", + "required":["Message"], + "members":{ + "Message":{"shape":"String"} + }, + "documentation":"An internal service exception.
", + "error":{"httpStatusCode":500}, + "exception":true, + "fault":true + }, "InvalidNextTokenException":{ "type":"structure", "members":{ @@ -20334,6 +21425,44 @@ } } }, + "ListBrandsRequest":{ + "type":"structure", + "required":["AwsAccountId"], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brands that you want to list.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "MaxResults":{ + "shape":"MaxResults", + "documentation":"The maximum number of results to be returned in a single request.
", + "box":true, + "location":"querystring", + "locationName":"max-results" + }, + "NextToken":{ + "shape":"String", + "documentation":"The token for the next set of results, or null if there are no more results.
", + "location":"querystring", + "locationName":"next-token" + } + } + }, + "ListBrandsResponse":{ + "type":"structure", + "members":{ + "NextToken":{ + "shape":"String", + "documentation":"The token for the next set of results, or null if there are no more results.
" + }, + "Brands":{ + "shape":"BrandSummaryList", + "documentation":"A list of all brands in your Amazon Web Services account. This structure provides basic information about each brand.
" + } + } + }, "ListControlDisplayOptions":{ "type":"structure", "members":{ @@ -20376,6 +21505,53 @@ }, "documentation":"The configuration of the Select all options in a list control.
The ID of the Amazon Web Services account that contains the custom permissions profiles that you want to list.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "MaxResults":{ + "shape":"MaxResults", + "documentation":"The maximum number of results to return.
", + "box":true, + "location":"querystring", + "locationName":"max-results" + }, + "NextToken":{ + "shape":"String", + "documentation":"The token for the next set of results, or null if there are no more results.
", + "location":"querystring", + "locationName":"next-token" + } + } + }, + "ListCustomPermissionsResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
", + "location":"statusCode" + }, + "CustomPermissionsList":{ + "shape":"CustomPermissionsList", + "documentation":"A list of custom permissions profiles.
" + }, + "NextToken":{ + "shape":"String", + "documentation":"The token for the next set of results, or null if there are no more results.
" + }, + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, "ListDashboardVersionsRequest":{ "type":"structure", "required":[ @@ -21974,6 +23150,72 @@ }, "documentation":"Information about the source of a logical table. This is a variant type structure. For this structure to be valid, only one of the attributes can be non-null.
" }, + "Logo":{ + "type":"structure", + "required":[ + "AltText", + "LogoSet" + ], + "members":{ + "AltText":{ + "shape":"AltText", + "documentation":"The alt text for the logo.
" + }, + "LogoSet":{ + "shape":"LogoSet", + "documentation":"A set of configured logos.
" + } + }, + "documentation":"The logo configuration.
" + }, + "LogoConfiguration":{ + "type":"structure", + "required":[ + "AltText", + "LogoSet" + ], + "members":{ + "AltText":{ + "shape":"String", + "documentation":"The alt text for the logo.
" + }, + "LogoSet":{ + "shape":"LogoSetConfiguration", + "documentation":"A set of configured logos.
" + } + }, + "documentation":"The logo configuration.
" + }, + "LogoSet":{ + "type":"structure", + "required":["Primary"], + "members":{ + "Primary":{ + "shape":"ImageSet", + "documentation":"The primary logo.
" + }, + "Favicon":{ + "shape":"ImageSet", + "documentation":"The favicon logo.
" + } + }, + "documentation":"A set of logos.
" + }, + "LogoSetConfiguration":{ + "type":"structure", + "required":["Primary"], + "members":{ + "Primary":{ + "shape":"ImageSetConfiguration", + "documentation":"The primary logo.
" + }, + "Favicon":{ + "shape":"ImageSetConfiguration", + "documentation":"The favicon logo.
" + } + }, + "documentation":"The logo set configuration.
" + }, "Long":{"type":"long"}, "LongFormatText":{ "type":"structure", @@ -22305,6 +23547,12 @@ }, "documentation":"The parameters for MySQL.
" }, + "Name":{ + "type":"string", + "max":512, + "min":1, + "pattern":"[ -ÿ]+" + }, "NamedEntityAggType":{ "type":"string", "enum":[ @@ -22478,6 +23726,20 @@ "type":"string", "max":150000 }, + "NavbarStyle":{ + "type":"structure", + "members":{ + "GlobalNavbar":{ + "shape":"Palette", + "documentation":"The global navigation bar style.
" + }, + "ContextualNavbar":{ + "shape":"Palette", + "documentation":"The contextual navigation bar style.
" + } + }, + "documentation":"The navigation bar style.
" + }, "NegativeFormat":{ "type":"structure", "members":{ @@ -23106,6 +24368,20 @@ }, "documentation":"The pagination configuration for a table visual or boxplot.
" }, + "Palette":{ + "type":"structure", + "members":{ + "Foreground":{ + "shape":"HexColor", + "documentation":"The foreground color.
" + }, + "Background":{ + "shape":"HexColor", + "documentation":"The background color.
" + } + }, + "documentation":"The color palette.
" + }, "PanelBorderStyle":{ "type":"string", "enum":[ @@ -31942,6 +33218,161 @@ } } }, + "UpdateBrandAssignmentRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandArn" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand assignment.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the brand.
" + } + } + }, + "UpdateBrandAssignmentResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandArn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the brand.
" + } + } + }, + "UpdateBrandPublishedVersionRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId", + "VersionId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + }, + "VersionId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the published version.
" + } + } + }, + "UpdateBrandPublishedVersionResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "VersionId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the published version.
" + } + } + }, + "UpdateBrandRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "BrandId" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that owns the brand.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "BrandId":{ + "shape":"ShortRestrictiveResourceId", + "documentation":"The ID of the Amazon QuickSight brand.
", + "location":"uri", + "locationName":"BrandId" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + } + } + }, + "UpdateBrandResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "BrandDetail":{ + "shape":"BrandDetail", + "documentation":"The details of the brand.
" + }, + "BrandDefinition":{ + "shape":"BrandDefinition", + "documentation":"The definition of the brand.
" + } + } + }, + "UpdateCustomPermissionsRequest":{ + "type":"structure", + "required":[ + "AwsAccountId", + "CustomPermissionsName" + ], + "members":{ + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that contains the custom permissions profile that you want to update.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions profile that you want to update.
", + "location":"uri", + "locationName":"CustomPermissionsName" + }, + "Capabilities":{ + "shape":"Capabilities", + "documentation":"A set of actions to include in the custom permissions profile.
" + } + } + }, + "UpdateCustomPermissionsResponse":{ + "type":"structure", + "members":{ + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
" + }, + "Arn":{ + "shape":"Arn", + "documentation":"The Amazon Resource Name (ARN) of the custom permissions profile.
" + }, + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + } + } + }, "UpdateDashboardLinksRequest":{ "type":"structure", "required":[ @@ -33523,6 +34954,53 @@ } } }, + "UpdateUserCustomPermissionRequest":{ + "type":"structure", + "required":[ + "UserName", + "AwsAccountId", + "Namespace", + "CustomPermissionsName" + ], + "members":{ + "UserName":{ + "shape":"UserName", + "documentation":"The username of the user that you want to update custom permissions for.
", + "location":"uri", + "locationName":"UserName" + }, + "AwsAccountId":{ + "shape":"AwsAccountId", + "documentation":"The ID of the Amazon Web Services account that contains the custom permission configuration that you want to update.
", + "location":"uri", + "locationName":"AwsAccountId" + }, + "Namespace":{ + "shape":"Namespace", + "documentation":"The namespace that the user belongs to.
", + "location":"uri", + "locationName":"Namespace" + }, + "CustomPermissionsName":{ + "shape":"CustomPermissionsName", + "documentation":"The name of the custom permissions that you want to update.
" + } + } + }, + "UpdateUserCustomPermissionResponse":{ + "type":"structure", + "members":{ + "RequestId":{ + "shape":"String", + "documentation":"The Amazon Web Services request ID for this operation.
" + }, + "Status":{ + "shape":"StatusCode", + "documentation":"The HTTP status of the request.
", + "location":"statusCode" + } + } + }, "UpdateUserRequest":{ "type":"structure", "required":[ diff --git a/services/ram/pom.xml b/services/ram/pom.xml index ec1f8a04ce66..40771b941638 100644 --- a/services/ram/pom.xml +++ b/services/ram/pom.xml @@ -21,7 +21,7 @@Determines whether the read/write scope is enabled or disabled.
" + } + }, + "documentation":"The S3 Access Grants scope.
" + }, "RebootClusterMessage":{ "type":"structure", "required":["ClusterIdentifier"], @@ -10585,6 +10596,21 @@ "Cluster":{"shape":"Cluster"} } }, + "S3AccessGrantsScopeUnion":{ + "type":"structure", + "members":{ + "ReadWriteAccess":{ + "shape":"ReadWriteAccess", + "documentation":"The S3 Access Grants scope.
" + } + }, + "documentation":"A list of scopes set up for S3 Access Grants integration.
", + "union":true + }, + "S3AccessGrantsServiceIntegrations":{ + "type":"list", + "member":{"shape":"S3AccessGrantsScopeUnion"} + }, "S3KeyPrefixValue":{ "type":"string", "max":256, @@ -10877,6 +10903,10 @@ "LakeFormation":{ "shape":"LakeFormationServiceIntegrations", "documentation":"A list of scopes set up for Lake Formation integration.
" + }, + "S3AccessGrants":{ + "shape":"S3AccessGrantsServiceIntegrations", + "documentation":"A list of scopes set up for S3 Access Grants integration.
" } }, "documentation":"A list of service integrations.
", diff --git a/services/redshiftdata/pom.xml b/services/redshiftdata/pom.xml index 04a9cd50400a..f646a1cde619 100644 --- a/services/redshiftdata/pom.xml +++ b/services/redshiftdata/pom.xml @@ -21,7 +21,7 @@This operation aborts a multipart upload. After a multipart upload is aborted, no additional parts can be uploaded using that upload ID. The storage consumed by any previously uploaded parts will be freed. However, if any part uploads are currently in progress, those part uploads might or might not succeed. As a result, it might be necessary to abort a given multipart upload multiple times in order to completely free all storage consumed by all parts.
To verify that all parts have been removed and prevent getting charged for the part storage, you should call the ListParts API operation and ensure that the parts list is empty.
Directory buckets - If multipart uploads in a directory bucket are in progress, you can't delete the bucket until all the in-progress multipart uploads are aborted or completed. To delete these in-progress multipart uploads, use the ListMultipartUploads operation to list the in-progress multipart uploads in the bucket and use the AbortMultupartUpload operation to abort all the in-progress multipart uploads.
Directory buckets - For directory buckets, you must make requests for this API operation to the Zonal endpoint. These endpoints support virtual-hosted-style requests in the format https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . Path-style requests are not supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
General purpose bucket permissions - For information about permissions required to use the multipart upload, see Multipart Upload and Permissions in the Amazon S3 User Guide.
Directory bucket permissions - To grant access to this API operation on a directory bucket, we recommend that you use the CreateSession API operation for session-based authorization. Specifically, you grant the s3express:CreateSession permission to the directory bucket in a bucket policy or an IAM identity-based policy. Then, you make the CreateSession API call on the bucket to obtain a session token. With the session token in your request header, you can make API requests to this operation. After the session token expires, you make another CreateSession API call to generate a new session token for use. Amazon Web Services CLI or SDKs create session and refresh the session token automatically to avoid service interruptions when a session expires. For more information about authorization, see CreateSession .
Directory buckets - The HTTP Host header syntax is Bucket_name.s3express-az_id.region.amazonaws.com.
The following operations are related to AbortMultipartUpload:
This operation aborts a multipart upload. After a multipart upload is aborted, no additional parts can be uploaded using that upload ID. The storage consumed by any previously uploaded parts will be freed. However, if any part uploads are currently in progress, those part uploads might or might not succeed. As a result, it might be necessary to abort a given multipart upload multiple times in order to completely free all storage consumed by all parts.
To verify that all parts have been removed and prevent getting charged for the part storage, you should call the ListParts API operation and ensure that the parts list is empty.
Directory buckets - If multipart uploads in a directory bucket are in progress, you can't delete the bucket until all the in-progress multipart uploads are aborted or completed. To delete these in-progress multipart uploads, use the ListMultipartUploads operation to list the in-progress multipart uploads in the bucket and use the AbortMultipartUpload operation to abort all the in-progress multipart uploads.
Directory buckets - For directory buckets, you must make requests for this API operation to the Zonal endpoint. These endpoints support virtual-hosted-style requests in the format https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . Path-style requests are not supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
General purpose bucket permissions - For information about permissions required to use the multipart upload, see Multipart Upload and Permissions in the Amazon S3 User Guide.
Directory bucket permissions - To grant access to this API operation on a directory bucket, we recommend that you use the CreateSession API operation for session-based authorization. Specifically, you grant the s3express:CreateSession permission to the directory bucket in a bucket policy or an IAM identity-based policy. Then, you make the CreateSession API call on the bucket to obtain a session token. With the session token in your request header, you can make API requests to this operation. After the session token expires, you make another CreateSession API call to generate a new session token for use. Amazon Web Services CLI or SDKs create session and refresh the session token automatically to avoid service interruptions when a session expires. For more information about authorization, see CreateSession .
Directory buckets - The HTTP Host header syntax is Bucket_name.s3express-az_id.region.amazonaws.com.
The following operations are related to AbortMultipartUpload:
This operation is not supported by directory buckets.
Returns a list of all buckets owned by the authenticated sender of the request. To use this operation, you must have the s3:ListAllMyBuckets permission.
For information about Amazon S3 buckets, see Creating, configuring, and working with Amazon S3 buckets.
", + "documentation":"This operation is not supported by directory buckets.
Returns a list of all buckets owned by the authenticated sender of the request. To use this operation, you must have the s3:ListAllMyBuckets permission.
For information about Amazon S3 buckets, see Creating, configuring, and working with Amazon S3 buckets.
We strongly recommend using only paginated requests. Unpaginated requests are only supported for Amazon Web Services accounts set to the default general purpose bucket quota of 10,000. If you have an approved general purpose bucket quota above 10,000, you must send paginated requests to list your account’s buckets. All unpaginated ListBuckets requests will be rejected for Amazon Web Services accounts with a general purpose bucket quota greater than 10,000.
Returns a list of all Amazon S3 directory buckets owned by the authenticated sender of the request. For more information about directory buckets, see Directory buckets in the Amazon S3 User Guide.
Directory buckets - For directory buckets, you must make requests for this API operation to the Regional endpoint. These endpoints support path-style requests in the format https://s3express-control.region_code.amazonaws.com/bucket-name . Virtual-hosted-style requests aren't supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
You must have the s3express:ListAllMyDirectoryBuckets permission in an IAM identity-based policy instead of a bucket policy. Cross-account access to this API operation isn't supported. This operation can only be performed by the Amazon Web Services account that owns the resource. For more information about directory bucket policies and permissions, see Amazon Web Services Identity and Access Management (IAM) for S3 Express One Zone in the Amazon S3 User Guide.
Directory buckets - The HTTP Host header syntax is s3express-control.region.amazonaws.com.
Returns a list of all Amazon S3 directory buckets owned by the authenticated sender of the request. For more information about directory buckets, see Directory buckets in the Amazon S3 User Guide.
Directory buckets - For directory buckets, you must make requests for this API operation to the Regional endpoint. These endpoints support path-style requests in the format https://s3express-control.region_code.amazonaws.com/bucket-name . Virtual-hosted-style requests aren't supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
You must have the s3express:ListAllMyDirectoryBuckets permission in an IAM identity-based policy instead of a bucket policy. Cross-account access to this API operation isn't supported. This operation can only be performed by the Amazon Web Services account that owns the resource. For more information about directory bucket policies and permissions, see Amazon Web Services Identity and Access Management (IAM) for S3 Express One Zone in the Amazon S3 User Guide.
Directory buckets - The HTTP Host header syntax is s3express-control.region.amazonaws.com.
The BucketRegion response element is not part of the ListDirectoryBuckets Response Syntax.
This operation lists in-progress multipart uploads in a bucket. An in-progress multipart upload is a multipart upload that has been initiated by the CreateMultipartUpload request, but has not yet been completed or aborted.
Directory buckets - If multipart uploads in a directory bucket are in progress, you can't delete the bucket until all the in-progress multipart uploads are aborted or completed. To delete these in-progress multipart uploads, use the ListMultipartUploads operation to list the in-progress multipart uploads in the bucket and use the AbortMultupartUpload operation to abort all the in-progress multipart uploads.
The ListMultipartUploads operation returns a maximum of 1,000 multipart uploads in the response. The limit of 1,000 multipart uploads is also the default value. You can further limit the number of uploads in a response by specifying the max-uploads request parameter. If there are more than 1,000 multipart uploads that satisfy your ListMultipartUploads request, the response returns an IsTruncated element with the value of true, a NextKeyMarker element, and a NextUploadIdMarker element. To list the remaining multipart uploads, you need to make subsequent ListMultipartUploads requests. In these requests, include two query parameters: key-marker and upload-id-marker. Set the value of key-marker to the NextKeyMarker value from the previous response. Similarly, set the value of upload-id-marker to the NextUploadIdMarker value from the previous response.
Directory buckets - The upload-id-marker element and the NextUploadIdMarker element aren't supported by directory buckets. To list the additional multipart uploads, you only need to set the value of key-marker to the NextKeyMarker value from the previous response.
For more information about multipart uploads, see Uploading Objects Using Multipart Upload in the Amazon S3 User Guide.
Directory buckets - For directory buckets, you must make requests for this API operation to the Zonal endpoint. These endpoints support virtual-hosted-style requests in the format https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . Path-style requests are not supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
General purpose bucket permissions - For information about permissions required to use the multipart upload API, see Multipart Upload and Permissions in the Amazon S3 User Guide.
Directory bucket permissions - To grant access to this API operation on a directory bucket, we recommend that you use the CreateSession API operation for session-based authorization. Specifically, you grant the s3express:CreateSession permission to the directory bucket in a bucket policy or an IAM identity-based policy. Then, you make the CreateSession API call on the bucket to obtain a session token. With the session token in your request header, you can make API requests to this operation. After the session token expires, you make another CreateSession API call to generate a new session token for use. Amazon Web Services CLI or SDKs create session and refresh the session token automatically to avoid service interruptions when a session expires. For more information about authorization, see CreateSession .
General purpose bucket - In the ListMultipartUploads response, the multipart uploads are sorted based on two criteria:
Key-based sorting - Multipart uploads are initially sorted in ascending order based on their object keys.
Time-based sorting - For uploads that share the same object key, they are further sorted in ascending order based on the upload initiation time. Among uploads with the same key, the one that was initiated first will appear before the ones that were initiated later.
Directory bucket - In the ListMultipartUploads response, the multipart uploads aren't sorted lexicographically based on the object keys.
Directory buckets - The HTTP Host header syntax is Bucket_name.s3express-az_id.region.amazonaws.com.
The following operations are related to ListMultipartUploads:
This operation lists in-progress multipart uploads in a bucket. An in-progress multipart upload is a multipart upload that has been initiated by the CreateMultipartUpload request, but has not yet been completed or aborted.
Directory buckets - If multipart uploads in a directory bucket are in progress, you can't delete the bucket until all the in-progress multipart uploads are aborted or completed. To delete these in-progress multipart uploads, use the ListMultipartUploads operation to list the in-progress multipart uploads in the bucket and use the AbortMultipartUpload operation to abort all the in-progress multipart uploads.
The ListMultipartUploads operation returns a maximum of 1,000 multipart uploads in the response. The limit of 1,000 multipart uploads is also the default value. You can further limit the number of uploads in a response by specifying the max-uploads request parameter. If there are more than 1,000 multipart uploads that satisfy your ListMultipartUploads request, the response returns an IsTruncated element with the value of true, a NextKeyMarker element, and a NextUploadIdMarker element. To list the remaining multipart uploads, you need to make subsequent ListMultipartUploads requests. In these requests, include two query parameters: key-marker and upload-id-marker. Set the value of key-marker to the NextKeyMarker value from the previous response. Similarly, set the value of upload-id-marker to the NextUploadIdMarker value from the previous response.
Directory buckets - The upload-id-marker element and the NextUploadIdMarker element aren't supported by directory buckets. To list the additional multipart uploads, you only need to set the value of key-marker to the NextKeyMarker value from the previous response.
For more information about multipart uploads, see Uploading Objects Using Multipart Upload in the Amazon S3 User Guide.
Directory buckets - For directory buckets, you must make requests for this API operation to the Zonal endpoint. These endpoints support virtual-hosted-style requests in the format https://bucket_name.s3express-az_id.region.amazonaws.com/key-name . Path-style requests are not supported. For more information, see Regional and Zonal endpoints in the Amazon S3 User Guide.
General purpose bucket permissions - For information about permissions required to use the multipart upload API, see Multipart Upload and Permissions in the Amazon S3 User Guide.
Directory bucket permissions - To grant access to this API operation on a directory bucket, we recommend that you use the CreateSession API operation for session-based authorization. Specifically, you grant the s3express:CreateSession permission to the directory bucket in a bucket policy or an IAM identity-based policy. Then, you make the CreateSession API call on the bucket to obtain a session token. With the session token in your request header, you can make API requests to this operation. After the session token expires, you make another CreateSession API call to generate a new session token for use. Amazon Web Services CLI or SDKs create session and refresh the session token automatically to avoid service interruptions when a session expires. For more information about authorization, see CreateSession .
General purpose bucket - In the ListMultipartUploads response, the multipart uploads are sorted based on two criteria:
Key-based sorting - Multipart uploads are initially sorted in ascending order based on their object keys.
Time-based sorting - For uploads that share the same object key, they are further sorted in ascending order based on the upload initiation time. Among uploads with the same key, the one that was initiated first will appear before the ones that were initiated later.
Directory bucket - In the ListMultipartUploads response, the multipart uploads aren't sorted lexicographically based on the object keys.
Directory buckets - The HTTP Host header syntax is Bucket_name.s3express-az_id.region.amazonaws.com.
The following operations are related to ListMultipartUploads:
ContinuationToken indicates to Amazon S3 that the list is being continued on this bucket with a token. ContinuationToken is obfuscated and is not a real key. You can use this ContinuationToken for pagination of the list results.
Length Constraints: Minimum length of 0. Maximum length of 1024.
Required: No.
", + "documentation":" ContinuationToken indicates to Amazon S3 that the list is being continued on this bucket with a token. ContinuationToken is obfuscated and is not a real key. You can use this ContinuationToken for pagination of the list results.
Length Constraints: Minimum length of 0. Maximum length of 1024.
Required: No.
If you specify the bucket-region, prefix, or continuation-token query parameters without using max-buckets to set the maximum number of buckets returned in the response, Amazon S3 applies a default page size of 10,000 and provides a continuation token if there are more buckets.
Returns a set of temporary security credentials that you can use to access Amazon Web Services resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRole can be used to make API calls to any Amazon Web Services service with the following exception: You cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
When you create a role, you create two policies: a role trust policy that specifies who can assume the role, and a permissions policy that specifies what can be done with the role. You specify the trusted principal that is allowed to assume the role in the role trust policy.
To assume a role from a different account, your Amazon Web Services account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account.
A user who wants to access a role in a different account must also have permissions that are delegated from the account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account.
To allow a user to assume a role in the same account, you can do either of the following:
Attach a policy to the user that allows the user to call AssumeRole (as long as the role's trust policy trusts the account).
Add the user as a principal directly in the role's trust policy.
You can do either because the role’s trust policy acts as an IAM resource-based policy. When a resource-based policy grants access to a principal in the same account, no additional identity-based policy is required. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.
Tags
(Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Using MFA with AssumeRole
(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.
\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.
To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.
Returns a set of temporary security credentials that you can use to access Amazon Web Services resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Compare STS credentials in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRole can be used to make API calls to any Amazon Web Services service with the following exception: You cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
When you create a role, you create two policies: a role trust policy that specifies who can assume the role, and a permissions policy that specifies what can be done with the role. You specify the trusted principal that is allowed to assume the role in the role trust policy.
To assume a role from a different account, your Amazon Web Services account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate that access to users in the account.
A user who wants to access a role in a different account must also have permissions that are delegated from the account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account.
To allow a user to assume a role in the same account, you can do either of the following:
Attach a policy to the user that allows the user to call AssumeRole (as long as the role's trust policy trusts the account).
Add the user as a principal directly in the role's trust policy.
You can do either because the role’s trust policy acts as an IAM resource-based policy. When a resource-based policy grants access to a principal in the same account, no additional identity-based policy is required. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.
Tags
(Optional) You can pass tag key-value pairs to your session. These tags are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Using MFA with AssumeRole
(Optional) You can include multi-factor authentication (MFA) information when you call AssumeRole. This is useful for cross-account scenarios to ensure that the user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication. If the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.
\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}
For more information, see Configuring MFA-Protected API Access in the IAM User Guide guide.
To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode parameters. The SerialNumber value identifies the user's hardware or virtual MFA device. The TokenCode is the time-based one-time password (TOTP) that the MFA device produces.
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based Amazon Web Services access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to Amazon Web Services services.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithSAML last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Role chaining limits your CLI or Amazon Web Services API role session to a maximum of one hour. When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails.
Permissions
The temporary security credentials created by AssumeRoleWithSAML can be used to make API calls to any Amazon Web Services service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Calling AssumeRoleWithSAML does not require the use of Amazon Web Services security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. The entry includes the value in the NameID element of the SAML assertion. We recommend that you use a NameIDType that is not associated with any personally identifiable information (PII). For example, you could instead use the persistent identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
Tags
(Optional) You can configure your IdP to pass attributes into your SAML assertion as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, session tags override the role's tags with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
SAML Configuration
Before your application can call AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.
For more information, see the following resources:
About SAML 2.0-based Federation in the IAM User Guide.
Creating SAML Identity Providers in the IAM User Guide.
Configuring a Relying Party and Claims in the IAM User Guide.
Creating a Role for SAML 2.0 Federation in the IAM User Guide.
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based Amazon Web Services access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Compare STS credentials in the IAM User Guide.
The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to Amazon Web Services services.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithSAML last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. Your role session lasts for the duration that you specify, or until the time specified in the SAML authentication response's SessionNotOnOrAfter value, whichever is shorter. You can provide a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Role chaining limits your CLI or Amazon Web Services API role session to a maximum of one hour. When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails.
Permissions
The temporary security credentials created by AssumeRoleWithSAML can be used to make API calls to any Amazon Web Services service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Calling AssumeRoleWithSAML does not require the use of Amazon Web Services security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.
Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. The entry includes the value in the NameID element of the SAML assertion. We recommend that you use a NameIDType that is not associated with any personally identifiable information (PII). For example, you could instead use the persistent identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
Tags
(Optional) You can configure your IdP to pass attributes into your SAML assertion as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, session tags override the role's tags with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
SAML Configuration
Before your application can call AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that represents your identity provider. You must also create an IAM role that specifies this SAML provider in its trust policy.
For more information, see the following resources:
About SAML 2.0-based Federation in the IAM User Guide.
Creating SAML Identity Providers in the IAM User Guide.
Configuring a Relying Party and Claims in the IAM User Guide.
Creating a Role for SAML 2.0 Federation in the IAM User Guide.
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible identity provider such as Google or Amazon Cognito federated identities.
For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide and the Amazon Web Services SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.
To learn more about Amazon Cognito, see Amazon Cognito identity pools in Amazon Cognito Developer Guide.
Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web Services security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term Amazon Web Services credentials in the application. You also don't need to deploy server-based proxy services that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to Amazon Web Services service API operations.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web Services service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Tags
(Optional) You can configure your IdP to pass attributes into your web identity token as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, the session tag overrides the role tag with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Identities
Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.
Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail logs. The entry includes the Subject of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.
For more information about how to use web identity federation and the AssumeRoleWithWebIdentity API, see the following resources:
Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
Web Identity Federation Playground. Walk through the process of authenticating through Login with Amazon, Facebook, or Google, getting temporary security credentials, and then using those credentials to make a request to Amazon Web Services.
Amazon Web Services SDK for iOS Developer Guide and Amazon Web Services SDK for Android Developer Guide. These toolkits contain sample apps that show how to invoke the identity providers. The toolkits then show how to use the information from these providers to get and use temporary security credentials.
Web Identity Federation with Mobile Applications. This article discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3.
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible identity provider such as Google or Amazon Cognito federated identities.
For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide and the Amazon Web Services SDK for Android Developer Guide to uniquely identify a user. You can also supply the user with a consistent identity throughout the lifetime of an application.
To learn more about Amazon Cognito, see Amazon Cognito identity pools in Amazon Cognito Developer Guide.
Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web Services security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term Amazon Web Services credentials in the application. You also don't need to deploy server-based proxy services that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Compare STS credentials in the IAM User Guide.
The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to Amazon Web Services service API operations.
Session Duration
By default, the temporary security credentials created by AssumeRoleWithWebIdentity last for one hour. However, you can use the optional DurationSeconds parameter to specify the duration of your session. You can provide a value from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how to view the maximum value for your role, see Update the maximum session duration for a role in the IAM User Guide. The maximum session duration limit applies when you use the AssumeRole* API operations or the assume-role* CLI commands. However the limit does not apply when you use those operations to create a console URL. For more information, see Using IAM Roles in the IAM User Guide.
Permissions
The temporary security credentials created by AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web Services service with the following exception: you cannot call the STS GetFederationToken or GetSessionToken API operations.
(Optional) You can pass inline or managed session policies to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
Tags
(Optional) You can configure your IdP to pass attributes into your web identity token as session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is attached to the role. When you do, the session tag overrides the role tag with the same key.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
You can set the session tags as transitive. Transitive tags persist during role chaining. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
Identities
Before your application can call AssumeRoleWithWebIdentity, you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.
Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail logs. The entry includes the Subject of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as suggested in the OIDC specification.
For more information about how to use OIDC federation and the AssumeRoleWithWebIdentity API, see the following resources:
Using Web Identity Federation API Operations for Mobile Apps and Federation Through a Web-based Identity Provider.
Amazon Web Services SDK for iOS Developer Guide and Amazon Web Services SDK for Android Developer Guide. These toolkits contain sample apps that show how to invoke the identity providers. The toolkits then show how to use the information from these providers to get and use temporary security credentials.
Returns a set of short term credentials you can use to perform privileged tasks in a member account.
Before you can launch a privileged session, you must have enabled centralized root access in your organization. For steps to enable this feature, see Centralize root access for member accounts in the IAM User Guide.
The global endpoint is not supported for AssumeRoot. You must send this request to a Regional STS endpoint. For more information, see Endpoints.
You can track AssumeRoot in CloudTrail logs to determine what actions were performed in a session. For more information, see Track privileged tasks in CloudTrail in the IAM User Guide.
" }, "DecodeAuthorizationMessage":{ "name":"DecodeAuthorizationMessage", @@ -133,7 +152,7 @@ {"shape":"PackedPolicyTooLargeException"}, {"shape":"RegionDisabledException"} ], - "documentation":"Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.
You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safeguarded, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.
Although it is possible to call GetFederationToken using the security credentials of an Amazon Web Services account root user rather than an IAM user that you create for the purpose of a proxy application, we do not recommend it. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials obtained by using the root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken in any Amazon Web Services service with the following exceptions:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.
You cannot call any STS operations except GetCallerIdentity.
You can use temporary credentials for single sign-on (SSO) to the console.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the user that you are federating has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.
Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.
You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safeguarded, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Compare STS credentials in the IAM User Guide.
Although it is possible to call GetFederationToken using the security credentials of an Amazon Web Services account root user rather than an IAM user that you create for the purpose of a proxy application, we do not recommend it. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials obtained by using the root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken in any Amazon Web Services service with the following exceptions:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.
You cannot call any STS operations except GetCallerIdentity.
You can use temporary credentials for single sign-on (SSO) to the console.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the Principal element of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate Department and department tag keys. Assume that the user that you are federating has the Department=Marketing tag and you pass the department=engineering session tag. Department and department are not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.
Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific Amazon Web Services API operations like Amazon EC2 StopInstances.
MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that the call returns, IAM users can then make programmatic calls to API operations that require MFA authentication. An incorrect MFA code causes the API to return an access denied error. For a comparison of GetSessionToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.
No permissions are required for users to perform this operation. The purpose of the sts:GetSessionToken operation is to authenticate the user using MFA. You cannot use policies to control authentication operations. For more information, see Permissions for GetSessionToken in the IAM User Guide.
Session Duration
The GetSessionToken operation must be called by using the long-term Amazon Web Services security credentials of an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions
The temporary security credentials created by GetSessionToken can be used to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is included in the request.
You cannot call any STS API except AssumeRole or GetCallerIdentity.
The credentials that GetSessionToken returns are based on permissions associated with the IAM user whose credentials were used to call the operation. The temporary credentials have the same permissions as the IAM user.
Although it is possible to call GetSessionToken using the security credentials of an Amazon Web Services account root user rather than an IAM user, we do not recommend it. If GetSessionToken is called using root user credentials, the temporary credentials have root user permissions. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the IAM User Guide
For more information about using GetSessionToken to create temporary credentials, see Temporary Credentials for Users in Untrusted Environments in the IAM User Guide.
Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific Amazon Web Services API operations like Amazon EC2 StopInstances.
MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that the call returns, IAM users can then make programmatic calls to API operations that require MFA authentication. An incorrect MFA code causes the API to return an access denied error. For a comparison of GetSessionToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Compare STS credentials in the IAM User Guide.
No permissions are required for users to perform this operation. The purpose of the sts:GetSessionToken operation is to authenticate the user using MFA. You cannot use policies to control authentication operations. For more information, see Permissions for GetSessionToken in the IAM User Guide.
Session Duration
The GetSessionToken operation must be called by using the long-term Amazon Web Services security credentials of an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions
The temporary security credentials created by GetSessionToken can be used to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is included in the request.
You cannot call any STS API except AssumeRole or GetCallerIdentity.
The credentials that GetSessionToken returns are based on permissions associated with the IAM user whose credentials were used to call the operation. The temporary credentials have the same permissions as the IAM user.
Although it is possible to call GetSessionToken using the security credentials of an Amazon Web Services account root user rather than an IAM user, we do not recommend it. If GetSessionToken is called using root user credentials, the temporary credentials have root user permissions. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the IAM User Guide
For more information about using GetSessionToken to create temporary credentials, see Temporary Credentials for Users in Untrusted Environments in the IAM User Guide.
An identifier for the assumed role session.
Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their CloudTrail logs.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" + "documentation":"An identifier for the assumed role session.
Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their CloudTrail logs.
For security purposes, administrators can view this field in CloudTrail logs to help identify who performed an action in Amazon Web Services. Your administrator might require that you specify your user name as the session name when you assume the role. For more information, see sts:RoleSessionName .
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" }, "PolicyArns":{ "shape":"policyDescriptorListType", @@ -174,11 +193,11 @@ }, "Policy":{ "shape":"unrestrictedSessionPolicyDocumentType", - "documentation":"An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
For more information about role session permissions, see Session policies.
" }, "DurationSeconds":{ "shape":"roleDurationSecondsType", - "documentation":"The duration, in seconds, of the role session. The value specified can range from 900 seconds (15 minutes) up to the maximum session duration set for the role. The maximum session duration setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting or the administrator setting (whichever is lower), the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails.
Role chaining limits your Amazon Web Services CLI or Amazon Web Services API role session to a maximum of one hour. When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console in the IAM User Guide.
The duration, in seconds, of the role session. The value specified can range from 900 seconds (15 minutes) up to the maximum session duration set for the role. The maximum session duration setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting or the administrator setting (whichever is lower), the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails.
Role chaining limits your Amazon Web Services CLI or Amazon Web Services API role session to a maximum of one hour. When you use the AssumeRole API operation to assume a role, you can specify the duration of your role session with the DurationSeconds parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum session duration setting for your role. However, if you assume a role using role chaining and provide a DurationSeconds parameter value greater than one hour, the operation fails. To learn how to view the maximum value for your role, see Update the maximum session duration for a role.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console session that you might request using the returned credentials. The request to the federation endpoint for a console sign-in token takes a SessionDuration parameter that specifies the maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console in the IAM User Guide.
A list of keys for session tags that you want to set as transitive. If you set a tag key as transitive, the corresponding key and value passes to subsequent sessions in a role chain. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
This parameter is optional. When you set session tags as transitive, the session policy and session tags packed binary limit is not affected.
If you choose not to specify a transitive tag key, then no tags are passed from this session to any subsequent sessions.
" + "documentation":"A list of keys for session tags that you want to set as transitive. If you set a tag key as transitive, the corresponding key and value passes to subsequent sessions in a role chain. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
This parameter is optional. The transitive status of a session tag does not impact its packed binary size.
If you choose not to specify a transitive tag key, then no tags are passed from this session to any subsequent sessions.
" }, "ExternalId":{ "shape":"externalIdType", @@ -202,7 +221,7 @@ }, "SourceIdentity":{ "shape":"sourceIdentityType", - "documentation":"The source identity specified by the principal that is calling the AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. You can use source identity information in CloudTrail logs to determine who took actions with a role. You can use the aws:SourceIdentity condition key to further control access to Amazon Web Services resources based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-. You cannot use a value that begins with the text aws:. This prefix is reserved for Amazon Web Services internal use.
The source identity specified by the principal that is calling the AssumeRole operation. The source identity value persists across chained role sessions.
You can require users to specify a source identity when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. You can use source identity information in CloudTrail logs to determine who took actions with a role. You can use the aws:SourceIdentity condition key to further control access to Amazon Web Services resources based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-. You cannot use a value that begins with the text aws:. This prefix is reserved for Amazon Web Services internal use.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
For more information about role session permissions, see Session policies.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
The value in the SourceIdentity attribute in the SAML assertion.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your SAML identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithSAML. You do this by adding an attribute to the SAML assertion. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" + "documentation":"The value in the SourceIdentity attribute in the SAML assertion. The source identity value persists across chained role sessions.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your SAML identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithSAML. You do this by adding an attribute to the SAML assertion. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" } }, "documentation":"Contains the response to a successful AssumeRoleWithSAML request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
" @@ -318,15 +337,15 @@ "members":{ "RoleArn":{ "shape":"arnType", - "documentation":"The Amazon Resource Name (ARN) of the role that the caller is assuming.
" + "documentation":"The Amazon Resource Name (ARN) of the role that the caller is assuming.
Additional considerations apply to Amazon Cognito identity pools that assume cross-account IAM roles. The trust policies of these roles must accept the cognito-identity.amazonaws.com service principal and must contain the cognito-identity.amazonaws.com:aud condition key to restrict role assumption to users from your intended identity pools. A policy that trusts Amazon Cognito identity pools without this condition creates a risk that a user from an unintended identity pool can assume the role. For more information, see Trust policies for IAM roles in Basic (Classic) authentication in the Amazon Cognito Developer Guide.
An identifier for the assumed role session. Typically, you pass the name or identifier that is associated with the user who is using your application. That way, the temporary security credentials that your application will use are associated with that user. This session name is included as part of the ARN and assumed role ID in the AssumedRoleUser response element.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" + "documentation":"An identifier for the assumed role session. Typically, you pass the name or identifier that is associated with the user who is using your application. That way, the temporary security credentials that your application will use are associated with that user. This session name is included as part of the ARN and assumed role ID in the AssumedRoleUser response element.
For security purposes, administrators can view this field in CloudTrail logs to help identify who performed an action in Amazon Web Services. Your administrator might require that you specify your user name as the session name when you assume the role. For more information, see sts:RoleSessionName .
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" }, "WebIdentityToken":{ "shape":"clientTokenType", - "documentation":"The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider. Your application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an AssumeRoleWithWebIdentity call. Only tokens with RSA algorithms (RS256) are supported.
The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider. Your application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an AssumeRoleWithWebIdentity call. Timestamps in the token must be formatted as either an integer or a long integer. Only tokens with RSA algorithms (RS256) are supported.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list (\\u0020 through \\u00FF). It can also include the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
For more information about role session permissions, see Session policies.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, and session tags into a packed binary format that has a separate limit. Your request can fail for this limit even if your plaintext meets the other requirements. The PackedPolicySize response element indicates by percentage how close the policies and tags for your request are to the upper size limit.
The value of the source identity that is returned in the JSON web token (JWT) from the identity provider.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web token. To learn more about OIDC tokens and claims, see Using Tokens with User Pools in the Amazon Cognito Developer Guide. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" + "documentation":"The value of the source identity that is returned in the JSON web token (JWT) from the identity provider.
You can require users to set a source identity value when they assume a role. You do this by using the sts:SourceIdentity condition key in a role trust policy. That way, actions that are taken with the role are associated with that user. After the source identity is set, the value cannot be changed. It is present in the request for all actions that are taken by the role and persists across chained role sessions. You can configure your identity provider to use an attribute associated with your users, like user name or email, as the source identity when calling AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web token. To learn more about OIDC tokens and claims, see Using Tokens with User Pools in the Amazon Cognito Developer Guide. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" } }, "documentation":"Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
" }, + "AssumeRootRequest":{ + "type":"structure", + "required":[ + "TargetPrincipal", + "TaskPolicyArn" + ], + "members":{ + "TargetPrincipal":{ + "shape":"TargetPrincipalType", + "documentation":"The member account principal ARN or account ID.
" + }, + "TaskPolicyArn":{ + "shape":"PolicyDescriptorType", + "documentation":"The identity based policy that scopes the session to the privileged tasks that can be performed. You can use one of following Amazon Web Services managed policies to scope root session actions. You can add additional customer managed policies to further limit the permissions for the root session.
The duration, in seconds, of the privileged session. The value can range from 0 seconds up to the maximum session duration of 900 seconds (15 minutes). If you specify a value higher than this setting, the operation fails.
By default, the value is set to 900 seconds.
The temporary security credentials, which include an access key ID, a secret access key, and a security token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
The source identity specified by the principal that is calling the AssumeRoot operation.
You can use the aws:SourceIdentity condition key to control access based on the value of source identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
" + } + } + }, "AssumedRoleUser":{ "type":"structure", "required":[ @@ -622,7 +675,7 @@ "members":{ "message":{"shape":"invalidAuthorizationMessage"} }, - "documentation":"The error returned if the message passed to DecodeAuthorizationMessage was invalid. This can happen if the token contains invalid characters, such as linebreaks.
The error returned if the message passed to DecodeAuthorizationMessage was invalid. This can happen if the token contains invalid characters, such as line breaks, or if the message has expired.
STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region in the IAM User Guide.
", + "documentation":"STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating STS in an Amazon Web Services Region in the IAM User Guide.
", "error":{ "code":"RegionDisabledException", "httpStatusCode":403, @@ -713,6 +766,11 @@ }, "exception":true }, + "RootDurationSecondsType":{ + "type":"integer", + "max":900, + "min":0 + }, "SAMLAssertionType":{ "type":"string", "max":100000, @@ -739,6 +797,11 @@ }, "documentation":"You can pass custom key-value pair attributes when you assume a role or federate a user. These are called session tags. You can then use the session tags to control access to resources. For more information, see Tagging Amazon Web Services STS Sessions in the IAM User Guide.
" }, + "TargetPrincipalType":{ + "type":"string", + "max":2048, + "min":12 + }, "accessKeyIdType":{ "type":"string", "max":128, diff --git a/services/supplychain/pom.xml b/services/supplychain/pom.xml index cbc4f0367d44..12e25e819460 100644 --- a/services/supplychain/pom.xml +++ b/services/supplychain/pom.xml @@ -17,7 +17,7 @@